Moorcam
-
Posts
197 -
Joined
-
Last visited
Posts posted by Moorcam
-
-
2 minutes ago, Barand said:
Change to
$id = $_GET['id'] ?? DEFAULT_ID;
Thanks mate.
-
Got it to work by using an If statement as such:
if(mysqli_real_escape_string($con, $_GET['id']=="")){ $sql = "SELECT * FROM pages WHERE name = 'Home'"; $result = $con->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) {
Most likely not the most correct way to do it but it works.
-
1 minute ago, benanamen said:
Your code is vulnerable to an SQL Injection Attack. You need to use Prepared Statements.
NEVER EVER PUT VARIABLES IN YOUR QUERY
Thanks for pointing that out. Yes, I agree. It is only a project that will be fixed up as time goes on. For now I just want to get everything working and then I can modify MySQL code where required.
-
Hi folks,
I am in the middle of creating a CMS as a project. It's going pretty well so far but I am stuck and hoping to get some guidance.
When loading the main website, I want the contents from "Home" in the database to display unless a menu item is clicked.
Here is what I have so far:
<?php include_once('includes/header.php'); require_once('admin/includes/config.php'); ?> <div class="hero-wrap" style="background-image: url('images/uluru.jpg');" data-stellar-background-ratio="0.5"> <div class="overlay"></div> <div class="container"> <div class="row no-gutters slider-text justify-content-start align-items-center"> <div class="col-lg-6 col-md-6 ftco-animate d-flex align-items-end"> <div class="text"> <h1 class="mb-4">Coaches For Hire <span>Book Now!</span></h1> <p style="font-size: 18px;">The local Anangu, the Pitjantjatjara people, call the landmark Uluṟu (Pitjantjatjara [ʊlʊɻʊ]). This word is a proper noun, with no further particular meaning in the Pitjantjatjara dialect, although it is used as a local family name by the senior Traditional Owners of Uluru.</p> <a href="https://www.youtube.com/watch?v=biuYA54nb7Y" class="icon-wrap popup-vimeo d-flex align-items-center mt-4"> <div class="icon d-flex align-items-center justify-content-center"> <span class="ion-ios-play"></span> </div> <div class="heading-title ml-5"> <span>Learn more about Uluru</span> </div> </a> </div> </div> <div class="col-lg-2 col"></div> <div class="col-lg-4 col-md-6 mt-0 mt-md-5 d-flex"> <form action="#" class="request-form ftco-animate"> <h2>Get A Quote</h2> <div id="searchBoxContainer" class="form-group"> <label for="searchBox" class="label">Pick-Up Location</label> <input class="form-control" type="text" id="searchBox" placeholder="Start Typing..." /> </div> <div id="searchBoxContainerAlt" class="form-group"> <label for="searchBoxAlt" class="label">Drop-Off Location</label> <input type="text" class="form-control" id="searchBoxAlt" placeholder="Start Typing..." /> </div> <div class="d-flex"> <div class="form-group mr-2"> <label for="" class="label">Departure Date</label> <input type="text" class="form-control" id="book_pick_date" placeholder="Date"> </div> <div class="form-group ml-2"> <label for="" class="label">Return Date</label> <input type="text" class="form-control" id="book_off_date" placeholder="Date"> </div> </div> <div class="d-flex"> <div class="form-group mr-2"> <label for="" class="label">Pick-Up Time</label> <input type="text" class="form-control" id="time_pick" placeholder="Time"> </div> <div class="form-group ml-2"> <label for"" class="label">Passenger Numbers</label> <input type="number" class="form-control" placeholder="Amount" /> </div> </div> <div class="form-group"> <input type="submit" value="Request Quote" class="btn btn-primary py-3 px-4"> </div> </form> </div> </div> </div> </div> <script type="text/javascript" src="https://www.bing.com/api/maps/mapcontrol?key=AqIY0ivSCCdBIe3-EKGuox9cwBFw2wWRWIErZi1iy57EfD67PoiSra9wl_wu48de&callback=bingMapsReady" async defer></script> <?php $id = $_GET['id']; $sql = "SELECT * FROM pages WHERE id = $id"; $result = $con->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_array()) { ?> <!-- HOW IT WORKS --> <section class="ftco-section ftco-no-pt ftco-no-pb"> <div class="container"> <div class="row no-gutters"> <div class="col-md-12 wrap-about py-md-5 ftco-animate"> <div class="heading-section mb-5 pl-md-5"> <span class="subheading"><?php echo $row['description']; ?> </span> <h2 class="heading"><?php echo $row['name']; ?></h2> <?php echo $row['body']; ?> </div> </div> </div> </div> </section> <?php } } ?> <!-- FOOTER --> <?php include_once('includes/footer.php'); ?>
I hope you can help and that I am making sense.
Cheers,
Dan
-
Use MySQLi or PDO. MySQL is deprecated since php 5.5 and completely removed from php 7.
-
Thanks gizmola,
Much appreciated. Still learning.
-
Fixed.
For some reason the Google API was affecting it.
Basically, the URL was not authorized to use the API so once I did that, all errors disappeared. No idea how it caused an Undefined Index though. But all is good.
-
Hi all,
Strange one.
I have Google Maps Places API added to a text field for Autocomplete purposes. However, if I add the id="address" to the text field and save the data I get Undefined Index.
Here is the text field:
<div class="form-group"> <label><?php echo $lang_company_address; ?></label> <input type="text" class="form-control" id="address" name="company_address" value="<?php echo $row['company_address']; ?>"/> </div>
Here is where I am getting the Undefined error:
$company_address = mysqli_real_escape_string($mysqli, $_POST['company_address']);
And here is the Google JS code:
<script> function initMap(){ var autocomplete = new google.maps.places.Autocomplete($("#address")[0], {}); google.maps.event.addListener(autocomplete, 'place_changed', function() { var place = autocomplete.getPlace(); console.log(place.address_components); }); } </script>The script above works fine. Although I do get the dreaded Ooops Something went wrong error, which I presume is tied to the above somehow.
The API key is called as below:
<script src="https://maps.googleapis.com/maps/api/js?key=<?php echo $row['google_api']; ?>&libraries=places&callback=initMap" async defer></script>
The key is stored in the database.
Any ideas?
-
Then use the ID from the URL. Not from the database. The URL. As in:
$id = mysqli->real_escape_string($_GET['tour_id']);
Thank you.
I tried that and it first stated that -> was unexpected. I changed -> to _ and get the following:
$tour_id = mysqli_real_escape_string($mysqli, $_GET['tour_id']);
It works.
Thank you so much. I really appreciate your help and guidance. I promise not to come and ask questions unless I am really stuck, just like today.
*virtual handshake *
Danno
-
Then obviously $row['id'] is not what you want (wherever it comes from).
Why are you not using the ID from the URL?
I am.
The one in the URL is from the DB.
<?php echo $row['tour_id']; ?>
I am using the same echo statement on the page but not getting anything.
I changed to tour_id in the db and code to see if that would help. Thought there might be a possible mixup with another piece of code but still nothing. But if I remove the WHERE clause, it will show data. I just want to show the data that is compared to the id in the url.
-
Thank you.
I meant in general. Most programmers will fill you with Jargon while trying to help. I get lost at times.
The dump shows: string(0)
Strange hey.
-
Unfortunately, we're not clairvoyant (even though that would definitely be useful for a lot of questions).
So what does $id actually say? Is it what you think it is? Where does it come from? Oddly, you seem to take it from the result set of some other query when it should come from the URL paramaters according to your description.
Besides that: You say you prefer mysqli, but you have not really bothered to learn it. mysqli supports prepared statements, there's absolutely no reason to rely on obsolete and fragile manual escaping. There's also no reason to check the number of rows before the fetch loop when the fetch loop itself already does that. You don't seem to have any error checking. And you should not mix the procedural mysqli API with the object-oriented API. Pick one and stick with it.
This kind of shows why we recommend against mysqli. It's obviously too complicated for the average programmer.
Hi,
Thanks for the reply.
I am learning mate, which is why I have come here. It's easy for experienced programmers like your good self to say do this and that and use the jargon to describe what it is we should be doing. But for us, less average programmer-wannabes the jargon is something that we find hard at times to understand.
So to say I am not bothered to learn MySQLi is a little harsh to be honest. Not being rude, just stating, because I am TRYING to learn.
I am using MySQLi because I haven't coded in like 15 years and always used MySQL. I know I should use PDO. I will eventually. This project is just to get my feet wet again.
Here is what I am using to call the ID into the URL, as I feel this maybe contributing to the issue. However, I am unsure if this is the correct way or not. Been trying to find similar things on Google but can't find anything on it.
<td><a href="tourdetails.php?tour_id=<?php echo $row['tour_id']; ?>"><?php echo $row['tour_name']; ?></a></td>
Thanks in advance if anyone can put me in the right direction.
-
Where is your update code? You only have a SELECT query there.
Also, MySQL is deprecated. Change over to MySQLi or PDO.
-
Hi mate,
Not being rude but nobody will go to your site to look for the issue. Not that they just don't want to. Lots of people are nervous of possible infections.
Your best bet is to post your code here and also the error you are getting so people who are experienced with the script you are using can help.
-
Would help to show your PHP code where you are selecting from the db to populate in the first place. All that jazz.
-
Hi folks,
I know people will say, "You should use PDO" but I prefer MySQLi for the time being.
I am trying to display data based on its ID from the database by using the following. However, if I use:
WHERE id='$id'
Nothing appears.
Basically, what I am doing is, when someone clicks a link, it will open a new page displaying the content related to the link they clicked. The URL will show the ID, which works fine, such as:
domain.com/details.php?id=245
If I remove the WHERE clause, all rows are shown.
If I use the WHERE clause, nothing is shown. No errors either.
Here is the code in question:
<?php $id = mysqli_real_escape_string($mysqli, $row['id']); $sql = "SELECT * FROM tours WHERE id = '" . $id. "'"; $result = $mysqli->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { ?> <h3><?php echo $row['tour_name']; ?></h3> <?php } } ?>Any help would be appreciated.
Cheers
Danno
-
It's not. But it's a lot easier to use and works with all mainstream database systems, not just MySQL.
mysqli is a low-level interface, which means the programmer has to do a lot of work to get things done, and many steps aren't very intuitive. Executing a prepared statement and fetching the data requires no less than five(!) different functions. With PDO, you just need PDO::prepare(), PDOStatement::execute() and one of the fetch methods (you can even iterate over the result set with a foreach loop).
Even worse, mysqli creates a “vendor lock-in”. You can't just switch to a different database system, even if it can run all your SQL queries just fine. You'd have to go through your entire code, remove the mysql parts, learn a new interface and start all over again. With PDO, you just have to change the parameters of the initial connection and maybe update a few queries where you use MySQL-specific syntax.
Thanks for that.
Well, it looks like PDO is the way to go then. It had been suggested before by bananamen but never got round to using it.
Will be away for a few days but will have the laptop so if I get a few hours on New Years Day will change to PDO.
Thanks again and Happy New Year.
-
Thanks for the feedback and input guys. I really appreciate it.
I haven't used php and mysql for a lifetime. Recently just started to get back into it. So a bit of a learning curve with a dash of hit and miss as I go. So I really appreciate the guidance.
People are raving about this PDO thingy. Will this work on MySQL servers? I have been told it is a lot more secure than MySQLi etc.
I really need to find the time (between work etc) to sit down and actually read up on all of these changes that were made since I did it around 2005 lol
-
Silly Irish man.
I forgot to set a Unique key in the database.
Works fine now.
Sorry for the hassle and thanks again.
-
Hi all,
In a pickle again.
I am trying to update a database from a html table, which I will post below.
The issue is, if I have more than one entry in the table, clicking update will change all entries with the changes mate.
Here is the update code along with the HTML table:
<div class="panel-body"> <div class="table-responsive"> <form role="form" action="" method="post"> <?php if(isset($_POST['Submit'])){//if the submit button is clicked $id = mysqli_real_escape_string($mysqli, $_POST['id']); $fname = mysqli_real_escape_string($mysqli, $_POST['fname']); $lname = mysqli_real_escape_string($mysqli, $_POST['lname']); $email = mysqli_real_escape_string($mysqli, $_POST['email']); $phone = mysqli_real_escape_string($mysqli, $_POST['phone']); $sql="UPDATE clients SET fname='$fname', lname='$lname', email='$email', phone='$phone'"; $mysqli->query($sql) or die(mysqli_error($mysqli));//update or error } ?> <table class="table table-striped table-bordered table-hover" id="tab_logic"> <thead> <tr> <th>Client ID</th> <th>First Name</th> <th>Last Name</th> <th>Email</th> <th>Phone</th> </tr> </thead> <?php if (isset($_POST['Delete'])){ $checkbox = $_POST['checkbox']; $count = count($checkbox); for($i=0;$i<$count;$i++){ if(!empty($checkbox[$i])){ /* CHECK IF CHECKBOX IS CLICKED OR NOT */ $id = mysqli_real_escape_string($mysqli,$checkbox[$i]); /* ESCAPE STRINGS */ mysqli_query($mysqli,"DELETE FROM clients WHERE id = '$id'"); /* EXECUTE QUERY AND USE ' ' (apostrophe) IN YOUR VARIABLE */ } /* END OF IF NOT EMPTY CHECKBOX */ } /* END OF FOR LOOP */ } /* END OF ISSET DELETE */ $sql = "SELECT id, fname, lname, email, phone FROM clients"; $result = $mysqli->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { $id = mysqli_real_escape_string($mysqli, $row['id']); ?> <tbody> <tr id='addr0'> <td> <input type="text" size="5" name='id' placeholder='01' class="form-control" value="<?php echo $row['id']; ?>"/> </td> <td> <input type="text" name='fname' placeholder='First Name' class="form-control" value="<?php echo $row['fname']; ?>"/> </td> <td> <input type="text" name='lname' placeholder='Last Name' class="form-control" value="<?php echo $row['lname']; ?>"/> </td> <td> <input type="text" name='email' placeholder='Email' class="form-control" value="<?php echo $row['email']; ?>"/> </td> <td> <input type="text" name='phone' placeholder='Phone' class="form-control" value="<?php echo $row['phone']; ?>"/> </td> <td> <input name="checkbox" value="0" type="hidden"> <?php echo "<td><input type='checkbox' name='checkbox[]' value='$id'></td>"; ?> </td> </tr> <tr id='addr1'></tr> </tbody> <?php } } $mysqli->Close(); ?> </table> <a href="new-client.php" type="submit" class="pull-left btn btn-success">Add New Client</a><button type="submit" name="Submit" class="btn btn-success">Save Changes</button> <input type="submit" name="Delete" class="pull-center btn btn-success" value="Delete Selected" /> </form> </div> </div> </div> </div> </div> </div>Please note that deleting works fine. Adding is done from a separate file.
Any help would be appreciated.
Cheers,
Dan
-
Hi bananamen,
Thank you so much. I really appreciate you taking the time to help.
The issues of html vanishing has been resolved as is the correct name being displayed, thanks to your instructions.
Regarding PDO and password_hash, I will be changing over to these when I get home later.
Thanks so much again. You are a legend.
Cheers,
Danno
-
No. What you have is nothing close to login code. I will let someone else take it from here.
As I said, the above code is not the login. This is the Index after login is completed.
Here is the login code:
<?php // Coach Manager // Version 0.0.0.1 // Author Dan O'Riordan session_start(); if (isset($_SESSION['id'])) { header("Location: index.php"); } include_once 'includes/config.php'; include_once 'includes/db_connect.php'; //check if form is submitted if (isset($_POST['login'])) { $email = mysqli_real_escape_string($mysqli, $_POST['email']); $password = mysqli_real_escape_string($mysqli, $_POST['password']); $psalt = 'eghriwugfro78974togfg0487tr'; $password = hash('sha256', $password); $result = mysqli_query($mysqli, "SELECT * FROM admin_users WHERE email = '" . $email. "' and password = '" .$password . "'"); if ($row = mysqli_fetch_array($result)) { $_SESSION['id'] = $row['id']; $_SESSION['fname'] = $row['fname']; header("Location: index.php"); } else { $errormsg = "Incorrect Email or Password Combination!"; } } ?> <!DOCTYPE html> <html > <head> <meta charset="UTF-8"> <title>Tour Manager | Login</title> <!-- FONTAWESOME STYLES--> <link rel="stylesheet" href="assets/font-awesome/css/font-awesome.min.css" rel="stylesheet" /> <link rel='stylesheet prefetch' href='http://netdna.bootstrapcdn.com/bootstrap/3.0.2/css/bootstrap.min.css'> <link href="css/styles.css" rel="stylesheet"> </head> <body> <div id="loginModal" class="modal show" tabindex="-1" role="dialog" aria-hidden="true"> <div class="modal-dialog"> <div class="modal-content"> <div class="modal-header"> <h1 class="text-center">Tour Manager</h1> </div> <div class="modal-body"> <form class="form-signin" role="form" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" name="loginform"> <div class="form-group"> <input type="text" name="email" required class="form-control input-lg" placeholder="Email"> </div> <div class="form-group"> <input type="password" name="password" required class="form-control input-lg" placeholder="Password"> </div> <div class="form-group"> <button class="btn btn-primary btn-lg btn-block" name="login">Sign In</button> <span class="text-danger"><strong><?php if (isset($errormsg)) { echo $errormsg; } ?></strong></span> </div> </form> </div> <div class="modal-footer"> <div class="col-md-12"> Powered by <a href="http://www.danethical.com" target="_blank">Tour Manager</a> </div> </div> </div> </div> </div> <!-- script references --> <script src="//ajax.googleapis.com/ajax/libs/jquery/2.0.2/jquery.min.js"></script> <script src="js/bootstrap.min.js"></script> </body> </html> <?php Exit(); ?>Cheers
-
How do you expect to login a particular user without a WHERE condition? Of course you are going to keep getting the same user.
Hi.
Thanks for the reply.
I have tried even putting
WHERE id = $_SESSION['id'];
And that also makes the html vanish.
Also note, login is working fine. The OP shows the code from the start of index.php after login.
-
Hi folks,
This issue has me baffled with days.
I have a query string which works fine. The idea is to display the name of the logged in user, with SESSION. However, if I use the query string without LIMIT 1 on the end, the header area vanishes. If I put it back in, it appears again.
Also, I have 2 users registered for testing. But no matter what account I login with, it still shows the same name.
Here is the area of code that is playing up, including the HTML area where the name of the logged in user is displayed.
include 'templates/header.php'; $result = mysqli_query($mysqli, "SELECT * FROM admin_users LIMIT 1"); if ($row = mysqli_fetch_array($result)) { include 'templates/navbar.php'; $_SESSION['fname'] = $row['fname']; ?> <div class="dcm-content-wrapper"> <div class="dcm-content"> <h1><i class="fa fa-home"></i> Dashboard</h1> <p>Hello <?php echo $_SESSION['fname']; ?> You are logged in as Admin!</p> <?php } ?>Please note that SESSION_START() is in the header.php file.
Any help is greatly appreciated.
Dynamically Creating Page - Placeholders Not Working
in PHP Coding Help
Posted
Hi all,
Hope to find you all good.
I have the following, which creates a php file. This works fine and without error. However, once created, the content of the page, which is got from the Database, is not showing.
My guess is the placeholder section is not working.
Here is template.php
Please note that this is just a project and will not be going live. It's for learning purposes and I am aware there are some vulnerabilities within parts of the code. Any assistance with the above issues though would really be appreciated.
Thanks and have a ripper evening.