First PHP Progrm Need help/advice

[AMERLOC]

Hi all,

 

I am currently learning PHP5/mysql and I am attempting to creat a simple Search form. I have put the code I have been writing below. It actually works and does what I want but I am sure there are alot of things I am missing and would be interested if someone could have a look at it.

 

Basically it is going to be used to search my properties database by coountry, destination etc.. and only used for referencing. I couldn't seem to get any pagination script I found on the net to work so I created this to get the job done ^^. Well I am learning.

 

Look forward to joining you community .

 

_<?php

_{//This is the Start of limiting my search output and assiging a Value to a variable that is stored to enable my form buttons for next ten results^^}

_{//my adding function}

_{function add($x,$y)}

_{

_{$total=$x+$y;}

_{return $total;}

_}

_{$dts=$_POST['count'];}

_{$number = 10;}

_{if ($dts == '')}

_{

_{$a = 0;}

_}

_{else {}

_{/*$a = add($_POST['lit'], 10);*/}

_{$a = $number;}

_{echo "variable a". $a;}

_}

_{if ($a <= 10) {}

_{$b = 0;}

_$c=$b;

_}

_{if ($a >= 10){}

_{//here I found how to set the variable to 0 using the .add(x,x); function}

_{$c = add($_POST['lit'], 0);}

_}

 

_{echo $a;}

_{echo "<br/>";}

_{echo $b;}

_{echo "<br/>";}

_{echo "c=".$c;}

_{echo "<br/>";}

 

_{$max_results = 10;}

_{$mr = $c;}

_{//here I store the count in $store}

_{$store[10] = $mr + 10;}

_{echo "minimum total" . $mr;}

_{echo "<br>";}

_{echo "Total Stored" . $store[10];}

_{echo "<br>";}

_{echo "Country Variable" . $dts;}

_?>

_{<table border="0">}

  _<tr>

    _{<td><form method="POST" action="">}

_{<input name="lit" id="lit" type="hidden" value=<? echo $store; ?> />}

_{<input name="count" id="count" type="hidden" value=<? echo $dts; ?> />}

_{<input type="submit" value="<">}

_</form></td>

    _{<td><form method="POST" action="">}

_{<input name="lit" id="lit" type="hidden" value=<? echo $store[10]; ?> />}

_{<input name="count" id="count" type="hidden" value=<? echo $dts; ?> />}

_{<input type="submit" value=">">}

_</form></td>

  _</tr>

_</table>

 

 

 

_<?php

_{if(is_resource($link))}

    _{

    _{/*** select the database we wish to use ***/}

    _{if(mysql_select_db($dbname, $link) === TRUE)}

        _{

        _{/*** sql to SELECT information***/}

        _{$sql1 = "SELECT * FROM {table} WHERE Country='$dts' ";}

 

        _{/*** run the query ***/}

        _{$result2 = mysql_query($sql1);}

_{//Count the number of Rows}

_{$num_rows = mysql_num_rows($result2);}

_{print "There are $num_rows records.<br>";}

_}}

_?>

_{<table border="1" width="50%"><tr><td>Hotel</td><td>Lowest Rate</td><td>Highest Rate</td><td>City</td></tr>}

_<?php

 

_{if(is_resource($link))}

    _{

    _{/*** select the database we wish to use ***/}

    _{if(mysql_select_db($dbname, $link) === TRUE)}

        _{

        _{/*** sql to SELECT information***/}

        _{$sql = "SELECT * FROM {table} WHERE Country='$dts' LIMIT $mr,$max_results";}

 

        _{/*** run the query ***/}

        _{$result = mysql_query($sql);}

 

        _{/*** check if the result is a valid resource ***/}

        _{if(is_resource($result))}

            _{

            _{/*** check if we have more than zero rows ***/}

            _{if(mysql_num_rows($result) !== 0)}

                _{

                _{while($row=mysql_fetch_array($result))}

                    _{

                    _{echo '<tr>}

                    _{<td>'.$row['Name'].'</td>}

_{<td>'.$row['PropertyDescription'].'</td>}

_{<td>'.$row['City'].'</td>}

                    _{<td>'.$row['LowRate'].'</td>}

                    _{<td>'.$row['HighRate'].'</td>}

                    _</tr>';

                    _}

                _}

            _else

                _{

                _{/*** if zero results are found.. ***/}

                _{echo 'Zero results found';}

                _}

            _}

        _else

            _{

            _{/*** if the resource is not valid ***/}

 

            _{echo 'No valid resource found';}

            _}

        _}

    _{/*** if we are unable to select the database show an error ***/}

    _else

        _{

        _{echo 'Unable to select database';}

        _}

    _{/*** close the connection ***/}

    _{mysql_close($link);}

    _}

_else

    _{

    _{/*** if we fail to connect ***/}

    _{echo 'Unable to connect';}

    _}

_?>

[phpSensei]

You can generate much faster queries by doing

 

SELECT column1,column2,column2 FROM table WHERE..etc

 

than

 

SELECT * FROM table WHERE

[phpSensei]

<?php
if(is_resource($link))

 

 

???

 

 

    $result = mysql_query($sql);

 

your queries must end with

 

    $result = mysql_query($sql); or die(mysql_error());

 

for debugging

[trq]

<?php
if(is_resource($link))

 

 

???

 

 

    $result = mysql_query($sql);

 

your queries must end with

 

    $result = mysql_query($sql); or die(mysql_error());

 

for debugging

 

The use of 'or die' even for debugging is a terrible habit to get into. Trigger an error instead, at least this way you can simply turn your error reporting off in production.

[phpSensei]

<?php
if(is_resource($link))

 

 

???

 

 

    $result = mysql_query($sql);

 

your queries must end with

 

    $result = mysql_query($sql); or die(mysql_error());

 

for debugging

 

The use of 'or die' even for debugging is a terrible habit to get into. Trigger an error instead, at least this way you can simply turn your error reporting off in production.

 

Why? It works, and isnt mysql errors something you never want to turn off? Your entire page would be blank anyways

[trq]

Why? It works, and isnt mysql errors something you never want to turn off? Your entire page would be blank anyways

 

mysql errors are the worst kind of errors you would ever want displayed on your site for obvious security reasons.

[phpSensei]

Why? It works, and isnt mysql errors something you never want to turn off? Your entire page would be blank anyways

 

mysql errors are the worst kind of errors you would ever want displayed on your site for obvious security reasons.

 

Very true I always make sure to run it on my WAMPSERVER first before uploading it

[trq]

Why? It works, and isnt mysql errors something you never want to turn off? Your entire page would be blank anyways

 

mysql errors are the worst kind of errors you would ever want displayed on your site for obvious security reasons.

 

Very true I always make sure to run it on my WAMPSERVER first before uploading it

 

I don't see what that has to do with anything. On production servers errors should be logged not displayed. This can't be done if your script simply dies displaying an mysql error.

[phpSensei]

Why? It works, and isnt mysql errors something you never want to turn off? Your entire page would be blank anyways

 

mysql errors are the worst kind of errors you would ever want displayed on your site for obvious security reasons.

 

Very true I always make sure to run it on my WAMPSERVER first before uploading it

 

I don't see what that has to do with anything. On production servers errors should be logged not displayed. This can't be done if your script simply dies displaying an mysql error.

 

I wasnt talking about live sites, you are correct that errors are logged on production servers. I was simply stating that solid errors that have to do with scripting, not errors caused by inputted data. If theres an error in your mysql and if your site is very secure, theres no harm in the public seeing it.

[trq]

If theres an error in your mysql and if your site is very secure, theres no harm in the public seeing it.

 

Why would you want the public to see mysql errors that may give hints as to your schema's design? You don't, end of story.

[phpSensei]

If theres an error in your mysql and if your site is very secure, theres no harm in the public seeing it.

 

Why would you want the public to see mysql errors that may give hints as to your schema's design? You don't, end of story.

 

lol how can you be that insecure of your coding? If I knew the name of your database tables, how would that be a security risk unless you could actually write a script to change my database? Or through HTTP VARS? All im sayin is that if your site is SECURE, theres no gateway for the user to come in and use the names of the database tables to his/her own advantage..

[trq]

If your that confident, go ahead broadcast your schema. I'll keep mine to myself thanks.

[roopurt18]

While I agree with phpSensei in theory, in practice the less people know about the internals of your site the better.

 

I see no reason to use code such as this:

mysql_query( "select ..." ) or die( mysql_error() );

 

One of the first things I do on any new project is:

error_reporting( 0xffffffff );
set_error_handler( 'my_custom_error_handler' );

function my_custom_error_handler( /* whatever the arguments are */ ) {
  // append the error to a file
}

 

It doesn't look exactly like that but since you're going to be setting up error logging anyways for production you might as well use it all the way through.  Then my code would look more like:

$q = mysql_query( $sql );
if( !$q ) {
  trigger_error( $sql . ' caused error ' . mysql_error() );
}

 

Now I only have to refer to my error.log to see what went wrong and I don't have to worry about giving away more info than I intend to visitors.

[JonathanV]

I'll have to put a vote up for thorpe here. I really do think it's a good habit to always use a simple error trigger for both security reasons and the simple idea that users rather see nothing instead of a big fat error.