AMERLOC Posted August 2, 2009

Hi all, I am currently learning PHP5/mysql and I am attempting to create a simple search form. I have put the code I have been writing below. It actually works and does what I want, but I am sure there are a lot of things I am missing and would be interested if someone could have a look at it. Basically it is going to be used to search my properties database by country, destination etc., and only used for referencing. I couldn't seem to get any pagination script I found on the net to work, so I created this to get the job done ^^. Well, I am learning. Look forward to joining your community.

<?php
// This is the start of limiting my search output and assigning a value to a
// variable that is stored to enable my form buttons for the next ten results ^^
// (assumes $link and $dbname were set by a database connection include that is
// not shown in this post)

// my adding function
function add($x, $y)
{
    $total = $x + $y;
    return $total;
}

$dts = isset($_POST['count']) ? $_POST['count'] : '';   // country to search for
$lit = isset($_POST['lit']) ? (int) $_POST['lit'] : 0;  // row offset carried by the buttons
$number = 10;

if ($dts == '') {
    $a = 0;
} else {
    /* $a = add($_POST['lit'], 10); */
    $a = $number;
    echo "variable a " . $a;
}

$b = 0;
$c = $b;
if ($a >= 10) {
    // here I found how to set the variable to 0 using the add(x, x) function
    $c = add($lit, 0);
}

// debug output
echo $a; echo "<br/>";
echo $b; echo "<br/>";
echo "c=" . $c; echo "<br/>";

$max_results = 10;
$mr = $c;                              // offset of the first row on this page
// here I store the offsets for the previous and next page in $store
$store[0]  = max(0, $mr - $max_results);
$store[10] = $mr + $max_results;

echo "minimum total " . $mr; echo "<br>";
echo "Total Stored " . $store[10]; echo "<br>";
echo "Country Variable " . htmlspecialchars($dts);
?>
<table border="0">
  <tr>
    <td>
      <form method="POST" action="">
        <input name="lit" id="lit_prev" type="hidden" value="<?php echo $store[0]; ?>" />
        <input name="count" id="count_prev" type="hidden" value="<?php echo htmlspecialchars($dts); ?>" />
        <input type="submit" value="<">
      </form>
    </td>
    <td>
      <form method="POST" action="">
        <input name="lit" id="lit_next" type="hidden" value="<?php echo $store[10]; ?>" />
        <input name="count" id="count_next" type="hidden" value="<?php echo htmlspecialchars($dts); ?>" />
        <input type="submit" value=">">
      </form>
    </td>
  </tr>
</table>
<?php
if (is_resource($link)) {
    /*** select the database we wish to use ***/
    if (mysql_select_db($dbname, $link) === TRUE) {
        /*** escape the posted country before it goes into the SQL ***/
        $safe_dts = mysql_real_escape_string($dts, $link);
        /*** sql to SELECT information ***/
        $sql1 = "SELECT * FROM {table} WHERE Country='$safe_dts'";
        /*** run the query ***/
        $result2 = mysql_query($sql1);
        // Count the number of rows
        if (is_resource($result2)) {
            $num_rows = mysql_num_rows($result2);
            print "There are $num_rows records.<br>";
        }
    }
}
?>
<table border="1" width="50%">
  <tr><td>Hotel</td><td>Description</td><td>City</td><td>Lowest Rate</td><td>Highest Rate</td></tr>
<?php
if (is_resource($link)) {
    /*** select the database we wish to use ***/
    if (mysql_select_db($dbname, $link) === TRUE) {
        /*** escape the country and force the LIMIT values to integers ***/
        $safe_dts = mysql_real_escape_string($dts, $link);
        $mr = (int) $mr;
        $max_results = (int) $max_results;
        /*** sql to SELECT information ***/
        $sql = "SELECT * FROM {table} WHERE Country='$safe_dts' LIMIT $mr,$max_results";
        /*** run the query ***/
        $result = mysql_query($sql);
        /*** check if the result is a valid resource ***/
        if (is_resource($result)) {
            /*** check if we have more than zero rows ***/
            if (mysql_num_rows($result) !== 0) {
                while ($row = mysql_fetch_array($result)) {
                    echo '<tr>'
                       . '<td>' . htmlspecialchars($row['Name']) . '</td>'
                       . '<td>' . htmlspecialchars($row['PropertyDescription']) . '</td>'
                       . '<td>' . htmlspecialchars($row['City']) . '</td>'
                       . '<td>' . htmlspecialchars($row['LowRate']) . '</td>'
                       . '<td>' . htmlspecialchars($row['HighRate']) . '</td>'
                       . '</tr>';
                }
            } else {
                /*** if zero results are found.. ***/
                echo 'Zero results found';
            }
        } else {
            /*** if the resource is not valid ***/
            echo 'No valid resource found';
        }
    } else {
        /*** if we are unable to select the database show an error ***/
        echo 'Unable to select database';
    }
    /*** close the connection ***/
    mysql_close($link);
} else {
    /*** if we fail to connect ***/
    echo 'Unable to connect';
}
?>
</table>
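The same country search with next/previous paging, written here as an added example (it is not AMERLOC's code) using PDO prepared statements, so the posted country value and the page offset are bound as parameters rather than concatenated into the SQL string, and every value echoed into the page is HTML-escaped. The table name `properties`, the `page` form field, the DSN and the credentials are assumptions; the column names and the `count` field are the ones used in the post.

```php
<?php
// Added example (not the original poster's code): country search plus paging
// with PDO prepared statements. Table name, DSN and credentials are placeholders.

$pageSize = 10;

// Read the request: the country is a string we bind as a value, the page
// number is forced to a non-negative integer before it becomes an OFFSET.
$country = isset($_POST['count']) ? (string) $_POST['count'] : '';
$page    = isset($_POST['page']) ? max(0, (int) $_POST['page']) : 0;
$offset  = $page * $pageSize;

// Connection details are placeholders for this example.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
               'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // failures throw, nothing is echoed
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Total matches, used to decide whether a "next" button makes sense.
$countStmt = $pdo->prepare('SELECT COUNT(*) FROM properties WHERE Country = :country');
$countStmt->execute([':country' => $country]);
$total = (int) $countStmt->fetchColumn();

// One page of rows. LIMIT/OFFSET are bound as integers: with emulated prepares
// off, MySQL would reject a string-bound offset.
$rowsStmt = $pdo->prepare(
    'SELECT Name, PropertyDescription, City, LowRate, HighRate
       FROM properties WHERE Country = :country
      ORDER BY Name LIMIT :limit OFFSET :offset'
);
$rowsStmt->bindValue(':country', $country, PDO::PARAM_STR);
$rowsStmt->bindValue(':limit', $pageSize, PDO::PARAM_INT);
$rowsStmt->bindValue(':offset', $offset, PDO::PARAM_INT);
$rowsStmt->execute();
$rows = $rowsStmt->fetchAll();

// Helper so every value printed into HTML is escaped.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

echo 'There are ' . $total . ' records.<br>';

// Previous / next buttons carry only a page number; the country is re-sent.
$hasPrev = $page > 0;
$hasNext = $offset + $pageSize < $total;
foreach ([['<', $page - 1, $hasPrev], ['>', $page + 1, $hasNext]] as list($label, $target, $enabled)) {
    if (!$enabled) {
        continue;
    }
    echo '<form method="post" action="">'
       . '<input type="hidden" name="count" value="' . h($country) . '">'
       . '<input type="hidden" name="page" value="' . (int) $target . '">'
       . '<input type="submit" value="' . h($label) . '">'
       . '</form>';
}

echo '<table border="1"><tr><th>Hotel</th><th>Description</th><th>City</th>'
   . '<th>Lowest Rate</th><th>Highest Rate</th></tr>';
if (count($rows) === 0) {
    echo '<tr><td colspan="5">Zero results found</td></tr>';
}
foreach ($rows as $row) {
    echo '<tr>';
    foreach (['Name', 'PropertyDescription', 'City', 'LowRate', 'HighRate'] as $col) {
        echo '<td>' . h($row[$col]) . '</td>';
    }
    echo '</tr>';
}
echo '</table>';
```

Because the buttons only ever send a page number, there is no stored offset to tamper with, and `max(0, (int) ...)` means a negative or non-numeric value simply lands on the first page. The `ERRMODE_EXCEPTION` setting pairs with the error-handling discussion later in the thread: a failed query throws instead of printing anything, so what reaches the visitor is decided by your exception handler, not by MySQL.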
phpSensei Posted August 2, 2009

You can generate much faster queries by doing SELECT column1,column2,column3 FROM table WHERE ... etc. than SELECT * FROM table WHERE
phpSensei Posted August 2, 2009

<?php if(is_resource($link)) ???

$result = mysql_query($sql);

your queries must end with $result = mysql_query($sql) or die(mysql_error()); for debugging
trq Posted August 2, 2009

> your queries must end with $result = mysql_query($sql) or die(mysql_error()); for debugging

The use of 'or die' even for debugging is a terrible habit to get into. Trigger an error instead; at least this way you can simply turn your error reporting off in production.
phpSensei Posted August 2, 2009

> The use of 'or die' even for debugging is a terrible habit to get into. Trigger an error instead; at least this way you can simply turn your error reporting off in production.

Why? It works, and aren't mysql errors something you never want to turn off? Your entire page would be blank anyways.
trq Posted August 2, 2009

> Why? It works, and aren't mysql errors something you never want to turn off? Your entire page would be blank anyways.

mysql errors are the worst kind of errors you would ever want displayed on your site, for obvious security reasons.
phpSensei Posted August 2, 2009

> mysql errors are the worst kind of errors you would ever want displayed on your site, for obvious security reasons.

Very true. I always make sure to run it on my WAMPSERVER first before uploading it.
trq Posted August 2, 2009

> Very true. I always make sure to run it on my WAMPSERVER first before uploading it.

I don't see what that has to do with anything. On production servers errors should be logged, not displayed. This can't be done if your script simply dies displaying a mysql error.
phpSensei Posted August 2, 2009

> I don't see what that has to do with anything. On production servers errors should be logged, not displayed. This can't be done if your script simply dies displaying a mysql error.

I wasn't talking about live sites; you are correct that errors are logged on production servers. I was simply referring to solid errors that have to do with scripting, not errors caused by inputted data. If there's an error in your mysql and your site is very secure, there's no harm in the public seeing it.
trq Posted August 2, 2009

> If there's an error in your mysql and your site is very secure, there's no harm in the public seeing it.

Why would you want the public to see mysql errors that may give hints as to your schema's design? You don't, end of story.
phpSensei Posted August 2, 2009

> Why would you want the public to see mysql errors that may give hints as to your schema's design? You don't, end of story.

lol, how can you be that insecure about your coding? If I knew the name of your database tables, how would that be a security risk unless you could actually write a script to change my database? Or through HTTP vars? All I'm saying is that if your site is SECURE, there's no gateway for the user to come in and use the names of the database tables to his/her own advantage.
trq Posted August 3, 2009

If you're that confident, go ahead and broadcast your schema. I'll keep mine to myself, thanks.
roopurt18 Posted August 3, 2009

While I agree with phpSensei in theory, in practice the less people know about the internals of your site the better. I see no reason to use code such as this:

mysql_query( "select ..." ) or die( mysql_error() );

One of the first things I do on any new project is:

error_reporting( 0xffffffff );
set_error_handler( 'my_custom_error_handler' );

function my_custom_error_handler( $errno, $errstr, $errfile, $errline )
{
    // append the error to a file
    error_log( "$errstr in $errfile on line $errline\n", 3, 'error.log' );
}

It doesn't look exactly like that, but since you're going to be setting up error logging anyways for production you might as well use it all the way through. Then my code would look more like:

$q = mysql_query( $sql );
if( !$q ) {
    trigger_error( $sql . ' caused error ' . mysql_error() );
}

Now I only have to refer to my error.log to see what went wrong, and I don't have to worry about giving away more info than I intend to visitors.
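A complete version of the log-instead-of-display pattern that trq argues for and roopurt18 sketches, as an added example (it is neither poster's own code): display_errors is off, every error is appended to a log file by a custom handler, and a failed query is reported with trigger_error and stops the request with a neutral message, so the SQL text and MySQL's error message never reach the browser. It uses the mysqli procedural functions in place of the old mysql_* ones; the log path, connection details and query are assumptions.

```php
<?php
// Added example (not code from the thread): production-style error handling.
// Log path and database connection details are placeholders.

ini_set('display_errors', '0');                 // never render errors into the page
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/error.log');   // assumption: writable by the web server
error_reporting(E_ALL);

// Every PHP error, including the ones we trigger ourselves, lands in the log.
function my_custom_error_handler($errno, $errstr, $errfile, $errline)
{
    // Respect the current error_reporting mask (and the @ operator).
    if (!(error_reporting() & $errno)) {
        return false;
    }
    $line = sprintf("[%s] level %d: %s in %s:%d\n",
                    date('c'), $errno, $errstr, $errfile, $errline);
    error_log($line, 3, ini_get('error_log'));  // type 3 = append to the given file

    // A query failure is fatal for this request, but the visitor only sees a
    // generic message, never the SQL or MySQL's own text.
    if ($errno === E_USER_ERROR) {
        http_response_code(500);
        echo 'Sorry, something went wrong.';
        exit(1);
    }
    return true;  // handled; PHP's default handler does not run
}
set_error_handler('my_custom_error_handler');

// Make mysqli report failures by return value so the check below applies
// (since PHP 8.1 it throws by default instead).
mysqli_report(MYSQLI_REPORT_OFF);

// Replacement for `mysql_query($sql) or die(mysql_error())`: on failure the
// SQL and the MySQL error go to the log, the caller never sees either.
function run_query($link, $sql)
{
    $result = mysqli_query($link, $sql);
    if ($result === false) {
        trigger_error($sql . ' caused error ' . mysqli_error($link), E_USER_ERROR);
    }
    return $result;
}

// Usage (connection details are placeholders for this example):
$link = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($link === false) {
    trigger_error('database connection failed: ' . mysqli_connect_error(), E_USER_ERROR);
}
$result = run_query($link, 'SELECT Name, City FROM properties ORDER BY Name LIMIT 10');
while ($row = mysqli_fetch_assoc($result)) {
    echo htmlspecialchars($row['Name']) . ' (' . htmlspecialchars($row['City']) . ')<br>';
}
mysqli_close($link);
```

The handler is installed before any database work, so a failure anywhere in the request, not just in `run_query`, takes the same path: one line in `error.log` with the file and line, a 500 status, and nothing about the schema in the response. During development you can flip `display_errors` back on in php.ini without touching the code, which is the point trq makes about being able to turn reporting off in production.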
JonathanV Posted August 3, 2009

I'll have to put a vote up for thorpe here. I really do think it's a good habit to always use a simple error trigger, both for security reasons and for the simple reason that users would rather see nothing than a big fat error.