I only want this displayed if a value other than 'all' is chosen from the third dropdown, $c:

echo "<TD width=30% height=100>". rating_bar($rows['id'],'6','static')."<a href='jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}'>Rate </a> </TD>";

How can that be done?

echo "<form name='search' action=".$_SERVER['PHP_SELF']." method='post'> 
        <table width='50%' align='center' valign='center'> 
        
	<tr> 
          <td colspan='2' align='center'>Search</td> 
        </tr> 
        <tr> 
          <td align='right'>a:</td><td>$a</td> 
        </tr> 
        <tr> 
          <td align='right'>b:</td><td>$b</td> 
        </tr> 
        <tr> 
          <td align='right'>c:</td><td>$c</td> 
        </tr> 
        <tr> 
          <td colspan='2' align='center'> </td> 
        </tr> 
        <tr> 
          <td colspan='2' align='center'><input type='submit' name='submit' value='Go!'></td> 
        </tr> 

        </table> 
        </form>"; 

}//end function 


/*------------------------------------------------------------------------ 
            run the search and show the results 
------------------------------------------------------------------------*/
function search() 
{ 
  mysql_connect("localhost", "***", "****") or die(mysql_error());
  mysql_select_db("****") or die(mysql_error());

  //base sql 
  $sql = "select * from behandlere WHERE 1=1"; 

  //get the values from the form //NOTE: You should do way more validation on the values before you attempt to process anything   
  if ((!empty($_POST['a'])) && ($_POST['a'] != 'all'))  
  {     $sql .= " and a like '". mysql_real_escape_string($_POST['a'])."%' ";   }     
  if ((!empty($_POST['b'])) && ($_POST['b'] != 'all'))  
  {     $sql .= " and b like '". mysql_real_escape_string($_POST['b'])."%' ";   }    
  if ((!empty($_POST['c'])) && ($_POST['c'] != 'all'))  
  {     $sql .= " and c = '". mysql_real_escape_string($_POST['c'])."' ";   } 

  // ADD ORDER BY  
  $sql .= ' order by total_value DESC ';

  // run the query (the query and fetch loop were missing from the post as pasted)
  $result = mysql_query($sql) or die(mysql_error());

  // open the table and print the header row once, before the loop, not inside it
  echo "<TABLE width=100% height=100 border='0' cellpadding='5' cellspacing='10'>";
  echo "<TR>";
    echo "<TH scope='col' abbr='a'><u>a</u></TH>";
    echo "<TH scope='col' abbr='rating'><u>Rating</u></TH>";
    echo "<TH scope='col'><u>comments</u></TH>";
  echo "</TR>";

  while ($rows = mysql_fetch_assoc($result))
  {
    echo "<TR>";
    // NOTE: column values are written straight into HTML and into link query strings;
    // they should go through htmlspecialchars() / urlencode() before output
    echo "<TD width=20% height=100 scope='row'>". $rows['a'] ."<p> ". $rows['na'] ."<p> ". $rows['ad'] ."<p> ". $rows['postnr'] .", ". $rows['by'] ."<p> ". $rows['tl'] ."</TD>";
    echo "<TD width=30% height=100>". rating_bar($rows['id'],'6','static')."<a href='jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}'>Rate </a> </TD>";
    echo "<TD width=30% height=100><a href='komment.php?na={$rows['na']}&id={$rows['id']}&a={$rows['a']}'>Read comments</a> </TD>";
    echo "</TR>"; 
  }  
  echo "</table>";
}

Well, what are the "valid" values of the $c select list, what is the value of the All option, and what is the name of that select list?

 

You should always validate user input. Even though you are using a select list, a malicious user CAN post values not in the select list. So you should always validate against the "approved" values. Also, to make it easier I would give the all option an empty value.

You would validate the selected value by doing a database query on the processing page. Something like:

SELECT name FROM table WHERE name = '$search_value'

 

Anyway, once you validate that the selected value exists in the database (or is all) you could use the following to decide whether or not to display the line above

if($_POST['search'] != 'all')
{
    echo "<td width=\"30%\" height=\"100\">";
    echo rating_bar($rows['id'],'6','static');
    echo "<a href=\"jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}\">Rate</a>";
    echo "</td>";
}

I'm not sure where in the code to validate the selected value, isn't that what i'm doing this part of the code?

//base sql
mysql_connect("localhost", "***", "****") or die(mysql_error());
mysql_select_db("****") or die(mysql_error());
$sql = "select  * from behandlere WHERE 1=1"; 

 

Huh? That code doesn't do anything. It does a database query for all the fields in the table 'behandlere' and uses a WHERE clause that serves no purpose.

 

I already provided a solution for your original query, is that solved?

 

As for the validation, I'm not sure what you are alluding to above, but let me spell it out for you. I "assume" the values for the select list are from the database in the table 'behandlere'. So, the form should do a query to get the values - and only the values. Example:

$query = "SELECT name FROM `behandlere` ORDER BY name";

 

Then use the results of that query to build the select list options. Then on the processing page you will want to validate that the submitted value is from that list. Otherwise a malicious user can submit values you did not intend. So, you would do a query on the processing page to ensure the posted value is in the database. Rough example:

$search = mysql_real_escape_string($_POST['search']);
// table name in backticks (single quotes would turn it into a string literal)
$query = "SELECT name FROM `behandlere` WHERE name='$search'";
$result = mysql_query($query);
if(mysql_num_rows($result)!=1)
{
    echo "Invalid search value";
}
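Putting the two replies together (the allow-list check of the posted value against the table, and the Rate cell shown only when a specific value was chosen), as an added example that is not code from this thread: it uses mysqli prepared statements instead of the mysql_* functions and escapes everything it outputs. Assumptions: the select list's values come from column c of behandlere (the reply above used a column called name), rating_bar() is the thread's own function, and the credentials are placeholders.

```php
<?php
// Added example, not from the thread. Assumes the select-list values come from
// column c of behandlere; credentials below are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$db->set_charset('utf8mb4');

// Returns '' for "no filter", the value itself if it exists in the table,
// or null if it is not one of the approved values (e.g. a hand-crafted POST).
function validated_c(mysqli $db, string $posted): ?string
{
    if ($posted === '' || $posted === 'all') {
        return '';
    }
    $stmt = $db->prepare('SELECT 1 FROM behandlere WHERE c = ? LIMIT 1');
    $stmt->bind_param('s', $posted);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows === 1 ? $posted : null;
}

$c = validated_c($db, $_POST['c'] ?? '');
if ($c === null) {
    exit('Invalid search value');
}

// The filter is a bound parameter, so the posted value never becomes part of the SQL text.
if ($c !== '') {
    $stmt = $db->prepare('SELECT id, a, na, c FROM behandlere WHERE c = ? ORDER BY total_value DESC');
    $stmt->bind_param('s', $c);
} else {
    $stmt = $db->prepare('SELECT id, a, na, c FROM behandlere ORDER BY total_value DESC');
}
$stmt->execute();
$result = $stmt->get_result();

// Escape every column value for HTML; build the link query string with http_build_query()
// so '&' or quotes inside a name cannot break out of the href.
$h = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
echo '<table>';
while ($row = $result->fetch_assoc()) {
    echo '<tr><td>' . $h($row['a']) . '<br>' . $h($row['na']) . '</td>';
    if ($c !== '') {   // Rate cell only when a specific c was chosen
        $qs = http_build_query(['id' => $row['id'], 'na' => $row['na'], 'c' => $row['c'], 'a' => $row['a']]);
        echo '<td>' . rating_bar($row['id'], '6', 'static')
           . ' <a href="jadak.php?' . $h($qs) . '">Rate</a></td>';
    }
    echo '</tr>';
}
echo '</table>';
```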
