kvnirvana Posted May 21, 2010

I only want this displayed if a value which is not all is chosen from the third dropdown ($c):

echo "<TD width=30% height=100>". rating_bar($rows['id'],'6','static')."<a href='jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}'>Rate </a> </TD>";

How can that be done?

echo "<form name='search' action=".$_SERVER['PHP_SELF']." method='post'>
<table width='50%' align='center' valign='center'>
<tr> <td colspan='2' align='center'>Search</td> </tr>
<tr> <td align='right'>a:</td><td>$a</td> </tr>
<tr> <td align='right'>b:</td><td>$b</td> </tr>
<tr> <td align='right'>c:</td><td>$c</td> </tr>
<tr> <td colspan='2' align='center'> </td> </tr>
<tr> <td colspan='2' align='center'><input type='submit' name='submit' value='Go!'></td> </tr>
</table>
</form>";
}//end function

/*------------------------------------------------------------------------
run the search and show the results
------------------------------------------------------------------------*/
function search()
{
    //base sql
    mysql_connect("localhost", "***", "****") or die(mysql_error());
    mysql_select_db("****") or die(mysql_error());
    $sql = "select * from behandlere WHERE 1=1";

    //get the values from the form
    //NOTE: You should do way more validation on the values before you attempt to process anything
    if ((!empty($_POST['a']))&&($_POST['a'] != 'all')) {
        $sql .= " and a like '". mysql_real_escape_string($_POST['a'])."%' ";
    }
    if ((!empty($_POST['b']))&&($_POST['b'] != 'all')) {
        $sql .= " and b like '". mysql_real_escape_string($_POST['b'])."%' ";
    }
    if ((!empty($_POST['c']))&&($_POST['c'] != 'all')) {
        $sql .= " and c = '". mysql_real_escape_string($_POST['c'])."' ";
    }

    // ADD ORDER BY
    $sql .= ' order by total_value DESC ';

    // run the query and loop over the rows (this step was missing from the post, so $rows was never set)
    $result = mysql_query($sql) or die(mysql_error());
    while ($rows = mysql_fetch_assoc($result)) {
        echo "</TR>";
        echo "<TR>";
        echo "<TH scope='col' abbr='a'><u>a</u></TH>";
        echo "<TH scope='col' abbr='rating'><u>Rating</u></TH>";
        echo "<TH scope='col'><u>comments</u></TH>";
        echo "</TR>";
        echo "<TR>";
        echo "<TD width=20% height=100 scope='row'>". $rows['a'] ."<p> ". $rows['na'] ."<p> ". $rows['ad'] ."<p> ". $rows['postnr'] .", ". $rows['by'] ."<p> ". $rows['tl'] ."</TD>";
        echo "<TD width=30% height=100>". rating_bar($rows['id'],'6','static')."<a href='jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}'>Rate </a> </TD>";
        echo "<TD width=30% height=100><a href='komment.php?na={$rows['na']}&id={$rows['id']}&a={$rows['a']}'>Read comments</a> </TD>";
        echo "<TABLE width=100% height=100 border='0' cellpadding='5' cellspacing='10'><hr>";
        echo "</TR>";
    }
    echo "</table>";
}
Psycho Posted May 21, 2010

Well, what are the "valid" values of the $c select list, what is the value of the All option, and what is the name of that select list?

You should always validate user input. Even though you are using a select list, a malicious user CAN post values not in the select list. So you should always validate against the "approved" values. Also, to make it easier I would give the all option an empty value.
kvnirvana Posted May 22, 2010 (Author)

The valid values of the $c select list are values generated from MySQL except the value 'all', and the value of the All option is 'all'. The name of the select list is 'search' I guess? How do I validate against the "approved" values?
Psycho Posted May 22, 2010

You would validate the selected value by doing a database query on the processing page. Something like:

SELECT name FROM table WHERE name = '$search_value'

Anyway, once you validate that the selected value exists in the database (or is all) you could use the following to decide whether or not to display the line above:

if($_POST['search'] != 'all')
{
    echo "<td width=\"30%\" height=\"100\">";
    echo rating_bar($rows['id'],'6','static');
    echo "<a href=\"jadak.php?id={$rows['id']}&na={$rows['na']}&c={$rows['c']}&a={$rows['a']}\">Rate</a>";
    echo "</td>";
}
kvnirvana Posted May 22, 2010 (Author)

I'm not sure where in the code to validate the selected value, isn't that what I'm doing in this part of the code?

//base sql
mysql_connect("localhost", "***", "****") or die(mysql_error());
mysql_select_db("****") or die(mysql_error());
$sql = "select * from behandlere WHERE 1=1";
kvnirvana Posted May 24, 2010 (Author)

Anybody?
Psycho Posted May 24, 2010

I'm not sure where in the code to validate the selected value, isn't that what I'm doing in this part of the code?

//base sql
mysql_connect("localhost", "***", "****") or die(mysql_error());
mysql_select_db("****") or die(mysql_error());
$sql = "select * from behandlere WHERE 1=1";

Huh? That code doesn't do anything. It does a database query for all the fields in the table 'behandlere' and uses a WHERE clause that serves no purpose.

I already provided a solution for your original query, is that solved?

As for the validation, I'm not sure what you are alluding to above, but let me spell it out for you. I "assume" the values for the select list are from the database in the table 'behandlere'. So, the form should do a query to get the values - and only the values. Example:

$query = "SELECT name FROM `behandlere` ORDER BY name";

Then use the results of that query to build the select list options. Then on the processing page you will want to validate that the submitted value is from that list. Otherwise a malicious user can submit values you did not intend. So, you would do a query on the processing page to ensure the posted value is in the database. Rough example:

$search = mysql_real_escape_string($_POST['search']);
$query = "SELECT name FROM `behandlere` WHERE name='$search'";
$result = mysql_query($query);
if(mysql_num_rows($result)!=1)
{
    echo "Invalid search value";
}
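The validation Psycho describes, carried through end to end as an added example (not code from either poster): the approved values come from the database, the posted value is checked against them with a bound parameter, the "Rate" cell is only rendered when a specific (non-'all') value was chosen, and every value echoed into HTML is escaped. It assumes a table `behandlere` with columns id, na, a and c, and uses an in-memory SQLite database with constructed rows so it runs stand-alone.

```php
<?php
// Added example, not the thread's code. Assumes a table `behandlere` with
// columns id, na, a, c; the rows below are constructed so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE behandlere (id INTEGER PRIMARY KEY, na TEXT, a TEXT, c TEXT)");
$db->exec("INSERT INTO behandlere (na, a, c) VALUES ('Anne', 'x', 'fys'), ('Bo', 'y', 'kiro')");

// The approved values for the third dropdown come from the database, never from the request.
function allowed_c_values(PDO $db): array {
    return $db->query("SELECT DISTINCT c FROM behandlere ORDER BY c")->fetchAll(PDO::FETCH_COLUMN);
}

// Returns 'all' (no filter) or the approved value; null means the posted value is not in the list.
function validate_c(?string $posted, PDO $db): ?string {
    if ($posted === null || $posted === '' || $posted === 'all') {
        return 'all';                                 // empty value for "All", as Psycho suggests
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM behandlere WHERE c = ?");
    $stmt->execute([$posted]);                        // bound parameter, nothing interpolated into SQL
    return $stmt->fetchColumn() > 0 ? $posted : null; // unknown value -> reject
}

// The "Rate" cell is only built when a specific value was chosen; the query string is escaped.
function rate_cell(array $row, string $choice): string {
    if ($choice === 'all') {
        return '';
    }
    $qs = http_build_query(['id' => $row['id'], 'na' => $row['na'], 'c' => $row['c'], 'a' => $row['a']]);
    return '<td width="30%" height="100"><a href="jadak.php?' . htmlspecialchars($qs, ENT_QUOTES) . '">Rate</a></td>';
}

// Simulated request (constructed): when run from the CLI the posted value defaults to 'kiro'.
$choice = validate_c($_POST['c'] ?? 'kiro', $db);
if ($choice === null) {
    exit('Invalid search value');                      // forged value not in the dropdown
}
$stmt = $db->prepare($choice === 'all' ? "SELECT * FROM behandlere" : "SELECT * FROM behandlere WHERE c = ?");
$stmt->execute($choice === 'all' ? [] : [$choice]);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo '<tr><td>' . htmlspecialchars($row['a'], ENT_QUOTES) . '</td>' . rate_cell($row, $choice) . "</tr>\n";
}
```

Posting a value such as `kiro' OR 1=1` is rejected by validate_c because the bound parameter compares it literally and no row matches.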