Jump to content

Help with removing ' ' from displaying!!


concrete

Recommended Posts

Hi all,

 

I am new to PHP and MySQL and I am expierencing an issue which i need help with. I am creating a pupil record system for an assignment in Uni. we have been given some sample code and we have to build onto this and finish the system.

 

I have created an add a student page and when the student is added I want to move to the next page and then display the record that has been added (see image below)

 

help.png

 

Also see code below

 

 <?php
print "<H2>Thank you, <i>";
print $_POST['firstname'];
print " ";
print $_POST[ 'surname'];
print "</i> has been sucessfully added to the system.</H2>";
print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>";

function doquery($query) {

$db = "prs";
$link = mysql_connect("localhost","..........","........")
    		or die("Could not connect to server! Error: ".mysql_error());
  		
		mysql_select_db($db,$link)
    		or die("Could not select $db! Error: ".mysql_error());
  	$result = mysql_query($query,$link)
    		or $result = "Query Error!<p>Query: $query<p>Error: ".mysql_error();
  			mysql_close($link);
  return($result);
}
  
  $firstname="'".$_POST['firstname']."'";
  $surname="'".$_POST['surname']."'";
  $address1="'".$_POST['address1']."'";
  $address2="'".$_POST['address2']."'";
  $town="'".$_POST['town']."'";
  $county="'".$_POST['county']."'";
  $postcode="'".$_POST['postcode']."'";
  $phone="'".$_POST['phone']."'";
  $email="'".$_POST['email']."'";
  $class_set="'".$_POST['class_set']."'";
  $query = "SELECT MAX(upn) + 1 as upn FROM students";
  $result = doquery($query); 
  $row = mysql_fetch_array($result);
  
  $upn = $row['upn'];
  	   
  $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, $firstname, $surname, $address1, $address2, $town, $county, $postcode, $phone, $email, $class_set)";
  doquery($query);
  
     echo 
   	"<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\">
  <tr>
    <td colspan=\"2\"><h3>Recorded Added</h3></td>
    </tr>
  <tr>
    <td width=\"150px\" class=\"form_labels\">Student Number</td>
    <td width=\"300px\" class=\"table_data\">".$upn."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">First Name</td>
    <td class=\"table_data\">".$firstname."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Surname</td>
    <td class=\"table_data\">".$surname."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 1</td>
    <td class=\"table_data\">".$address1."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 2</td>
    <td class=\"table_data\">".$address2."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Town</td>
    <td class=\"table_data\">".$town."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">County</td>
    <td class=\"table_data\">".$county."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Postcode</td>
    <td class=\"table_data\">".$postcode."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Phone Number</td>
    <td class=\"table_data\">".$phone."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Email</td>
    <td class=\"table_data\">".$email."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Class</td>
    <td class=\"table_data\">".$class_set."</td>
  </tr>
</table>";
  
?>

Link to comment
Share on other sites

They are displayed because your variables contains them.

 

$firstname="'".$_POST['firstname']."'";
$surname="'".$_POST['surname']."'";
$address1="'".$_POST['address1']."'";

 

Either you could create your variables without quotations and add them in the query string, or you could fetch your newly added record from your database and echo it. The last could also confirm that the correct values were added, because what you echo isn't what you actually added, but what you tried to add.

Link to comment
Share on other sites

Just don't apply the quotes like that.  Aplly the quotes directly in the query string, that way you can echo out the variables and not have to worry about stripping the quotes off to do it.

 <?php
print "<H2>Thank you, <i>";
print $_POST['firstname'];
print " ";
print $_POST[ 'surname'];
print "</i> has been sucessfully added to the system.</H2>";
print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>";

function doquery($query) {

$db = "prs";
$link = mysql_connect("localhost","..........","........")
    		or die("Could not connect to server! Error: ".mysql_error());
  		
		mysql_select_db($db,$link)
    		or die("Could not select $db! Error: ".mysql_error());
  	$result = mysql_query($query,$link)
    		or $result = "Query Error!<p>Query: $query<p>Error: ".mysql_error();
  			mysql_close($link);
  return($result);
}
  
  $firstname= $_POST['firstname'];
  $surname= $_POST['surname'];
  $address1= $_POST['address1'];
  $address2= $_POST['address2'];
  $town= $_POST['town'];
  $county= $_POST['county'];
  $postcode= $_POST['postcode'];
  $phone= $_POST['phone'];
  $email= $_POST['email'];
  $class_set= $_POST['class_set'];
  $query = "SELECT MAX(upn) + 1 as upn FROM students";
  $result = doquery($query); 
  $row = mysql_fetch_array($result);
  
  $upn = $row['upn'];
  	   
  $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, '$firstname', '$surname', '$address1', '$address2', '$town', '$county', '$postcode', '$phone', '$email', '$class_set')";
  doquery($query);
  
     echo 
   	"<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\">
  <tr>
    <td colspan=\"2\"><h3>Recorded Added</h3></td>
    </tr>
  <tr>
    <td width=\"150px\" class=\"form_labels\">Student Number</td>
    <td width=\"300px\" class=\"table_data\">".$upn."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">First Name</td>
    <td class=\"table_data\">".$firstname."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Surname</td>
    <td class=\"table_data\">".$surname."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 1</td>
    <td class=\"table_data\">".$address1."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 2</td>
    <td class=\"table_data\">".$address2."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Town</td>
    <td class=\"table_data\">".$town."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">County</td>
    <td class=\"table_data\">".$county."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Postcode</td>
    <td class=\"table_data\">".$postcode."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Phone Number</td>
    <td class=\"table_data\">".$phone."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Email</td>
    <td class=\"table_data\">".$email."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Class</td>
    <td class=\"table_data\">".$class_set."</td>
  </tr>
</table>";
  
?>

 

You should also make sure that you run some sanatisation on your field values to protect the inforation in your database from attack

Link to comment
Share on other sites

change your doquery function to use an or die(mysql_error()) on the query aswell. I don't think that your current code is going to capture the error properly, and as you are already using or die() for the connection and database, and as you are returning the mysql_error to the screen regardless, it's not much odds.

 

change that over and let us know what comes back, also, could you clear up exactly what the issue is? ;)

Link to comment
Share on other sites

<?php
if ( !empty($_POST) )
{
   print "<H2>Thank you, <i>";
   print $_POST['firstname'];
   print " ";
   print $_POST[ 'surname'];
   print "</i> has been sucessfully added to the system.</H2>";
   print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>";
}

function doquery($query) {
   $db = "prs";
   $link = mysql_connect("localhost","..........","........")
          or die("Could not connect to server! Error: ".mysql_error());
        
         mysql_select_db($db,$link)
          or die("Could not select $db! Error: ".mysql_error());
     $result = mysql_query($query,$link)
          or die("Query Error!<p>Query: $query<p>Error: ".mysql_error());
           mysql_close($link);
  return($result);
}
/* Sanitize data for mysql query using mysql_real_escape_string */
function clean($data)
{
   $db = "prs";
   $link = mysql_connect("localhost","..........","........")
          or die("Could not connect to server! Error: ".mysql_error());
        
         mysql_select_db($db,$link)
          or die("Could not select $db! Error: ".mysql_error());
   if ( is_array($data) )
   {
      $data = array_map('mysql_real_escape_string', $data);
      return $data;
   }
   return mysql_real_escape_string($data);
}
  /* extract firstname, surname, address1, address2, town, county, postcode, phone, email, class_set */
  $data   = clean($_POST); // sanitize postdata for query
  extract($data, EXTR_SKIP); // extract postdata to variable with names ${array_key} i.e. $firstname
  $query = "SELECT MAX(upn) + 1 as upn FROM students";
  $result = doquery($query);
  // we only use the associative array keys so don't fetch numeric indexes
  $row = mysql_fetch_assoc($result);
  
  $upn = $row['upn'];
        
  $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, '$firstname', '$surname', '$address1', '$address2', '$town', '$county', '$postcode', '$phone', '$email', '$class_set')";
  doquery($query);
  
     echo 
      "<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\">
  <tr>
    <td colspan=\"2\"><h3>Recorded Added</h3></td>
    </tr>
  <tr>
    <td width=\"150px\" class=\"form_labels\">Student Number</td>
    <td width=\"300px\" class=\"table_data\">". stripslashes(htmlentities($upn, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">First Name</td>
    <td class=\"table_data\">". stripslashes(htmlentities($firstname, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Surname</td>
    <td class=\"table_data\">". stripslashes(htmlentities($surname, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 1</td>
    <td class=\"table_data\">". stripslashes(htmlentities($address1, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Address 2</td>
    <td class=\"table_data\">". stripslashes(htmlentities($address2, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Town</td>
    <td class=\"table_data\">". stripslashes(htmlentities($town, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">County</td>
    <td class=\"table_data\">". stripslashes(htmlentities($county, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Postcode</td>
    <td class=\"table_data\">". stripslashes(htmlentities($postcode, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Phone Number</td>
    <td class=\"table_data\">". stripslashes(htmlentities($phone, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Email</td>
    <td class=\"table_data\">". stripslashes(htmlentities($email, ENT_QUOTES)) ."</td>
  </tr>
  <tr>
    <td class=\"form_labels\">Class</td>
    <td class=\"table_data\">". stripslashes(htmlentities($class_set, ENT_QUOTES)) ."</td>
  </tr>
</table>";
  // use stripslashes to escape backslashes added from htmlentities
  /// use htmlentities to escape html entities (surprise, surprise lol) and prevent cross-site-scripting 
?>

 

empty

array_map

mysql_real_escape_string

mysql_fetch_assoc

extract

stripslashes

htmlentities

 

Cross Site Scripting (XSS)

 

have a read.

 

 

P.S. I know I shouldn't be doing his homework, but I tried to make it easy for him to understand, so don't start bitching.

Link to comment
Share on other sites

You should NOT be opening and closing your database connection inside of your functions. It takes a relatively long time to open a database connection. On any page that needs a database connection, you need to open the connection once in your main program scope and leave it open until you no longer need it or more simply let php close it when the script on the page ends. If code inside your function(s) needs a specific database connection, you need to pass the connection link resource into the function as a call time parameter (so that you could, if needed, use multiple different database connections.)

Link to comment
Share on other sites

You should NOT be opening and closing your database connection inside of your functions. It takes a relatively long time to open a database connection. On any page that needs a database connection, you need to open the connection once in your main program scope and leave it open until you no longer need it or more simply let php close it when the script on the page ends. If code inside your function(s) needs a specific database connection, you need to pass the connection link resource into the function as a call time parameter (so that you could, if needed, use multiple different database connections.)

 

 

Wouldn't have done it that way myself, was just conforming to his programming style, don't even know if it was necessary to be honest, as it would use the last opened connection, and, although it was opened in a different scope, I don't think that would have mattered since I didn't pass the resource to mysql_real_escape would it?

 

 

Although I suppose if he sanitized data before calling doquery, it would be.

 

Also, if I wanted to be pedantic, I would have said to use echo instead of print as it's supposedly marginally faster due to the fact that it outputs an error on failure, whereas echo doesn't and I've never seen either one fail in 6 years of programming.

Link to comment
Share on other sites

Thanks everyone for all your help!

 

Cheers Andy-H, thanks for all you help but, my tutor gave us part of this script and we have to stick to that. I would love to insert your code but I would be dock marks for doing so.

 

I figured out my error and all is good in my world until i hit the next php wall!

 

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.