No Escape!

[rocky48]

I did not quite know how to label this post hence the unusual title.

 

I am trying to modify some code that I have written to save the choosen line that is output from an SQL query, using SESSION to make it available in a later script.

To achieve this I have started a form with a radio button inside the while loop that outputs the query items that meet the criteria set by a form in the previous script.

Before I modified this script it worked albeit without the choice coding.

When I submit the choices on the previous script the query is run and it ouputs the results as a table, with an extra column which contains a radio button.  I have for test purposes output the value of the variable to check that the variable is storing the value correctly.  When I choose a line that the query has output and clcked on the submit button it seems to be causing the code to think it has not got an Event set and displays the error message "You have selected an invalid Event.
Please try again.", on line 21 which is part of the code I wrote to make sure that an Event has been choosen, instead of proceeding on to the next script.

 

Here is the complete script:

<?php
session_start();

include("cverse_connect.php");
doDB();

//check for required info from the query string


//verify the Event exists
$verify_Event_sql = "SELECT ID, Event_Type FROM Events WHERE ID = '".$_POST["Event_Type"]."'";
$verify_Event_res =  mysqli_query($mysqli, $verify_Event_sql) or die(mysqli_error($mysqli));



echo  $_POST["Event_Type"];
echo  $_POST["Mood"];

if (mysqli_num_rows($verify_Event_res) < 1) {
	//this Event does not exist
	$display_block = "<p><em>You have selected an invalid Event.<br/>
	Please try again.</em></p>";

} else {
//get the Event ID
	while ($Event_info = mysqli_fetch_array($verify_Event_res)) {
		$Event_ID = stripslashes($Event_info['ID']);
		$Event_Name = ($Event_info['Event_Type']);
	}

$verify_Mood_sql = "SELECT ID, Event_Sub_Type FROM Event_Sub WHERE ID = '".$_POST["Mood"]."'";
$verify_Mood_res =  mysqli_query($mysqli, $verify_Mood_sql) or die(mysqli_error($mysqli));

if (mysqli_num_rows($verify_Mood_res) < 1) {
	//this Event does not exist
	$display_block = "<p><em>You have selected an invalid Mood.<br/>
	Please try again.</em></p>";
}

	while($Mood_info = mysqli_fetch_array($verify_Mood_res)) {
		$Mood_ID = ($Mood_info['ID']);
		$Mood_Name = ($Mood_info['Event_Sub_Type']);
	}
	//gather the Events
	$get_Event_sql  = "SELECT Verses.ID AS versesID, Verses.Verse, Verses.Sub_Type, Verses.Event, Events.ID AS eventsID, Events.Event_Type, Event_Sub.ID AS event_SubID, Event_Sub.Event_Sub_Type
	FROM Verses
	LEFT JOIN Events
	ON Verses.Event = Events.ID
	LEFT JOIN Event_Sub
	ON Verses.Sub_Type = Event_Sub.ID
	WHERE Verses.Event = '".$_POST["Event_Type"]."' And Verses.Sub_Type = '".$_POST["Mood"]."'
	ORDER BY Verses.ID ASC";


	$get_Event_res = mysqli_query($mysqli, $get_Event_sql) or die(mysqli_error($mysqli));

	//create the display string
	$display_block .= "
<table width=\"70%\" cellpadding=\"3\" cellspacing=\"1\" border=\"1\" BGCOLOR=\"#87CEEB\" >
	<tr>
	<th>ID</th>
	<th>VERSE</th>
	<th>MOOD/SUB TYPE</th>
	</tr>";	

	while ($Verse_info = mysqli_fetch_array($get_Event_res)) {
		$Verse_id = $Verse_info['versesID'];
		$Verse_text = nl2br(stripslashes($Verse_info['Verse']));
		$Mood_info = $Verse_info['Event_Sub_Type'];
		$VID = $Verse_id;
		//add to display
$display_block .= "
<tr>
<td width=\"1%\" valign=\"top\">".$Verse_id."<br/></td>
<td width=\"55%\" valign=\"top\">".$Verse_text."<br/></td>
<td width=\"35%\" valign=\"top\">" .$Mood_info."<br/></td>
<td width=\"35%\" valign=\"top\">
<form .method=.\"POST\" .action=\"VInput1.php\">
<input type=\"Radio\" value=\"$VID\">
$VID
</td></tr>";
}
$display_block.="<input type=submit value=Choose Verse>";
	//free results
	mysqli_free_result($get_Event_res);
	mysqli_free_result($verify_Event_res);	
//close connection to MySQL
	mysqli_close($mysqli);
	
//close up the table
$display_block .= "</table>";	
}
$_session['Test']=$_POST[$VID]
?>
<html>
<head>
<title> List of Verses</title>
<meta charset="utf-8">
    <meta name="Description" content="Ecologic Theme">
    <meta name="author" content="CoffeeCup Software, Inc.">
    <meta name="Copyright" content="Copyright (c) 2011 CoffeeCup, all rights reserved.">
    <title>1066 Cards 4U - Home</title>
    <link rel="stylesheet" href="stylesheets/default.css" />
    <!--[if IE]>
    <script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
    <![endif]-->
</head>
<body>
 <header>
        <h1><a href="index.html"> ..............</a></h1></br></br></br></br>
		<div><img src="images/1066Green.jpg" width="600" height="80" alt="" title="" border="0" /></div>
        
    </header>
<section id="mainContent" class="clear">
        <nav>
            <h3>Main Menu</h3>
            <ul>
                <li><a href="index.html">Home</a></li>
                <li><a href="Links.html">Links</a></li>
                <li><a href="Techniques.html">Techniques</a></li>
				<li><a href="Alt_inputform.html">Verse's</a></li>				
                <li><a href="contact.html">Contact Us</a></li>
				<li><a href="News.html">News</a></li>
				<li><a href="Gallery.html">Gallery</a></li>
            </ul>
        </nav>
<section id="mainRight2">		
<h1>Verses</h1>

<?php echo $display_block; ?>
</section>
<footer>
        <p>© 2011 Ecologic, Inc. All rights reserved.    <a href="http://coffeecup.com">HTML Editor Theme</a> by CoffeeCup Software.</br> © 2012 Content:1066 Cards 4U. All rights reserved.   </p>
		<ul>
            <li><a href="index.html">Home</a></li>
            <li><a href="Links.html">Links</a></li>
            <li><a href="Techniques.html">Techniques</a></li>
			<li><a href="Alt_inputform.html">Verse's</a></li>				
            <li><a href="contact.html">Contact Us</a></li>
			<li><a href="News.html">News</a></li>
			<li><a href="Gallery.html">Gallery</a></li>
        </ul>
    </footer>
</body>
</html>

Can anybody see why it is doing this?

 

[mac_gyver]

best i can tell, your form doesn't have a field with the name="Event_Type" and you also have some extra dots . among the method and action attributes in the <form > tag.

[rocky48]

Hi

 

But Event_Type is only required to satisfy the SQL query, it is nothing to do with the form which is dealing with the OUTPUT from the query.

I am not too sure about the periods as somebody in a previous post suggested them.  I will remove them!

[ginerjm]

Your script runs very straight-forward right thru a query to verify that your selected event type exists.  Well, you don't have any <input> tag in your html with that name, so this query will not return any rows.  Hence  your message when you check the row count.

 

As for you prev statement that Event_type has nothing to do with the form, if so, why do you refer to it as part of the $_POST array??

 

It's always a good idea to validate all incoming data before proceeding on with the work at hand.  In this case you are not.

[rocky48]

I am afraid it does not work like that!

The POSTed Event_Type and Mood_Type are POSTed on the previous script and are part of the SQL query, which runs first.  This then outputs the result as a table.  I don't understand why you are saying 'you don't have any <input> tag in your html with that name'?

 

Any way that is history now as the problem was the periods in front of method and action.

 

I have another problem now!

 

When I choose one of the lines in the table and submit using POST then create a SESSION called Test, which saves the result of the POST into the SESSION and proceed to the next script nothing is printed on the screen.

 

Here is the small script I am using to test the output:

<?
session_start();
echo $_SESSION[Test];
echo $_POST[$VID];
?>

Any ideas why I am not getting the data stored in SESSION?

[ginerjm]

Try putting quotes around your indices.

 

You should also learn to use single quotes so you don't have to keep escaping double quotes in double-quoted strings.   Less typing, less errors perhaps.

[kicken]

Any ideas why I am not getting the data stored in SESSION?

 

$_session['Test']=$_POST[$VID]

 

Variables are case sensitive. $_session is not the same as $_SESSION (which is the proper name)