enil14someone Posted February 10, 2014

sooo... I'm creating an inventory system (for my project) right now and one of its features is to determine the sales. Problem is, '$item' seems to change in my code whenever the data has an operand or something (like the word 'c++'). It works if it's just letters and numbers but it won't work whenever there's a "+" or any other operand. I think maybe it's the way I coded my HTML but maybe it's also how I used $_REQUEST. I tried looking at it again and again but I can't seem to see the problem. Help pls. Thank you! Oh, btw, here's:

the one that displays the items (inventory):

    <?php
    echo "<h1 align = center >Ceejay Merchandising Inventory</h1>";
    // search link row (the original left this table unclosed, which nests the
    // inventory table inside it; the closing tag is added here)
    echo "<table border = '0' width = '80%' align = 'center'>
          <tr><td align = right><a style = 'text-decoration: none' href = 'search.php' >[Search]</a></td></tr>
          </table>";
    echo "<table border = '1px' width = '80%' align = center >
          <tr align = center><th>Item</th><th>Qty</th><th>Barcode</th><th>Price</th></tr>";

    mysql_connect("localhost", "root", "group8");
    mysql_select_db("testsite");

    // pagination: 10 items per page, page number taken from the URL
    $per_page = 10;
    $pages_query = mysql_query("SELECT COUNT(*) FROM items");
    $pages = ceil(mysql_result($pages_query, 0) / $per_page);
    $page = (isset($_REQUEST['page'])) ? (int)$_REQUEST['page'] : 1;
    $start = ($page - 1) * $per_page;

    $query = mysql_query("SELECT * FROM items ORDER BY Item LIMIT $start, $per_page ");
    echo "<br />";
    while($row = mysql_fetch_assoc($query)){
        $item = $row['Item'];
        $qty = $row['Qty'];
        $barcode = $row['Barcode'];
        $price = $row['Price'];
        // $item is placed in the link's query string as-is (this is the line the replies discuss)
        echo "<tr><td width = '50%' > <a href = 'update_sales.php?item=$item&qty=$qty&bc=$barcode&price=$price'>$item</a></td>
              <td width = '5%' align = center>$qty</td>
              <td align = center>$barcode</td><td align = center>Php $price</td></tr>";
    }
    echo "</table>";

    // Prev / page numbers / Next links
    $prev = $page - 1;
    $next = $page + 1;
    echo "<br /><center>";
    if($prev != 0 ){
        echo "<a href = 'items.php?page=$prev'>Prev</a> ";
    }
    if($pages >= 1 ){
        for($x = 1; $x <= $pages; $x++){
            echo ($x == $page) ? "<b><a href = '?page=".$x."'>".$x."</a></b> " : "<a href = '?page=".$x."'>".$x."</a> " ;
        }
    }
    if($page < $pages){
        echo "<a href = 'items.php?page=$next'>Next</a> ";
    }
    echo "</center>";
    mysql_close();
    ?>

gets information for sales:

    <html>
    <head>
    <title>Update Sales</title>
    </head>
    <body>
    <form method = "post" action = "update_sales01.php">
    Item: <?php echo $_REQUEST['item']; ?><br />
    Qty: <input type = "text" name = "qty"><br />
    Barcode: <?php echo $_REQUEST['bc']; ?><br />
    Price: <?php echo $_REQUEST['price']; ?><br />
    <input type = "submit" name = "submit" value = "Update">
    <input type = "hidden" name = "item" value = "<?php echo $_REQUEST['item']; ?>" >
    </form>
    </body>
    </html>

and updates my sales in phpmyadmin:

    <?php
    mysql_connect("localhost", "root", "group8");
    mysql_select_db("testsite");

    $num_qty = $_REQUEST['qty'];
    // look the item up by the name that came from the form
    $query = mysql_query("SELECT * FROM items WHERE Item = '".$_REQUEST['item']."' ");
    while($row = mysql_fetch_assoc($query)){
        $item = $row['Item'];
        $oldqty = $row['Qty'];
        $price = $row['Price'];
    }

    if($num_qty < $oldqty){
        // record the sale and reduce the stored quantity
        $qty = $oldqty - $num_qty;
        $total = $num_qty * $price;
        mysql_query("INSERT INTO `sales`(`Date`, `Item`, `Qty`, `Item Cost`, `total`)
                     VALUES( CURDATE(), '$item', '$num_qty', '$price', '$total')");
        mysql_query("UPDATE items SET Qty = '$qty' WHERE Item = '$item' ");
        echo "<p style = 'color:red'>Updated!</p>";
        include("items.php");
    }else{
        echo "<p style = 'color: red'>Not enough $item =".$item."</p>";
        include("update_sales.php");
    }
    ?>

any help is appreciated! thank you! ^^
jazzman1 Posted February 10, 2014

Some actual error messages would help. What debugging steps have you taken so far, because I see many places that could go wrong. Start with PHP error_reporting and mysql_error functions.
Psycho Posted February 10, 2014 (edited)

The problem is probably that you are using $item as a parameter within a URL here:

    echo "<tr><td width = '50%' > <a href = 'update_sales.php?item=$item&qty=$qty&bc=$barcode&price=$price'>$item</a></td>
          <td width = '5%' align = center>$qty</td>
          <td align = center>$barcode</td><td align = center>Php $price</td></tr>";

Some characters have special meaning when used within the URL - unless you properly escape them using urlencode(). Always think about where you are using data and how it may need to be escaped. You aren't even escaping the user submitted data before using them in a query! That's just asking for someone to mess with your database with SQL Injection.
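Added example (editor's addition, not Psycho's or the original poster's code) showing the two fixes the reply above asks for applied to the thread's own items/sales flow: the item link escaped for the URL and for HTML, and the look-up and update done with prepared statements instead of string-built SQL. It assumes a PDO connection `$pdo` to the same MySQL database; the table and column names (`items`, `Item`, `Qty`, `Barcode`, `Price`, `sales`) are the ones from the thread.

```php
<?php
// Assumption: $pdo is a PDO connection to the 'testsite' MySQL database,
// created with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION.

/** Build the inventory-table link for one item row (items.php). */
function itemLink(array $row): string
{
    // http_build_query() urlencodes every value, so 'C++' travels as 'C%2B%2B'
    // and is read back from $_GET as 'C++' instead of being decoded as spaces.
    $query = http_build_query([
        'item'  => $row['Item'],
        'qty'   => $row['Qty'],
        'bc'    => $row['Barcode'],
        'price' => $row['Price'],
    ]);
    // The URL then goes into an HTML attribute, and the name into HTML text:
    // that is a second context with its own escaping (htmlspecialchars).
    $href = htmlspecialchars('update_sales.php?' . $query, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($row['Item'], ENT_QUOTES, 'UTF-8');
    return "<a href='$href'>$text</a>";
}

/** Look up one item by name; the value never becomes part of the SQL text. */
function findItem(PDO $pdo, string $itemName): ?array
{
    $stmt = $pdo->prepare('SELECT Item, Qty, Price FROM items WHERE Item = :item');
    $stmt->execute([':item' => $itemName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Record a sale of $numQty units (update_sales01.php); false if not possible. */
function recordSale(PDO $pdo, string $itemName, int $numQty): bool
{
    if ($numQty < 1) {
        return false;
    }
    $row = findItem($pdo, $itemName);
    if ($row === null || $numQty > (int) $row['Qty']) {
        return false;
    }
    $total = $numQty * $row['Price'];

    $pdo->beginTransaction();
    $ins = $pdo->prepare(
        'INSERT INTO sales (`Date`, `Item`, `Qty`, `Item Cost`, `total`)
         VALUES (CURDATE(), :item, :qty, :price, :total)'
    );
    $ins->execute([
        ':item'  => $row['Item'],
        ':qty'   => $numQty,
        ':price' => $row['Price'],
        ':total' => $total,
    ]);
    // Subtract in SQL, guarded by the stock check, so two concurrent sales
    // cannot both read the old quantity and write a stale value back.
    $upd = $pdo->prepare(
        'UPDATE items SET Qty = Qty - :qty WHERE Item = :item AND Qty >= :needed'
    );
    $upd->execute([':qty' => $numQty, ':item' => $row['Item'], ':needed' => $numQty]);
    if ($upd->rowCount() !== 1) {
        $pdo->rollBack();   // stock changed under us: discard the sales row too
        return false;
    }
    $pdo->commit();
    return true;
}

// Usage (in items.php, inside the while loop over the result rows):
//     echo '<tr><td>' . itemLink($row) . '</td> ... </tr>';
// Usage (in update_sales01.php, handling the posted form):
//     $ok = recordSale($pdo, (string) $_POST['item'], (int) $_POST['qty']);
```

The escaping is done at the point of use, once per context: `http_build_query()` for the query string, `htmlspecialchars()` for the HTML, and bound parameters for SQL. Nothing is escaped "in advance" when the value is read from the request, because the right escaping depends on where the value ends up.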
enil14someone Posted February 10, 2014 (edited)

@psycho: erm... I don't get what you mean by escaping (sorry. I'm quite new to this o__o ).

@jazzman1: not sure how to explain it... err, it doesn't work when there's some kind of 'symbol' in the data. For ex. in my HTML code, the program reads the $item as 'C++' (data type is varchar in phpmyadmin ) but when it tries to get the information for the sales, $item turns to 'C' (the '++' are gone). In my code, mysql_query uses $item (which is c++ in the database but sadly became c in the code) to get its other information (such as its qty, price, etc...). Since the word 'C++' turned to 'C' in my code (my database doesn't have an item named 'C' ), when I used mysql_query("SELECT * FROM items WHERE Item = '$item' "); mysql_query won't give anything since there is no such data (it would work if it was 'C++' but like I said, '+' gets omitted so it's now 'C' D: ) and all my other variables will be undefined for some reason which I don't know. (Sorry if I can't give the exact errors... I'm using a different computer. I'll probably edit this later.) I think what psycho said might be the reason but I don't get what you meant by properly escaping them. I'm really sorry @__@.
mac_gyver Posted February 10, 2014

here's a simple fix. when manipulating existing data, you should be referencing it by its id, an autoincrement index in your defining (product) table. there's no need to pass anything else around in the url and in fact you seem to be passing several of the stored fields in the url. that's just redundant information that is not needed.

as to your actual inventory data storage, you should not keep just a quantity. it's too easy to have a double posted value mess it up, then you have no record of what went into making up the current quantity. you need to treat your inventory as a credit/debit account, just like your bank checking account, with one row for every 'transaction'. you then sum up the + and - amounts to come up with the current inventory for any or all item ids in the inventory table.
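Added example (editor's addition, not mac_gyver's code) of the credit/debit inventory model described above, run against an in-memory SQLite database through PDO so it works stand-alone. Items are referenced by their integer id everywhere, one row is written per stock movement, and the current quantity is only ever derived with SUM. The table names `items` and `inventory_tx` and the sample data are constructed for the example.

```php
<?php
// Constructed example: a transaction ledger for inventory, on SQLite in memory.

function openLedger(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per product; the id is what gets passed around in URLs and forms.
    $pdo->exec('CREATE TABLE items (
        id    INTEGER PRIMARY KEY AUTOINCREMENT,
        name  TEXT NOT NULL UNIQUE,
        price REAL NOT NULL)');
    // One row per movement: positive qty = stock received, negative = stock sold.
    $pdo->exec('CREATE TABLE inventory_tx (
        id         INTEGER PRIMARY KEY AUTOINCREMENT,
        item_id    INTEGER NOT NULL REFERENCES items(id),
        qty        INTEGER NOT NULL,
        note       TEXT,
        created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP)');
    return $pdo;
}

function addItem(PDO $pdo, string $name, float $price): int
{
    $stmt = $pdo->prepare('INSERT INTO items (name, price) VALUES (:name, :price)');
    $stmt->execute([':name' => $name, ':price' => $price]);
    return (int) $pdo->lastInsertId();
}

/** Post one movement. The running quantity is never stored, only derived. */
function postTransaction(PDO $pdo, int $itemId, int $qty, string $note): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO inventory_tx (item_id, qty, note) VALUES (:id, :qty, :note)'
    );
    $stmt->execute([':id' => $itemId, ':qty' => $qty, ':note' => $note]);
}

/** Current stock for an item = sum of all its movements. */
function currentStock(PDO $pdo, int $itemId): int
{
    $stmt = $pdo->prepare(
        'SELECT COALESCE(SUM(qty), 0) FROM inventory_tx WHERE item_id = :id'
    );
    $stmt->execute([':id' => $itemId]);
    return (int) $stmt->fetchColumn();
}

/** Sell $qty units only if the ledger shows enough stock; true on success. */
function sell(PDO $pdo, int $itemId, int $qty): bool
{
    $pdo->beginTransaction();           // check and post happen as one unit
    if ($qty < 1 || currentStock($pdo, $itemId) < $qty) {
        $pdo->rollBack();
        return false;
    }
    postTransaction($pdo, $itemId, -$qty, 'sale');
    $pdo->commit();
    return true;
}

/** Audit trail for one item: every row that made up the current quantity. */
function history(PDO $pdo, int $itemId): array
{
    $stmt = $pdo->prepare(
        'SELECT created_at, qty, note FROM inventory_tx WHERE item_id = :id ORDER BY id'
    );
    $stmt->execute([':id' => $itemId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data. The name 'C++' is harmless here: only the id travels.
$pdo = openLedger();
$cpp = addItem($pdo, 'C++', 350.00);
postTransaction($pdo, $cpp, 20, 'initial stock');
postTransaction($pdo, $cpp, 5, 'restock');
sell($pdo, $cpp, 8);
sell($pdo, $cpp, 100);                       // refused: ledger shows too little stock
echo "stock for item $cpp: " . currentStock($pdo, $cpp) . "\n";
foreach (history($pdo, $cpp) as $tx) {
    printf("%s %+d %s\n", $tx['created_at'], $tx['qty'], $tx['note']);
}
```

With the sample movements the ledger ends at 20 + 5 - 8 = 17, and the refused sale leaves no row behind. If a sale is ever posted twice by mistake, the duplicate is visible in the history and can be reversed with a compensating row, which a single stored quantity cannot offer.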
Psycho Posted February 11, 2014

"@psycho: erm... I don't get what you mean by escaping (sorry. I'm quite new to this o__o )."

OK, let's take a simple example. You obviously know enough to put a page together. So, as you should know, certain characters or groups of characters can have special meaning and will be 'processed'. For example, here is a simple piece of HTML:

    This is <b>bold</b> text

I assume you know that the result of that would be "This is bold text". Ok, so let's take some HTML with dynamic content in it:

    Name: <?php echo $name; ?>

That would result in a custom output based upon the value of name. If name is "Psycho" the output would be "Name: Psycho". But, let's say the value of $name is "<b>Psycho</b>". That would still output "Name: Psycho". But, by allowing that 'code' to exist in the user's name they can modify the output of the page. That's pretty benign. But, users could add JavaScript to their username (or other data) leading to vulnerabilities to your site. You can still allow users to add those characters to their name, but you should escape them so the browser doesn't interpret the content as code. In this case you want to escape the data for output in HTML, so you could use htmlspecialchars(). E.g.

    Name: <?php echo htmlspecialchars($name); ?>

That will convert the carets (i.e. <>) to &lt; and &gt;. The browser will then interpret those as the <> characters and print them to the page rather than interpreting them as code. Just about every way you can use data (HTML, JavaScript, PHP, file writing/reading, etc.) has ways to escape characters so they do not perform some special function that they have.

Now, specific to your problem. URLs have many special characters such as ?, &, +, etc. Go to Google and do a search for "PHP Freaks". You will see that the URL contains search?q=php+freaks. Since you can't have spaces in a URL, a plus sign is used to concatenate all the values of the query. But, what if you wanted to search for something with a plus sign in it? You will need to escape the value so it will be interpreted as the literal plus symbol and not the special concatenation symbol. In PHP you would do that with urlencode(). When using that, plus symbols are converted to "%2B" - which will be treated as a literal plus symbol character.

But, as mac_gyver already stated you should not be passing string names on the URL to do a look-up. Use the ID from the database.
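Added example (editor's addition, not Psycho's code) that makes the two escaping rules above observable: it uses parse_str(), which applies the same decoding PHP uses to fill $_GET, to show what arrives when 'C++' is sent on the URL raw versus through urlencode(), and it shows what htmlspecialchars() does to a name carrying markup. Inputs are constructed for the example.

```php
<?php
// Constructed example: URL decoding and HTML escaping side by side.

/** Send a value on the query string unescaped and read it back as PHP would. */
function roundTripRaw(string $value): string
{
    parse_str('item=' . $value, $out);   // '+' is decoded as a space here
    return $out['item'];
}

/** Same round trip, with the value escaped by urlencode() first. */
function roundTripEncoded(string $value): string
{
    parse_str('item=' . urlencode($value), $out);   // '%2B' decodes back to '+'
    return $out['item'];
}

/** Escape a value for HTML output so markup in it is shown, not interpreted. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 1. The thread's own case: an item called 'C++'.
$item = 'C++';
printf("raw on the URL:  item=%s -> read back as '%s'\n", $item, roundTripRaw($item));
printf("urlencode():     item=%s -> read back as '%s'\n", urlencode($item), roundTripEncoded($item));

// 2. The Google example: spaces become '+' on the query string.
printf("urlencode('PHP Freaks') = %s\n", urlencode('PHP Freaks'));

// 3. The HTML case: a name that contains markup.
$name = '<b>Psycho</b>';
printf("raw name:     %s\n", $name);
printf("escaped name: %s\n", forHtml($name));
```

Run this and the first line shows why the poster saw "C": sent raw, `item=C++` is read back as `C` followed by two spaces, which the browser collapses to nothing when it renders the page, while the encoded form `C%2B%2B` comes back as `C++` unchanged. The last two lines show that the escaped name is a string of literal `&lt;b&gt;...&lt;/b&gt;` entities, which the browser prints as the characters rather than treating as a tag.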