I-AM-OBODO Posted December 13, 2016

Hi guys, how can I process the value of a search result? This is what I've tried so far:

//search result page
if(isset($_POST['submit'])){
    $_SESSION['from'] = $_POST['from'];
    $_SESSION['to'] = $_POST['to'];
    $sql = ("SELECT * FROM $tbl_name WHERE date_order BETWEEN '$_SESSION[from]' AND '$_SESSION[to]'");
    //$stmt = $pdo->prepare("SELECT * FROM ca_processed");
    $stmt=$pdo->query($sql);
    $stmt->execute();
    $num_rows = $stmt->rowCount();
    #print "<p>$num_rows Record(s) Found.</p>";
    if($stmt->rowCount() < 1){
        echo '<div class="alert alert-warning text-center">NO RECORD FOUND</div>';
    }else{
        print "<p>$num_rows Record(s) Found.</p>";
        <form action="ReconcileAccounts" method="post">
        <table width="100%" class='table-responsive table-condensed table-striped'>
        <tr>
        <td bgcolor="#444444"><font color='#fff'></font></td>
        <td bgcolor="#444444"><font color='#fff'><strong>#</strong></font></td>
        <td bgcolor="#444444"><font color='#fff'>Trans Ref</font></td>
        <td bgcolor="#444444"><font color='#fff'>Service Provider</font></td>
        <td bgcolor="#444444"><font color='#fff'>Service Type</font></td>
        <td bgcolor="#444444"><font color='#fff'><strong>($) Amount</strong></font></td>
        <td bgcolor="#444444"><font color='#fff'><strong>Date Paid</strong></font></td>
        <td bgcolor="#444444"><font color='#fff'><strong>Reconcile Status</strong></font></td>
        </tr>
        <?php
        $i = 1;
        while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
            $trans_ref = $row['trans_ref'];
            $service_provider = $row['service_provider'];
            $service_type = $row['service_type'];
            $amount_paid = number_format($row['amount_paid'],2);
            $date_paid = $row['date_paid'];
            $reconcile_status = $row['reconcile_status'];
            if($reconcile_status == 0){
                $reconcile_status = "<strong>NOT RECONCILED</strong>";
            }elseif($reconcile_status == 1){
                $reconcile_status = "<strong>RECONCILED</strong>";
            }
            $reconcile_info = [
                'trans_ref' => $trans_ref,
                'service_provider' => $service_provider,
                'service_type' => $service_type,
                'amount_paid' => $amount_paid,
                'date_paid' => $date_paid,
                'reconcile_status' => $reconcile_status
            ];
            $_SESSION['reconcile_info'] = $reconcile_info;
        ?>
        <tr>
        <td align="center"><input name="check_list[]" type="checkbox" value="<?php echo $row['id']; ?>" ></td>
        <td><?php echo $i++; ?></td>
        <td><?php echo $trans_ref; ?></td>
        <td><?php echo $service_provider; ?></td>
        <td><?php echo $service_type; ?></td>
        <td><?php echo $amount_paid; ?></td>
        <td><?php echo $date_paid; ?></td>
        <td><?php echo $reconcile_status; ?></td>
        </tr>
        <?php } ?>
        </table>
        <input name="reconcile" type="submit" class="btn btn-primary btn-margin" id="reconciled" value="RECONCILE SELECTED">
        </form>
    }
}

//ReconcileAccounts
$tbl_name="xbp_paid_bills"; //your table name
$tbl_name2="xbp_registration_info";
if(isset($_POST['reconcile'])){
    if(!empty($_POST['check_list'])){
        foreach($_POST['check_list'] as $selected){
            $stmt = $pdo->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_WARNING );
            $stmt = $pdo->prepare("UPDATE xbp_paid_bills SET reconcile_status =1 WHERE trans_id='$selected'");
            $stmt->execute();
            $count = $stmt->rowCount();
        }
        if($count){
            echo "<div class='bg-success alert alert-success text-center'>RECORD(S) RECONCILED</div>";
            $url = "ReconcileAccount";
            echo '<meta http-equiv="refresh" content="3;URL=' . $url . '">';
        }else{
            echo "<div class='bg-warning alert alert-warning text-center'>A PROBLEM OCCURED WHILE RECONCILING RECORD</div>";
            echo "<br>";
            print_r($stmt->errorInfo());
        }
    }
}

Thanks
NotionCommotion Posted December 13, 2016

Good job attempting to use PDO and prepared statements, but you are not doing them correctly. Until you totally know what you are doing, NEVER use anything except a prepared statement. For instance, don't use $stmt=$pdo->query($sql);, but use $stmt=$pdo->prepare($sql);.

Next, never directly add a variable into your SQL statement. If you 100% knew it was safe, maybe, but for now, NEVER. Your SQL statement should look like one of the following:

$tbl_name='your_table_name';
$sql = "SELECT * FROM $tbl_name WHERE date_order BETWEEN ? AND ?";
// or
$sql = "SELECT * FROM $tbl_name WHERE date_order BETWEEN :to AND :from";

Okay, I earlier said never insert a variable into your SQL, but doing so with $tbl_name is okay (if you really need to) because you 100% know it is safe. Never, however, put them in your WHERE statement even if you know they are safe until you really know what you are doing. Also, the to and from in your BETWEEN statement don't make any sense.

Finally, you insert your variables into the prepared statement using:

$stmt=$pdo->prepare($sql);
$stmt->execute([$_POST['to'],$_POST['from']]); //If using ? as placeholders
// or
$stmt->execute(['to'=>$_POST['to'],'from'=>$_POST['from']]); //If using :to or :from as placeholders

Update your script, and then give a better description of what you mean by "process the values".
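Here is one way to write the search query along the lines NotionCommotion describes, as an added example that is not code from the original post or from either poster: both dates travel as bound parameters, each date is validated as a real YYYY-MM-DD value before the query runs, and the values are escaped again on output. It assumes a PDO connection already exists in $pdo; validDate() and searchByDateRange() are hypothetical helper names, and the table and column names are the ones used in the thread.

```php
<?php
// Added example, not the OP's code. Assumes $pdo is an open PDO connection.
declare(strict_types=1);

/**
 * Strict YYYY-MM-DD check. createFromFormat() alone accepts '2016-02-31'
 * (it rolls over to March), so the round trip through format() is required.
 */
function validDate(string $s): bool
{
    $d = DateTime::createFromFormat('Y-m-d', $s);
    return $d !== false && $d->format('Y-m-d') === $s;
}

/**
 * Rows whose date_order falls in [$from, $to].
 * $tblName is an application-chosen identifier checked against a whitelist;
 * identifiers cannot be bound as parameters, so this is the only safe way
 * to make a table name variable.
 */
function searchByDateRange(PDO $pdo, string $tblName, string $from, string $to): array
{
    if (!validDate($from) || !validDate($to) || $from > $to) {
        throw new InvalidArgumentException('from/to must be YYYY-MM-DD with from <= to');
    }
    $allowed = ['xbp_paid_bills' => true];          // hypothetical whitelist
    if (!isset($allowed[$tblName])) {
        throw new InvalidArgumentException('unknown table');
    }

    // Named placeholders: a value such as "2016-01-01' OR '1'='1" is sent
    // to the server as data and can never alter the statement.
    $sql  = "SELECT * FROM `$tblName` WHERE date_order BETWEEN :from AND :to";
    $stmt = $pdo->prepare($sql);
    $stmt->execute(['from' => $from, 'to' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on the search page.
if (isset($_POST['submit'])) {
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $rows = null;
    try {
        $rows = searchByDateRange(
            $pdo,
            'xbp_paid_bills',
            (string)($_POST['from'] ?? ''),
            (string)($_POST['to'] ?? '')
        );
    } catch (InvalidArgumentException $e) {
        echo '<div class="alert alert-warning text-center">INVALID DATE RANGE</div>';
    }

    if ($rows === []) {
        echo '<div class="alert alert-warning text-center">NO RECORD FOUND</div>';
    } elseif ($rows !== null) {
        echo '<p>' . count($rows) . ' Record(s) Found.</p>';
        foreach ($rows as $row) {
            // Parameters stop SQL injection; htmlspecialchars() stops stored
            // XSS from data that reached the table through some other path.
            echo '<tr><td>' . htmlspecialchars((string)$row['trans_ref'], ENT_QUOTES, 'UTF-8') . '</td></tr>';
        }
    }
}
```

Note that rowCount() is not used to get the number of matches: for SELECT statements its value is driver-dependent, whereas count() on the fetched array is always correct. Validating the dates up front also means the database never sees the malformed input at all, which keeps the error path out of the user-facing page.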
Solution mac_gyver Posted December 13, 2016

Do you have PHP's error_reporting set to E_ALL and display_errors set to ON in the php.ini (putting these settings into your code won't help show syntax errors in the same file where the settings are being set) on your development system, so that PHP would help you by reporting and displaying all the errors it detects?

You would be getting a PHP syntax error because you are mixing PHP and HTML markup inside of PHP code tags. You would also be getting a blank PHP page, which you didn't tell us you are getting as a symptom when you run your code. To output in-line HTML markup, you need to have a closing PHP tag to switch out of PHP 'mode'.

With 300+ posts, you should be past having these basic problems.
mac_gyver Posted December 13, 2016

Another point about prepared queries: you prepare them once, then execute them multiple times. The UPDATE query should be prepared once, before the start of the loop. The code inside the loop should only populate the data for the placeholders, then execute the query.

@NotionCommotion, the OP's from and to values do make sense. from is an older date and needs to be the first parameter in the BETWEEN term for the statement to work. to is a newer date and needs to be the second parameter in the BETWEEN term.
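The reconcile handler rewritten to follow both of mac_gyver's points, as an added example that is not code from the original post or from either poster: the UPDATE is prepared once before the loop and only the bound id changes per execute(), and all PHP logic finishes before a closing tag switches to HTML mode for the markup. It also validates every check_list id as a positive integer, wraps the batch in a transaction, accumulates rowCount() across iterations (the original overwrote $count on every pass, so only the last id decided the message), and logs driver errors instead of printing errorInfo() to the browser. Assumes PHP 7.1 or newer and an open PDO connection in $pdo; reconcileRows() is a hypothetical helper name, and the table and column names are the ones from the thread.

```php
<?php
// Added example, not the OP's code. Assumes $pdo is an open PDO connection.
declare(strict_types=1);

/**
 * Mark the given trans_id rows reconciled. Returns the number of rows the
 * database actually changed. Any id that is not a positive integer aborts
 * the whole batch before a single UPDATE runs.
 */
function reconcileRows(PDO $pdo, array $ids): int
{
    $clean = [];
    foreach ($ids as $id) {
        // filter_var rejects "1 OR 1=1", "1e3", "", arrays and negatives.
        $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            throw new InvalidArgumentException('invalid id in check_list');
        }
        $clean[] = $n;
    }
    if ($clean === []) {
        return 0;
    }

    // Prepared once; the loop below only rebinds the placeholder.
    $stmt = $pdo->prepare(
        'UPDATE xbp_paid_bills SET reconcile_status = 1 WHERE trans_id = :id'
    );

    $changed = 0;
    $pdo->beginTransaction();
    try {
        foreach ($clean as $n) {
            $stmt->bindValue(':id', $n, PDO::PARAM_INT);
            $stmt->execute();
            $changed += $stmt->rowCount();   // accumulate, do not overwrite
        }
        $pdo->commit();
    } catch (PDOException $e) {
        $pdo->rollBack();                     // all or nothing for the batch
        throw $e;
    }
    return $changed;
}

// Handler: all PHP first, HTML only after the closing tag below.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$message = null;
if (isset($_POST['reconcile']) && !empty($_POST['check_list']) && is_array($_POST['check_list'])) {
    try {
        $changed = reconcileRows($pdo, $_POST['check_list']);
        $message = $changed > 0
            ? ['success', "$changed RECORD(S) RECONCILED"]
            : ['warning', 'NO RECORDS WERE CHANGED'];
    } catch (InvalidArgumentException | PDOException $e) {
        // Details go to the server log; the user only sees a generic notice.
        error_log('reconcile failed: ' . $e->getMessage());
        $message = ['warning', 'A PROBLEM OCCURRED WHILE RECONCILING RECORDS'];
    }
}
?>
<?php if ($message !== null): ?>
<div class="alert alert-<?= $message[0] ?> text-center">
    <?= htmlspecialchars($message[1], ENT_QUOTES, 'UTF-8') ?>
</div>
<?php endif; ?>
```

Binding with PDO::PARAM_INT after filter_var is belt and braces: the validation guarantees the value is an integer, and the typed bind guarantees the driver never quotes it as a string. With error_reporting E_ALL and display_errors on in php.ini, as mac_gyver suggests, the original "markup inside PHP tags" mistake would have surfaced as a parse error on the first request instead of a blank page.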
NotionCommotion Posted December 13, 2016

mac_gyver wrote: @NotionCommotion, the OP's from and to values do make sense. from is an older date and needs to be the first parameter in the BETWEEN term for the statement to work. to is a newer date and needs to be the second parameter in the BETWEEN term.

Okay. I had thought they were email addresses or names or something.

Also, I was going to comment on this in my original reply but thought it better to stay just on the subject of prepared statements, but... Why set $_SESSION with $_POST values? It does not magically provide any protection. Do you really need these as a session?