PHP select from list display results

Question

TheRavenMaddox 0 Newbie Poster

11 Years Ago

This code use to work on a Win2k3 machine running MySQL and PHP but I have since updated my server to Win2k8. I installed the newest version of MySql and PHP and the PHP itself is working. I am able to pull various fields from my database if I hardcode a selecr query. I am also able to run some snippets of code but this piece of code baffles me. Sometimes I can edit it, refresh my page as a check, restore the code, and it will work perfectly, yet if I open a new browser and return to the unedited code it fails. I assume it has something to do with my form and post and that maybe when it works for those moments it is because my $_POST['id'] is not null. Can someone please help me figure out what the problem is here? Thanks!

<?php
$username = "root";
$password = "";
$hostname = "localhost:3306";   
$dbh = mysql_connect($hostname, $username, $password) 
    or die("Unable to connect to MySQL");
$selected = mysql_select_db("operations",$dbh) 
    or die("Could not select operations");
$query = "LOCK TABLES logins WRITE";
mysql_query($query);

print "<p><b><i>Select Record to View</i></b></p>";

//Begin Drop-Down Menu
$result = mysql_query("SELECT * FROM logins ORDER BY TitleName") 
    or die(mysql_error());
echo "<form name=\"submitme\" method=\"post\"action=\"".$_SERVER['PHP_SELF']."\">\n";
echo "<select name=\"id\" onchange=\"document.submitme.submit()\">\n"; 

while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) {
    echo "<option value=\"$row[Title]\">$row[TitleName]</option>\n";
}

echo "</select>\n";
echo "</form>"; 
//End Drop-Down Menu


if ($_POST['id']=="") { $NEW = $_POST['TITLE'];
    }else{$NEW = $_POST['id'];}
$result = mysql_query("SELECT * FROM logins WHERE Title='$NEW'");
while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) {
    print "\n<b>".$row{'TitleName'}."</b><ol style=\"margin-top: 0in; margin-bottom: 0in\" type=\"circle\">";
    print "\n<li>Website: <a href=\"".$row['Website']."\" target=\"_blank\">".$row['Website']."</a></li>";
    print "\n<li>Website2: <a href=\"".$row['Website2']."\" target=\"_blank\">".$row['Website2']."</a></li>";
    print "\n<li>UserEmail: ".$row['UserEmail']."</li>";
    print "\n<li>User: ".$row['User']."</li>";
    print "\n<li>Pass: ".$row['Pass']."</li>";
    print "\n<li>Notes: ".$row['Notes']."</li>";
    print "\n</ol>";
}

mysql_close($dbh);

?>

php

2 Contributors
3 Replies
195 Views
13 Hours Discussion Span
Latest Post 11 Years Ago Latest Post by diafol

diafol

11 Years Ago

Your post variables may not be set:

You assume $_POST['id'] and $_POST['title'] are always set. Also you place unsanitized post data in a mysql query. I can't see which form element relates to $_POST['title'] - there should be an element with name="title".

if ($_POST['id']=="") { 
    $NEW = $_POST['TITLE'];
}else{
    $NEW = $_POST['id'];
}
$result = mysql_query("SELECT * FROM logins WHERE Title='$NEW'");

If the form is sent, $_POST['id'] should always contain a value. I'm a little confused as to the naming of your vars - 'id' suggests and integer value, e.g. an autoincremented primary key (not always the case though) and 'title' suggests a string of some description.

Maybe something like this?

if(isset($_POST['id'])){

    $title = mysql_real_escape_string($_POST['id']);

    $result = mysql_query("SELECT * FROM logins WHERE Title='$title'");
    while ($row = mysql_fetch_array($result,MYSQL_ASSOC)) {
        print "\n<b>".$row{'TitleName'}."</b><ol style=\"margin-top: 0in; margin-bottom: 0in\" type=\"circle\">";
        print "\n<li>Website: <a href=\"".$row['Website']."\" target=\"_blank\">".$row['Website']."</a></li>";
        print "\n<li>Website2: <a href=\"".$row['Website2']."\" target=\"_blank\">".$row['Website2']."</a></li>";
        print "\n<li>UserEmail: ".$row['UserEmail']."</li>";
        print "\n<li>User: ".$row['User']."</li>";
        print "\n<li>Pass: ".$row['Pass']."</li>";
        print "\n<li>Notes: ".$row['Notes']."</li>";
        print "\n</ol>
    }    
}

You should also be aware that mysql_* functions are approaching the end of the road. Consider moving to mysqli_* or PDO. In addition, consider placing inline styling to a CSS file or to a style tag at the very least.

Edited 11 Years Ago by diafol

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

TheRavenMaddox 0 Newbie Poster · Answer 1 · 2013-02-12T02:48:50+00:00

The if(isset($_POST['id'])) piece of code fixed my problem! Thank you very much!

'id' was just the select name I chose for my drop down box. And 'Title' was an abbreviated version of the full name that I had used as the primary key, altho if I were to do this again today I would prefer to use a unique auto gen number.

I'm not sure I understand the "posting unsanitized data" remark. I pulled from MySql to generate a drop-down list and selected/filtered my query based on that.

This code was written by me over 6 years ago and it grew like patchwork with a lot of copy and pasting. I had written an UPDATE, ADD NEW, and DELETE page to go with this lookup page. Apparently something changed with the new itterations of PHP / MySql which broke my code.It was designed to be a simple database to keep track of login, username and passwords with links to the accompanying pages. Other pages in my site would have instructions on what to do once at the page. Style and formatting were never a real concern altho I will research further into what you mean by PDO and the mysqli_* functions. My best bet may be to start from scratch and recreate the 4 pages, because the other three are broken as well.

Do you have any links or directions you can point me in to create a more clean / current code version of what I am trying to accomplish here? Thanks again.

diafol · Answer 2 · 2013-02-12T10:41:20+00:00

I'm not sure I understand the "posting unsanitized data" remark.

This means you did not sanitize the $_POST variable before inserting it into your SQL query. This means you could be vulnerable to SQL injections. Pretty serious.

So, if you mean to keep using mysql_* functions for the time being, treat all input as suspicious and use mysql_real_escape_string() on all expected strings and intval() on all expected integers. ALternatively, you can use the built-in sanitize and filter functions:

http://php.net/manual/en/filter.filters.sanitize.php
http://www.php.net/manual/en/filter.filters.validate.php

However, mysql_* are to be deprecated soon, so you should think about moving on to using mysqli_* or PDO. Using parameterized queries can help reduce the risk of injection.