
replacing values not working anymore

Posted: Wed Dec 06, 2006 12:01 pm
by Obadiah
I'm working on a small project trying to pull values from a database where the text value meets a certain value. Here is what I have:

Code: Select all

<?php 
error_reporting(E_ALL); 
ini_set('display_errors', 1);
function doDB()
{
	$conn = mysql_connect("#####","####","#######") or die(mysql_error());
	mysql_select_db("customerdirectory",$conn) or die(mysql_error());
	return $conn;
}

function locate()
{
	$sql = "SELECT * FROM merchant WHERE phone_num = '{$_POST['phone_num']}'";
	$result = mysql_query($sql,$conn) or die(mysql_error());
	return $result;
}
$conn = doDB(); 
echo "Please enter a phone number:
<form action=\"locate()\">
<input type=\"text\" name=\"phone_num\">
<input type=\"submit\" name=\"submit\" value=\"Find Merchant\">
</form>";
?>
I feel dumb for asking this question, but I can't for the life of me think of a way to get the function to work when someone clicks the button....lol...help please :lol:

Posted: Wed Dec 06, 2006 12:13 pm
by Luke
First of all... 8O SQL INJECTION!!!!!
You need to at the very least mysql_real_escape_string this...

Code: Select all

$sql = "SELECT * FROM merchant WHERE phone_num = '" . mysql_real_escape_string($_POST['phone_num'], $conn) . "'";
Anyway... since it's the magical buzz-word, you could do it the AJAX way, but the standard PHP way is like so: (something like this anyway)

Code: Select all

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
function doDB()
{
        $conn = mysql_connect("#####","####","#######") or die(mysql_error());
        mysql_select_db("customerdirectory",$conn) or die(mysql_error());
        return $conn;
}

function locate($number, $conn)
{
        $sql = "SELECT * FROM merchant WHERE phone_num = '" . mysql_real_escape_string($number, $conn) . "'";
        $result = mysql_query($sql,$conn) or die(mysql_error());
        return $result;
}
$conn = doDB();
if(isset($_POST['action']) && $_POST['action'] == 'locate')
{
    $result = locate($_POST['phone_num'], $conn);
    // Do something with $result
}
?>
Please enter a phone number:
<form action="#">
<input type="text" name="phone_num">
<input type="hidden" name="action" value="locate">
<input type="submit" name="submit" value="Find Merchant">
</form>
PHP is server-side, so you can not magically grab a function with html like you were trying to do...
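
The injection Luke points out, shown as an added example that is not part of the original thread: the first post's concatenated query beside the escaped form he suggests and a bound parameter. It assumes PDO with an in-memory SQLite table so it runs without a server (the mysql_* functions used in the thread were removed in PHP 7); the rows, inputs and function names are constructed for illustration.

```php
<?php
// Added example: constructed in-memory data, not the poster's real schema.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE merchant (phone_num TEXT, merchant_name TEXT)");
$pdo->exec("INSERT INTO merchant VALUES ('5550100', 'Alpha Deli'), ('5550101', 'Beta Books')");

// Pattern from the first post: request input concatenated into the SQL text.
function locateConcatenated(PDO $pdo, string $phone): array
{
    $sql = "SELECT * FROM merchant WHERE phone_num = '$phone'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaping, the PDO counterpart of the mysql_real_escape_string() advice:
// quote() escapes the value and wraps it in quotes for this connection.
function locateQuoted(PDO $pdo, string $phone): array
{
    $sql = 'SELECT * FROM merchant WHERE phone_num = ' . $pdo->quote($phone);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the value travels separately and is never parsed as SQL.
function locatePrepared(PDO $pdo, string $phone): array
{
    $stmt = $pdo->prepare('SELECT * FROM merchant WHERE phone_num = :phone');
    $stmt->execute([':phone' => $phone]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary value, one that closes the quoted literal.
$inputs = ['5550100', "x' OR '1'='1"];
foreach ($inputs as $in) {
    printf(
        "%-16s concatenated=%d  quoted=%d  prepared=%d row(s)\n",
        $in,
        count(locateConcatenated($pdo, $in)),
        count(locateQuoted($pdo, $in)),
        count(locatePrepared($pdo, $in))
    );
}
```

Only the concatenated version lets the second input change the WHERE clause and return every merchant row; the other two treat it as a literal phone number that matches nothing.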

Posted: Wed Dec 06, 2006 12:50 pm
by Obadiah
Sorry 'bout the non-sanitization....but I implemented your suggestion and the GUI works in all but the submit doesn't work, and I get this error:
Notice: Undefined index: action in C:\Program Files\merchant_locater.php on line 24

Posted: Wed Dec 06, 2006 12:52 pm
by feyd
isset() <insert generic response here>.

Posted: Wed Dec 06, 2006 12:56 pm
by Luke
I fixed it... :D

Posted: Wed Dec 06, 2006 12:58 pm
by feyd
The Ninja Space Goat wrote: I fixed it... :D
parse error now. :)

Posted: Wed Dec 06, 2006 1:15 pm
by Obadiah
feyd wrote:
The Ninja Space Goat wrote: I fixed it... :D
parse error now. :)
this fixed the parses

Code: Select all

if ( isset($_POST['action']) && 'locate'===$_POST['action'] )
:wink:

[edited]

The button is still dead and my else executes automatically...this is what I have thus far:

Code: Select all

<?php 
error_reporting(E_ALL); 
ini_set('display_errors', 1);
function doDB()
{
	$conn = mysql_connect("#######","####","########") or die(mysql_error());
	mysql_select_db("customerdirectory",$conn) or die(mysql_error());
	return $conn;
}

function locate($number, $conn) 
{ 
        $sql = "SELECT * FROM merchant WHERE phone_num = '" . mysql_real_escape_string($number, $conn) . "'"; 
        $result = mysql_query($sql,$conn) or die(mysql_error()); 
        return $result; 
} 
$conn = doDB(); 
echo "Please enter a phone number: 
<form action="#"> 
<input type="text" name="phone_num"> 
<input type="hidden" name="action" value="locate"> 
<input type="button" name="submit" value="Find Merchant"> 
</form>"; 

if ( isset($_POST['action']) && 'locate'===$_POST['action'] )

{ 
    $result = locate($_POST['phone_num'], $conn);
    
    while ($newArray = mysql_fetch_array($result))
{	
	$phone_num = $newArray['phone_num'];
	$merchant_num = $newArray['merchant_num'];
	$date_recieved = $newArray['date_recieved'];
	$merchant_name = $newArray['merchant_name'];
	$purchase_type = $newArray['purchase_type'];
	$lease_score = $newArray['lease_score'];
	$amex = $newArray['amex'];
	$app_id = $newArray['app_id'];
	$discover = $newArray['discover'];
	$username = $newArray['user_name'];
	$check_conversion = $newArray['check_conversion'];
	$gift_loyalty = $newArray['gift_loyalty'];
	$app_type = $newArray['app_type'];
	$terminal = $newArray['terminal'];
	$serial_num = $newArray['serial_num'];
	$nms = $newArray['nms'];
	$ckmerchant_num = $newArray['ckmerchant_num'];
	$giftmerchant_num = $newArray['giftmerchant_num'];
	$comments = $newArray['comments'];
}
echo "
<center>
<table width="683">
<tr>
<td>
<table class="text" width="683" border="1" bordercolor="green">
<tr>
<td align="center">Date Received</td>
<td colspan="2" align="center">Merchant Name</td>
<td align="center">Phone Number</td>
<td align="center">Lease Score</td>
</tr>
<tr>

<td align="center" class="output">$date_recieved &nbsp;</td>
<td align="center" colspan="2" class="output">$merchant_name &nbsp;</td>
<td align="center" class="output">$phone_num &nbsp;</td>
<td align="center" class="output">$lease_score &nbsp;</td>
</tr>

<tr>
<td align="center">Application Type</td>
<td align="center">AMEX</td>
<td align="center">Discover</td>
<td align="center">Check Conversion</td>
<td align="center">Gift & Loyalty</td>
</tr>
<tr>
<td align="center" class="output">$app_type &nbsp;</td>
<td align="center" class="output">$amex &nbsp;</td>
<td align="center" class="output">$discover &nbsp;</td>
<td align="center" class="output">$check_conversion &nbsp;</td>
<td align="center" class="output">$gift_loyalty &nbsp;</td>
</td>
</tr>

<tr>
<td align="center">Merchant&nbsp;#:</td>
<td colspan="2" align="center">Ck Merchant&nbsp;#:</td>
<td align="center">Gift Merchant&nbsp;#:</td>
<td align="center">Terminal:</td>
</tr>

<tr>
<td align="center" class="output">$merchant_num &nbsp;</td>
<td colspan="2" align="center" class="output">$ckmerchant_num &nbsp;</td>
<td align="center" class="output">$giftmerchant_num &nbsp;</td>
<td align="center" class="output">$terminal &nbsp;</td>
</tr>

<tr>
<td align="center">Serial#/SiteID/TID:</td>
<td colspan="2" align="center">DL#/NMS:</td>
<td align="center">App-ID:</td>
<td align="center">L/C/R:</td>
<td bgcolor="green" rowspan="2">&nbsp;</td>
</tr>
<tr>
<td align="center" class="output">$serial_num &nbsp;</td>
<td colspan="2" align="center" class="output">$nms &nbsp;</td>
<td align="center" class="output">$app_id &nbsp;</td>
<td align="center" class="output">$purchase_type &nbsp;</td>
</tr>

<tr>
<td>Comments</td>
<td class="output" colspan="3">";
echo nl2br("$comments");
echo "
&nbsp;</td>
</tr>
</table>
</td>
</tr>
<tr>
<td bgcolor="green" colspan="12">&nbsp;</td>
</tr>
</table>";
}
else
{
echo "nothing to display";	
}
?>

Posted: Wed Dec 06, 2006 1:37 pm
by RobertGonzalez
Try this, see if it does anything different..

Code: Select all

<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

function doDB()
{
    $conn = mysql_connect("#######","####","########") or die(mysql_error());
    mysql_select_db("customerdirectory",$conn) or die(mysql_error());
    return $conn;
}

function locate($number, $conn)
{
    $sql = "SELECT * FROM merchant WHERE phone_num = '" . mysql_real_escape_string($number, $conn) . "'";
    $result = mysql_query($sql,$conn) or die(mysql_error());
    return $result;
}

$conn = doDB();

echo 'Please enter a phone number:
<form method="post" action="' . basename($_SERVER[SCRIPT_FILENAME]) . '">
<input type="text" name="phone_num">
<input type="hidden" name="action" value="locate">
<input type="button" name="submit" value="Find Merchant">
</form>';

if ( isset($_POST['action']) && 'locate' === $_POST['action'] )
{
    $result = locate($_POST['phone_num'], $conn);
    while ($newArray = mysql_fetch_array($result))
    {       
        $phone_num = $newArray['phone_num'];
        $merchant_num = $newArray['merchant_num'];
        $date_recieved = $newArray['date_recieved'];
        $merchant_name = $newArray['merchant_name'];
        $purchase_type = $newArray['purchase_type'];
        $lease_score = $newArray['lease_score'];
        $amex = $newArray['amex'];
        $app_id = $newArray['app_id'];
        $discover = $newArray['discover'];
        $username = $newArray['user_name'];
        $check_conversion = $newArray['check_conversion'];
        $gift_loyalty = $newArray['gift_loyalty'];
        $app_type = $newArray['app_type'];
        $terminal = $newArray['terminal'];
        $serial_num = $newArray['serial_num'];
        $nms = $newArray['nms'];
        $ckmerchant_num = $newArray['ckmerchant_num'];
        $giftmerchant_num = $newArray['giftmerchant_num'];
        $comments = $newArray['comments'];
    }

    echo '<center>
    <table width="683">
    <tr>
    <td>
    <table class="text" width="683" border="1" bordercolor="green">
    <tr>
    <td align="center">Date Received</td>
    <td colspan="2" align="center">Merchant Name</td>
    <td align="center">Phone Number</td>
    <td align="center">Lease Score</td>
    </tr>
    <tr>
    
    <td align="center" class="output">' . $date_recieved . ' &nbsp;</td>
    <td align="center" colspan="2" class="output">' . $merchant_name  . '&nbsp;</td>
    <td align="center" class="output">' . $phone_num . '&nbsp;</td>
    <td align="center" class="output">' . $lease_score . ' &nbsp;</td>
    </tr>
    
    <tr>
    <td align="center">Application Type</td>
    <td align="center">AMEX</td>
    <td align="center">Discover</td>
    <td align="center">Check Conversion</td>
    <td align="center">Gift & Loyalty</td>
    </tr>
    <tr>
    <td align="center" class="output">' . $app_type . ' &nbsp;</td>
    <td align="center" class="output">' . $amex . ' &nbsp;</td>
    <td align="center" class="output">' . $discover . ' &nbsp;</td>
    <td align="center" class="output">' . $check_conversion . ' &nbsp;</td>
    <td align="center" class="output">' . $gift_loyalty . ' &nbsp;</td>
    </td>
    </tr>
    
    <tr>
    <td align="center">Merchant&nbsp;#:</td>
    <td colspan="2" align="center">Ck Merchant&nbsp;#:</td>
    <td align="center">Gift Merchant&nbsp;#:</td>
    <td align="center">Terminal:</td>
    </tr>
    
    <tr>
    <td align="center" class="output">' . $merchant_num . ' &nbsp;</td>
    <td colspan="2" align="center" class="output">' . $ckmerchant_num . ' &nbsp;</td>
    <td align="center" class="output">' . $giftmerchant_num . ' &nbsp;</td>
    <td align="center" class="output">' . $terminal . ' &nbsp;</td>
    </tr>
    
    <tr>
    <td align="center">Serial#/SiteID/TID:</td>
    <td colspan="2" align="center">DL#/NMS:</td>
    <td align="center">App-ID:</td>
    <td align="center">L/C/R:</td>
    <td bgcolor="green" rowspan="2">&nbsp;</td>
    </tr>
    <tr>
    <td align="center" class="output">' . $serial_num . ' &nbsp;</td>
    <td colspan="2" align="center" class="output">' . $nms . ' &nbsp;</td>
    <td align="center" class="output">' . $app_id . ' &nbsp;</td>
    <td align="center" class="output">' . $purchase_type . ' &nbsp;</td>
    </tr>
    
    <tr>
    <td>Comments</td>
    <td class="output" colspan="3">';
    echo nl2br($comments);
    echo '&nbsp;</td>
    </tr>
    </table>
    </td>
    </tr>
    <tr>
    <td bgcolor="green" colspan="12">&nbsp;</td>
    </tr>
    </table>';
}
else
{
    echo "nothing to display";     
}
?>

Posted: Wed Dec 06, 2006 1:47 pm
by Obadiah
The else still executes automatically and it gives me this as an error:
Notice: Use of undefined constant SCRIPT_FILENAME - assumed 'SCRIPT_FILENAME' in C:\Program Files\merchant_locater.php on line 22
I took

Code: Select all

<form method="post" action="' . basename($_SERVER[SCRIPT_FILENAME]) . '">
and changed it to this

Code: Select all

<form method="post" action="' . basename($_SERVER['merchant_locater.php']) . '">
because I figured you meant to place the name of the actual script or the current file. Bad move, I guess; now it gives me
Notice: Undefined index: merchant_locator.php in C:\Program Files\merchant_locater.php on line 22
and the darn button is still being stubborn and not wanting to work at all

Posted: Wed Dec 06, 2006 2:17 pm
by RobertGonzalez
Put single quotes around 'SCRIPT_FILENAME' then reload the page.

Posted: Wed Dec 06, 2006 2:33 pm
by Obadiah
Sweet! That removed the error...but the button isn't performing the search...it still acts as though there is no code for it at all.

Posted: Wed Dec 06, 2006 3:10 pm
by RobertGonzalez
Make your button a submit. Change

Code: Select all

<input type="button" name="submit" value="Find Merchant"> 
to

Code: Select all

<input type="submit" name="submit" value="Find Merchant"> 

Posted: Wed Dec 06, 2006 3:23 pm
by Obadiah
everah....you're a genius...thanks mann :)

Much thanks to feyd and space also.

Posted: Wed Dec 06, 2006 3:32 pm
by John Cartwright
Look carefully at which parameters you are passing mysql_real_escape_string() ;)

Posted: Wed Dec 06, 2006 3:43 pm
by RobertGonzalez
It looks like he's passing the phone number and the connection id, no? :?