
Posted: Thu Sep 06, 2007 10:11 am
by SirChick
So would this work on the next page:

$_POST{$soldhousesrow['Price']};

Cos that's from the form, not the query.

And I'm not too sure on this part:
Edit your SQL to include the data you need to build the select, and then you'll be able to reference it the way you are.
Could you show me an example, and then I'll give it a try?

Posted: Thu Sep 06, 2007 6:58 pm
by Stryks
Ok, before you do anything else, have a read of this page.

It's important that you have a good read of it, even if you don't really 'get' it, because all of your problems here seem to relate in some way to arrays and the way you are trying to use them.

As far as the SQL goes, I don't know your database, so I really am flying blind with it. However, assuming you are just attempting to reference an existing database field and have just forgotten to query it, you would change this ...

Code: Select all

$soldhousesquery = "SELECT Price, HouseType FROM soldhouses ORDER BY Price ASC";
to this ...

Code: Select all

$soldhousesquery = "SELECT SoldHouseID, Price, HouseType FROM soldhouses ORDER BY Price ASC";
When this command is executed

Code: Select all

$soldhousesrow = mysql_fetch_array($soldhousesresult);
it will return an array of the fields (columns) relating to a single record (row). When you specify columns to return (between SELECT and FROM) they will be the ONLY values returned.

Now, with the POST array, the way you are trying to access it is wrong on a few different levels. Firstly, to my knowledge, you cannot access an array with the syntax

Code: Select all

$_POST{anything}
Someone may correct me on that, but I don't think so. Direct access to an array element should always be in the form of

Code: Select all

$_POST['something']
As for using a variable as the key for the array, this is possible - with the format

Code: Select all

$key = "something";
echo $_POST[$key];
or even

Code: Select all

echo $_POST[$test['key']];
However, what you are trying to do here

Code: Select all

$_POST{$soldhousesrow['Price']};
is access an array using the wrong format, using a key which by your reckoning would equate to a value, not a key. Worse than that, though, the value you are aiming at accessing is not set, because it is not passed to the second page via the form as you suspect.

When you submit a form, the $_POST array will store a series of values in the format "form control name"=>"form control value". Accessed with ...

Code: Select all

$_POST["form_control_name"]
The form you specify has two controls, "houselist" and "buy", as shown when you var_dump the post value.
array(2) { ["houselist"]=> string(0) "" ["Buy"]=> string(9) "Buy House" }
So, accessing $_POST, you only have access to "houselist" and "Buy". You can add hidden fields to your form to carry the extra data across, or you can fix the SQL as shown above, and use the SoldHouseID stored as a value in the form as "houselist" and run a second query on the second page to get access to the extended data.

I've tried to lay this all out as simply as I can without actually rewriting your code for you. I hope it helps.

Posted: Sat Sep 08, 2007 9:20 am
by SirChick
Right, I think I understand you.

I have tried a new attempt at this but I'm still getting House ID cannot be found. I think it's my $_POST call on the second page that is incorrect... but not entirely sure... this is what I have changed it to...
I changed the query on the form like you said and did a post call for "houselist", which is the select name... would that be correct? Or should I post call some other value from the form?

Code: Select all

<form name="Form1" method="POST" action="housepurchaseprocess.php" enctype="multipart/form-data" id="Form1" onsubmit="return ValidateForm1(this)">

<?php
//generates a list box to display the rows of available houses in the soldhouses table depending on which one the user clicks on then clicks buy will be "should be" the one that goes to the session
$soldhousesquery = "SELECT SoldHouseID, Price, HouseType FROM soldhouses ORDER BY Price ASC";
$soldhousesresult = @mysql_query($soldhousesquery) or die(mysql_error());


echo '<select name="houselist" size="10">';

while($soldhousesrow = mysql_fetch_array($soldhousesresult)) {
        echo "<option value=\"{$soldhousesrow['SoldHouseID']}\">£ {$soldhousesrow['Price']} - {$soldhousesrow['HouseType']}</option>";
		}

echo '</select>';


?>
</div>
<input type="submit" id="Button2" name="Buy" value="Buy House" style="position:absolute;left:350px;top:600px;width:184px;height:24px;z-index:20">
</form>
Process page:

Code: Select all

$HouseId = $_POST['houselist'];

$GetHouseInfo = mysql_query("SELECT * FROM soldhouses WHERE SoldHouseID='$HouseID'");
// Fetch the row from the database
if (!($gethouseinforow = mysql_fetch_assoc($GetHouseInfo))) {
    echo "House ID not found!";
    exit;
	echo mysql_error();
}

Posted: Sat Sep 08, 2007 9:38 am
by josa
It looks correct but I think it's a good idea to look inside the $_POST array and see what it actually contains. Place this code somewhere in housepurchaseprocess.php:

Code: Select all

echo '<pre>';
var_dump($_POST);
echo '</pre>';
/josa

Posted: Sat Sep 08, 2007 10:32 am
by SirChick
array(2) {
["houselist"]=>
string(1) "1"
["Buy"]=>
string(9) "Buy House"
}

House ID not found!


That's the result, not entirely sure what it means with the string(1) "1".

Could that be the ID?

Posted: Sat Sep 08, 2007 11:33 am
by josa
Yes, that is what gets posted from the form.

"houselist" => string(1) "1"
  • "houselist" is the array key and this key is what you use when you write $_POST['houselist'].
  • string(1) tells us that the value for that key is of type string with the length of one (1).
  • "1" is the value. In this case the house id.
Next step is to look at the query and see if there is something wrong with that. If you do like this...

Code: Select all

$sql = "SELECT * FROM soldhouses WHERE SoldHouseID='$HouseID'";
echo $sql;
$GetHouseInfo = mysql_query($sql);
...
...you can see exactly what the query looks like. You can then cut and paste it into phpMyAdmin for example and see what happens.

/josa

Posted: Sat Sep 08, 2007 11:59 am
by SirChick
Hmmm if you say the "1" is the value of house id... the query is showing "0"

array(2) {
["houselist"]=>
string(1) "1"
["Buy"]=>
string(9) "Buy House"
}

SELECT * FROM soldhouses WHERE SoldHouseID='0'House ID not found!

So could that mean that string(1) "1" is not houseID but in fact something like the item position? Example:

1 cottage - 50000
2 apartment - 10000

and because I picked cottage the item is 1, as in option one, instead of the house ID?

Posted: Sat Sep 08, 2007 12:17 pm
by josa
Oh, I missed a detail. Variables in PHP are case sensitive. $HouseID in your query should be $HouseId. You should also consider converting the posted variable to an integer to prevent SQL injection.

Code: Select all

$HouseId = intval($_POST['houselist']);
/josa

Posted: Sat Sep 08, 2007 12:38 pm
by SirChick
The user does not type anything though, they just select an option, so they can't type an SQL injection....


Hmm, I'm getting this now:
1 (this 1 is coming from Echo $HouseID; as shown in the code below, suggesting the HouseID now does work)

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\housepurchaseprocess.php on line 20
House ID not found!

Code:

Code: Select all

$HouseID = $_POST['houselist'];
Echo $HouseID;
$sql = "SELECT * FROM soldhouses WHERE SoldHouseID='$HouseID'";
if (!($gethouseinforow = mysql_fetch_assoc($sql))) {
    echo "House ID not found!";
    exit;
	echo mysql_error();
}

Posted: Sat Sep 08, 2007 12:52 pm
by josa
You forgot to send the query to the database. The echo $sql part was for debugging so we can remove that now.

Code: Select all

$HouseID = intval($_POST['houselist']);
$sql = "SELECT * FROM soldhouses WHERE SoldHouseID='$HouseID'";
$GetHouseInfo = mysql_query($sql);
if (!($gethouseinforow = mysql_fetch_assoc($GetHouseInfo))) {
    echo "House ID not found!";
    exit;
        echo mysql_error();
}
As for SQL injection, you have to consider that not all clients are plain web browsers. You should always assume the client can send anything in a form post, not just what you explicitly allow.

/josa
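
The point made above about non-browser clients, as an added example that is not part of the original thread or any poster's code: it runs the same lookup over the value the form sends and over values only a hand-built request could send, printing what intval() makes of each next to the outcome of strict validation plus a bound parameter. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL soldhouses table so it runs offline (the mysql_* functions used in the thread were removed in PHP 7), findHouse() is a hypothetical helper, and the sample POST arrays are constructed.

```php
<?php
// Added example: constructed data; in-memory SQLite stands in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE soldhouses (SoldHouseID INTEGER PRIMARY KEY, Price INTEGER, HouseType TEXT)');
$db->exec("INSERT INTO soldhouses VALUES (1, 50000, 'Cottage'), (2, 10000, 'Apartment')");

/**
 * Hypothetical helper: validate the posted "houselist" value, then look it up
 * with a bound parameter so the value never becomes part of the SQL text.
 * Returns the row as an array, or null when the input is rejected or unknown.
 */
function findHouse(PDO $db, array $post): ?array
{
    $raw = $post['houselist'] ?? null;
    // Accept only a string holding a positive integer; arrays, empty strings,
    // "1 OR 1=1", "1abc" and negative numbers are all rejected.
    $id = is_string($raw)
        ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
        : false;
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT SoldHouseID, Price, HouseType FROM soldhouses WHERE SoldHouseID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed POST bodies: the first is what the form sends, the rest are
// what a client other than the form could put in the same field.
$samples = [
    ['houselist' => '1', 'Buy' => 'Buy House'],
    ['houselist' => '1 OR 1=1'],
    ['houselist' => ['1']],
    ['houselist' => ''],
    ['Buy' => 'Buy House'],
];
foreach ($samples as $post) {
    $raw = $post['houselist'] ?? null;
    $row = findHouse($db, $post);
    printf("%-22s intval=%-2s => %s\n",
        json_encode($raw),
        is_scalar($raw) ? intval($raw) : '-',
        $row ? "{$row['HouseType']} ({$row['Price']})" : 'rejected');
}
```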

Posted: Sat Sep 08, 2007 12:57 pm
by SirChick
Oh right, OK, I'll deal with injections a bit later on then...



So just to add.... for the fields to be called do I just do:

$HouseType = $gethouseinforow['HouseType'];
$HousePrice = $gethouseinforow['Price'];
$NumberOfRooms = $gethouseinforow['RoomTotal'];

or is it $bleh = $gethouseinfo['fieldname']; ?

Posted: Sun Sep 09, 2007 1:02 am
by Stryks
I don't really remember why now, but when I first started out with databases, I was told to try and avoid doing wildcard selects, like

Code: Select all

$sql = "SELECT * FROM soldhouses WHERE SoldHouseID='$HouseID'";
I think it had to do with being a waste of resources, pulling back all data instead of just the data needed. I don't know how good an argument that is, but as for how my style has developed, I always specify the columns to be returned simply because it's a good lookup. When I see

Code: Select all

$soldhousesquery = "SELECT SoldHouseID, Price, HouseType FROM soldhouses ORDER BY Price ASC";
I just know that when attempting to pull data from the result set, I can access $result['SoldHouseID'], $result['Price'], and $result['HouseType'] without needing to jump out of my current view to make sure I got the names right.

To give a bit of insight into what you are pulling back (and thus what and how you can access it), insert this at the end of the code you posted.

Code: Select all

    echo "You have access to:<br><br>";
    foreach($gethouseinforow as $key=>$value) echo "<strong>\$gethouseinforow['$key']</strong> &nbsp; = $value<br>";
The part in bold is what you would use to access the data, and the rest is the value being returned for that column.

If it helps you with checking out data from forms, it will also work on the form recipient page.

Code: Select all

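    echo "You have access to:<br><br>";
    // Escape keys and values so posted markup is displayed, not rendered
    foreach($_POST as $key=>$value) echo "<strong>\$_POST['" . htmlspecialchars($key) . "']</strong> &nbsp; = " . htmlspecialchars(print_r($value, true)) . "<br>";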
Hope this helps.

Posted: Sun Sep 09, 2007 1:14 am
by Stryks
Oh ... and to answer your question, $gethouseinfo is just a reference to the database resource.

Code: Select all

echo $gethouseinfo;
... should give you something like ...
Resource id #2
As per your query method, you can only access results with $gethouseinforow, however, if you wanted to ...

Code: Select all

$bleh = $gethouseinforow['fieldname'];
... there's no reason why you couldn't, assuming 'fieldname' was the key of a returned value.

8)

Posted: Sun Sep 09, 2007 9:08 am
by SirChick
You have access to:

$gethouseinforow['SoldHouseID'] = 1
$gethouseinforow['Price'] = 50000
$gethouseinforow['HouseType'] = Cottage
$gethouseinforow['NumberOfRooms'] = 3



Ok that worked a treat.




Thanks for all your help.

Posted: Mon Sep 10, 2007 6:06 am
by Olga123
You'd better ask a professional to do it, maybe something is wrong with the database.