I have this datatable which gets its data from a server. The problem now is that the database contains a bit more data than i first imagined it would. So for keeping the browser from loading all entries i've created a multiple select list that I will use for only pulling out the essential information.
The input from this list is then matched with what's in the database. The result of that is then stored in $results as can be seen below.
The problem here is that i have no idea how to get the input data, especially if its multiple choice, to go in to the last mysql query which then go into $results.
Later on I use $results for pushing out data to a table. Though as i said it gets a bit crowded in the table when i load all my data into $results.
Everything else is working properly and I get my scopeIDs in my multiple select list.
So, how do I get my selected option/s to go in to
<?php
$results = mysql_query("SELECT * FROM tableID LIKE (/*some cool way of putting the input here*/)";
?>
Complete Code for the task:
///Connection parameters above///
$multiplechoice = mysql_query("SELECT scopeId FROM tableID");
$storeArray = array();
print"<select multiple name=\"scopeValues\" id=\"scopeIdchoice\">";
while ($rowchoice = mysql_fetch_array($multiplechoice, MYSQL_ASSOC)) {
$storeArray = $rowchoice['scopeId'];
print"<option id='".strtolower($storeArray)."'>";
print $storeArray;
print"</option>";
}
<?php
$results = mysql_query("SELECT * FROM tableID LIKE (/*some cool way of putting the input here*/)";
?>
Change the name of the select to scopeValues[].
From the select you will get an array of values in the $_POST array. You might pass that as a list of values to the SQL query like below. You need to adopt the xx_thefield_xxto the proper column name and of course need to do checks against SQL-injection, which are missing for better reading over here.
<?php
$scopeVals = $_POST['scopeValues[]'];
// … remember to sanitize $scopeVals before the next step
$results = mysql_query("SELECT * FROM tableID where xx_thefield_xx in ('" .
implode("','", $scopeVals) . "');";
?>
Because there is more than one value associated with a input now you need to tell the server to store all values in a array (notice the brackets):
name=\"scopeValues[]\"
Then you implode the array and run the SQL. I'll assume that you're POSTing the form data:
$scopeValues = implode(',', $_POST['scopeValues']);
// … remember to sanitize $scopeValues before the query
$results = mysql_query("SELECT * FROM tableID WHERE scopeId IN ($scopeValues) )";
Make sure to sanitize all the values in $scopeValues before interpolating them into the query to protect against SQL Injection. A more secure way would be not to use ext/mysql (it's deprecated anyway) and use PDO or ext/mysqli and use prepared statements.
(Are the IDs strings?)
I don't know if you knew this, but PHP is executed on the server. Requesting your pages goes as follows:
A browser sends a request to your server;
The server executes the PHP;
The server sends the output to the browser;
The browser renders the HTML.
This poses a problem: if you change your selection (which happens in the browser), the PHP has already been executed. It can't magically change its output that got sent to the browser. So to refresh the result, you should make a form and POST the input to the same page, which would check if data had been posted, if it had, output only the selected data, if it hadn't, show everything. If you want to make it a bit more complicated (but more usable too), you could use AJAX to retrieve the results of the select query.
The other answers covered the form already, the AJAX way would be like this:
Have a separate page which SELECTs the data using the POSTed input to filter.
Make an AJAX request (on the page that displays the data) every time the <select> changes.
(Maybe this answer is totally useless to you because you already knew PHP is server-side.)
Related
I have this PHP function which gets some JSON data as an input and stores it in a datatable.
One of the values is a Note value, which obviously can be anything, the user enters.
In order to store this, I came up with a prepared statement that looks something like this:
function InsertIntoTable($user, $note) {
$con = new mysqli(...);
$stmt = $con->prepare("INSERT INTO datatable (UserID, Notes) VALUES (?, ?)");
$stmt->bind_param("ss", $user, $note); //i also tried "mysqli_real_escape_string" on the $note variable but it didn't work: added more backslashes
if($stmt->execute()) {
return "OK";
}
else {
return "Error";
}
$stmt->close();
$con->close();
}
After an insert I usually go into MySQL workbench to check the value and I can see that a row looks like this:
USERID | NOTES
someuserid | \"double quote\"
The insert was successfull, but then, in my javascript based mobile app for example, where I read into the same data table and get the values, I will get the escape slashes at the beginning of the special characters.
If I manually go into MySQL Workbench or phpmyadmin, and insert a row myself, with some note that contains double quotes, then it turns out just fine, the escape characters are no longer there (not even in the database)
So I would like to know, what is the best way to store user notes in the database, where the content can be basically anything, and what's the best way to query them, to get them back in their EXACT form (like how the user inserted it)
LE: Ok, I just tried a trick: in the function I write the following line:
$note = 'this is a "double quote"';
If I run this, it inserts it perfectly, and I can read it perfectly from the mobile app or the web app.
What I get from this, is that the $note value might not arrive correctly to the function (it might already have the escape characters...)
Full PHP code snippet:
<?php header('Content-type: text/html; charset=UTF-8');
$data = json_decode(file_get_contents('php://input'), true);
foreach($data as $item) {
$userid= $item["User"];
$note = $item["Note"];
InsertIntoTable($userid, $note);
}
...
?>
I have a small MySQL database with a few hundred rows (all in text, no images). I am requesting all the rows using iQuery and do all filtering at client end. iQuery code is the following:
$(document).ready( function () {
$.get("alldata.php", function(data){
$('#result').text(data);
});
});
On the server side, the "alldata.php" has the following code and pass the data in JSON back to iQuery:
$sql = "SELECT title FROM mydatabase";
$result = mysqli_query($conn, $sql);
$arr = array();
while($row = mysqli_fetch_assoc($result)){
$row_array['Title'] =$row['title'];
array_push($arr,$row_array);
}
mysqli_close($conn);
echo json_encode($arr);
It seems to me there will not be any risk of injection since there is NO user input submitted to the database. Am I right or wrong? Thanks a lot for your input!
You are right. Your SQL statement includes no parameters outside of itself, so there is no vector for injection. While injection attacks ARE possible on SELECT statements, in your case the query is not created dynamically so cannot be tampered with.
You are safe since there are no user input. A malicious user needs user input to inject query. So never trust user input.
I have two tables: trade and user_pokemon_db
I want to copy a specific rows from user_pokemon_db, when an event occurs.
Html code:
echo "<a href='tradecenter.php' onClick='document.write(".trade($db_id).")' >Put in Trade</a>";
When the user clicks on the link, the php function is called which consists on sql query to copy the row.
$sql = " INSERT INTO trade (trade_id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3)
SELECT (id, user_id, pkmn_id, level, exp, health, attack1, attack2, attack3)
FROM user_pokemon_db WHERE user_id = '".$id."' AND id = '".$db_id."' ";
Problem maybe due to improper writting of the query.. or maybe due to improper formatting of the href!??
What should I do?
I don't know the content of your php function trade() but it seems that you are confusing javascript and PHP.
Keep in mind that in most of case, once the web page is sent to the user browser, the PHP execution is finished. If you want to do a SQL request after a link click, you need to load a new page or to use something like Ajax to run some PHP code again.
The simplest way to do what you want is to pass the pokemon id as a GET variable (= in the URL)
and check this variable on another page and generate the good SQL query :
echo '<a href="trade.php?pokemon_id='.$id.'" >Trade </a>' ;
And the trade.php would do something like that :
$id = $_GET['pokemon_id'] ; // Be Aware of SQL Injections !!
trade($id);
Have a look at this page for more information about forms : http://www.w3schools.com/php/php_forms.asp
( And if you are using GET or POST variables in your SQL query, be aware of SQL Injections )
If you want to run your PHP function without reloading the page, you should use AJAX. Check this page to understand how it works. A very easy way to use it is to use jQuery
I'm using PHP for a simple Contact Form. I'm trying to generate an unique ID for each form submitted. For example, the first email is #001, the second #002, 3th #003 etc.
I'll use the ID in the autoreply (or autoresponse?) e-mail: "You are the #016 person to make contact.", for example.
Can be with PHP or JavaScript (can it be with JS? I don't know! But I prefer PHP!). But I have no idea about how I can do this.
I'm not using a database.
Since you're (probably) going to store received information in a kind of database, you generate id on insertion into database. Autoincrement ID field should do the trick.
edit: It also sounds reasonable to reuse google forms
You can use php's uniqid() function to generate unique id each time.
Update 1:
It's a very useful function. The probability of generating same id is really minimum. For more information please visit the link
Update 2:
You can use simple text file/csv to store one line at a time to keep track of it. When the user submit the form you generate unique id each time and reply to client and at the same time you store it to a normal text file if you like. Hope this will help.
There are several ways to do this. The most simple of those is to create a file which will store the number of form filled and you can increase its value for each form filled.
Here is the example copied from: Read and write to a file while keeping lock
//Open the File Stream
$handle = fopen("file.txt","r+");
//Lock File, error if unable to lock
if(flock($handle, LOCK_EX)) {
$count = fread($handle, filesize("file.txt")); //Get Current Hit Count
$count = $count + 1; //Increment Hit Count by 1
ftruncate($handle, 0); //Truncate the file to 0
fwrite($handle, $count); //Write the new Hit Count
flock($handle, LOCK_UN); //Unlock File
} else {
echo "Could not Lock File!";
}
//Close Stream
fclose($handle);
I need to write a application that checks database from external server every 10 seconds to see if there is new data. Currently I have a javascript that checks if data has changed server by comparing two JSON (the old JSON and the new fetched from server) and if it has alerts user. But that is not what I need in this application. User should be alerted only when data is new, not when it has changed.
I was thinking that maybe I could do this with a PHP code that queries MYSQL and if query num_results is 0 loop until num_results is more than 0 when user gets notified. In this application it doesn't matter whether the new data is available for user in 0,1 second or 10 seconds, just as long as user gets it. This is how I tried to do the MYSQL check, but it isn't working:
<?php
include 'config.php';
if(isset($_GET['ID'])) {
$maxLoop = 20;
while($maxLoop--) {
$dbh = new PDO("mysql:host=$dbhost;dbname=$dbname", $dbuser, $dbpass);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$sth = $dbh->prepare('select * from testit where id = :id');
$sth->bindParam(':id',$_GET['ID'],PDO::PARAM_INT);
$sth->execute();
if($sth->rowCount()>0) {
$results = $sth->fetchAll(PDO::FETCH_OBJ);
echo '{"key":'. json_encode($results) .'}';
exit; // Found new data, end loop and script
}
} catch(PDOException $e) {
break;
}
sleep(3);
} // end while
} // end if
So how can I alter this code to make it work, or should I just try to write some javascript that would do this? And if so, how can I check whether data is new or not, instead of just checking whether it has changed or not?
How do you record 'new' data? is there a timestamp? an auto_increment primary key field?
The easiest method for polling is to simply keep track of the last known id/timestamp and see if there's anything with a higher id/newer timestamp.
As is, your method is quite inefficient. You select ALL records in the table, forcing mysql/pdo to start fetching that data from disk, etc... then simply throw it away after getting the row count. A more efficient method is do to a select count(*) ... and checking that value. This keeps mysql from having to start fetching actual row data from disk. And on some table types (myisam in particular), a count(*) operation is VERY quick.
If you want your application to check for changes every 10 seconds, you will have to use AJAX to make asyncronous requests to a php file on the server. In the php file, you only have to select * from testit where condition=false and you will get your "new data". Here's a link from where you can learn the basics of AJAX :
http://www.w3schools.com/ajax/default.asp