Author Topic: mysql  (Read 197 times)

swapna

  • Guest
mysql
« on: January 15, 2012, 10:07:09 PM »
Hi All,
I am kind of new to PHP. I am entering the website using a student ID. If the student ID does not exist in the MySQL database, it gives me an error. That works fine.
But if I try to echo StudentID on the 2nd page, it is not displaying anything. The second problem is that I want to display the student's first and last name using StudentID, but it is not displaying anything using StudentID. Why? I have been trying to solve it, but no success :(
Following is the code for both problems -

PHP Code: [Select]
<?php
// The connection and mysql_select_db() call that set $db_selected precede this and were not included in the post.
if(!$db_selected)
{
    // mysql_err() does not exist; the function that returns the last error text is mysql_error()
    die("Can not use " . DB_NAME . ':' . mysql_error());
}
@$Stud_ID = $_POST['Stud_ID'];
?>

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <link rel="stylesheet" type="text/css" href="ACSDP.css" />
    <title>Student Main Page</title>
</head>
<body>
<h1>Welcome to Undergraduate Student Main Page</h1>
<form name="mainpage" method='POST'>
    <table>
        <tr>
            <td><label id="Stud_ID2" for="Stud_ID"> Student ID <?php echo "is:" . " " . @$Stud_ID ?> </label></td>
            <td><label id="degree">Degree: Computer Science</label></td>
        </tr>
        <tr>
            <td><label id="name"> Student Name: <?php
                // $Stud_ID comes straight from $_POST and is interpolated, unescaped, into the SQL string
                $query2 = mysql_query("SELECT Stud_Lastname, Stud_Firstname FROM Student WHERE Stud_ID='$Stud_ID'") or die('wrong query' . mysql_error());
                while($row = mysql_fetch_array($query2))
                {
                    echo $row['Stud_Lastname'] . " " . $row['Stud_Firstname'];
                }
            ?></label></td>
        </tr>
    </table>
</form>
</body>
</html>


Moderator Edit (jSherz): Placed the code into PHP tags and then put the statements in bold below:
I have made those statements bold.

PHP Code: [Select]
<?php echo "is:" ." ". @$Stud_ID?>
PHP Code: [Select]
$query2 =mysql_query("SELECT Stud_Lastname, Stud_Firstname FROM Student WHERE Stud_ID='$Stud_ID'") or die('wrong query'.mysql_error());
« Last Edit: January 16, 2012, 11:43:35 AM by jSherz »

RaythXC

  • PHP Programmer & Web-Designer
  • Expert PHP Helper
  • Senior Member
  • Posts: 395
  • Karma: 10
  • Freelance PHP Programmer/Web-Designer
    • Rayth.Info
Re: mysql
« Reply #1 on: January 15, 2012, 11:16:14 PM »
Why do you have @ before the variable?
RaythXC - My Home Site
Note: most answers I give come from the php manual located at PHP.Net

jSherz

  • Expert PHP Helper
  • Senior Member
  • Posts: 409
  • Karma: 4
    • jSherz.com
Re: mysql
« Reply #2 on: January 16, 2012, 11:46:59 AM »
You should check that the $_POST field is defined first (use the isset function).

PHP Code: [Select]
if(isset($_POST['Stud_ID'])) {
    // You should do some validation on the ID here as well
    $Stud_ID = $_POST['Stud_ID'];
} else {
    // Do nothing or display an error
    // You could also set a default value:
    $Stud_ID = 0;
}


You're also using a value directly from $_POST without validating or sanitizing it. This leaves you vulnerable to SQL injection. One solution is to use mysql_real_escape_string:

PHP Code: [Select]
if(isset($_POST['Stud_ID'])) {
    // You should do some validation on the ID here as well
    $Stud_ID = mysql_real_escape_string($_POST['Stud_ID']);
} else {
    // Do nothing or display an error
    // You could also set a default value:
    $Stud_ID = 0;
}
Looking for PHP tutorials? View mine. Please use code or PHP tags in your posts.
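An added example, not code from the thread or from either poster: the injectable lookup from the first post placed beside a hardened version that validates the ID and then binds it with a prepared statement, which is the stronger fix for the SQL injection jSherz points out. It uses PDO with an in-memory SQLite database as a stand-in for the MySQL Student table so it runs offline with `php file.php`; the table and column names are the thread's, while the rows, the assumed 1-10 digit ID format and the attacker payload are constructed for the demo. The mysql_* functions used in the thread were deprecated in PHP 5.5 and removed in PHP 7, so PDO (or mysqli) with bound parameters is also what you would write today.

```php
<?php
// Added example, not code from the thread. Shows the SQL injection in the first
// post's $query2 next to a hardened lookup (validate, then bind). An in-memory
// SQLite database via PDO stands in for the MySQL "Student" table so this runs
// offline; table and column names are the thread's, the rows are constructed.
declare(strict_types=1);

function openSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on SQL errors instead of returning false (the thread's code relies on "or die").
    // On a real MySQL connection also set PDO::ATTR_EMULATE_PREPARES to false so
    // parameters are bound server-side rather than spliced into the SQL client-side.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Student (Stud_ID INTEGER PRIMARY KEY, Stud_Lastname TEXT, Stud_Firstname TEXT)');
    $db->exec("INSERT INTO Student VALUES (1001, 'Smith', 'Ann'), (1002, 'Jones', 'Bob')"); // constructed rows
    return $db;
}

// VULNERABLE: the same string interpolation as the original post. Whatever the
// client sent in Stud_ID becomes part of the SQL text the database parses.
function lookupUnsafe(PDO $db, string $studId): array
{
    $sql = "SELECT Stud_Lastname, Stud_Firstname FROM Student WHERE Stud_ID='$studId'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter only: the value travels separately from the SQL text, so quotes
// and OR clauses inside it are just characters compared against Stud_ID.
function lookupPrepared(PDO $db, string $studId): array
{
    $stmt = $db->prepare('SELECT Stud_Lastname, Stud_Firstname FROM Student WHERE Stud_ID = :id');
    $stmt->execute([':id' => $studId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate first, then bind. Rejecting malformed IDs before any query runs means
// the user sees "invalid ID" rather than a database error, and the bound value
// has the column's type. Assumption (not stated in the thread): IDs are 1-10 digits.
// Returns null for a rejected ID, [] for no such student, or the row.
function lookupSafe(PDO $db, $studId): ?array
{
    if (!is_string($studId) || !preg_match('/\A[0-9]{1,10}\z/', $studId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT Stud_Lastname, Stud_Firstname FROM Student WHERE Stud_ID = :id');
    $stmt->bindValue(':id', (int) $studId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? [] : $row;
}

$db = openSampleDb();

$payload = "' OR '1'='1";               // constructed attacker input for the demo
// `??` gives null/default when the form did not send Stud_ID, with no notice to
// suppress; from the CLI there is no POST data, so the payload is used.
$input = $_POST['Stud_ID'] ?? $payload;

printf("unsafe   : %d rows returned for %s\n", count(lookupUnsafe($db, $input)), $input);
printf("prepared : %d rows returned for %s\n", count(lookupPrepared($db, $input)), $input);
echo "validated: ", lookupSafe($db, $input) === null ? "rejected before any SQL ran" : "query ran", "\n";

$row = lookupSafe($db, '1001');
echo "validated, 1001: ", $row['Stud_Lastname'], ' ', $row['Stud_Firstname'], "\n";
echo "validated, 9999: ", lookupSafe($db, '9999') === [] ? "no such student" : "found", "\n";
```

With the payload, the interpolated query becomes `WHERE Stud_ID='' OR '1'='1'` and returns every student; the prepared statement compares the whole string against Stud_ID and returns nothing; the validated version never reaches the database. mysql_real_escape_string, as suggested above, only escapes quote characters and depends on the connection's character set, so it is a weaker defence than a bound parameter and is not available at all on PHP 7 or later.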