December 3rd, 2013, 11:16 AM
Problem with data fetching from database using session mechanism
I want to fetch rows from the database and display them as output on a PHP-scripted web page: the rows that result from matching the data entered in a text box in the form against the table in a database. But it's somehow not happening. Below is some code I use.
1) This is the form:
<form action = "linkpage.php" method = "post">
<input type = "text" name = "from" id = "from"/>
<input type = "text" name = "to" id = "to"/>
2) This is the PHP code for the form:
$nor=mysql_num_rows(mysql_query("select * from bus where to_here='".$_POST['to']."' and from_here='".$_POST['from']."'"));
$_SESSION['from'] = $_POST['from'];
3) And this is the actual PHP code through which I want to fetch rows from the database and display them as output.
Below is the query which I use in the same PHP script as above:
$sql = "SELECT id, from_here, to_here, ac, nonac FROM bus WHERE image= '".$_POST['depart']."' AND fair = '".$_POST['return']."'";
When I don't use $_POST and use the typical WHERE clause, it works fine, but when I use $_POST it doesn't work, so I think the problem is in my understanding of using sessions and session variables.
December 3rd, 2013, 11:33 AM
I already told you that your way of accessing the database is very wrong and very dangerous. It might be a good idea to take that seriously.
Right now, you're giving the whole world direct access to your database system and possibly the whole server. You need to fix that.
Apart from that, I have a hard time understanding your code. So the third script is searched_bus.php which you redirect to after you've processed the form? Then where are the POST values supposed to come from? You never send data to that script.
December 3rd, 2013, 03:37 PM
I completely agree with Jacques. Fix your security holes before going any farther. Seriously. They will be exponentially harder to fix the more code you write.
Go do it. We'll wait.
That being said, your code in number 3 makes me shudder a bit. Why are you directing traffic based on session contents? That's probably a bad idea, but outside of that, it indicates that you probably have a bad design going. Why load a page that checks session data and then loads a different page? Why not just direct your traffic wherever the session data is being set in the first place? It just seems like this might be indicative of a poor underlying design.
In addition to the security stuff already mentioned (and maybe this has been too) you should not be putting POST values directly into your queries. Big no-no. At the very least, you should use prepared statements for this. You're opening yourself up to a world of problems. Since POST data is easy to change and spoof, you can't even count on front-end validation for protection.
December 4th, 2013, 12:38 PM
Hey, first of all thanks for your response. Actually I'm trying to match the form data with the database. If the rows containing the data exist in the database, then I want to display those rows in my searched_bus.php file. And I'm just a trainee in PHP, working on a localhost server at this time.
The code which I use, and as I tried to explain above, works, but it displays the whole table in searched_bus.php. Instead I want to display just the rows which contain the data relevant to what I entered into the form, and my form file name is homepage1.php. I'm just confused, but still trying. I'm learning and knowing more things in detail.
December 4th, 2013, 12:56 PM
Well, like we already said, you first need to get your database code right and fix the security holes. That's the very first step.
When that's done, you should post your complete code and explain it a bit more. Right now, it doesn't make a lot of sense. You said you want to select database rows based on the values of a form. But instead of simply sending the form data to the target script (searched_bus.php), you send it to some other script (linkpage.php), store some (but not all) form data in the session and then redirect to the actual script. In this script, however, you don't seem to use the session values but instead try to access the original POST values (which no longer exist at this point). Um, what?
Using POST isn't really appropriate here, anyway. This is about fetching data, so you should be using GET.
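An added example, not code from any poster in this thread: one way the advice in the replies (a prepared statement, with the form submitting by GET directly to searched_bus.php) could look using PDO. The in-memory SQLite database (requires the pdo_sqlite extension), its sample rows and the helper names demoConnection and searchBuses are assumptions made so the script runs offline.

```php
<?php
declare(strict_types=1);

// Assumption: an in-memory SQLite database with constructed rows stands in for
// the MySQL server so the script runs offline. For MySQL use a DSN such as
// "mysql:host=localhost;dbname=...;charset=utf8mb4" and set
// PDO::ATTR_EMULATE_PREPARES to false.
function demoConnection(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE bus (id INTEGER PRIMARY KEY, from_here TEXT, to_here TEXT, ac INTEGER, nonac INTEGER)');
    $pdo->exec("INSERT INTO bus (from_here, to_here, ac, nonac) VALUES
        ('Pune', 'Mumbai', 450, 300), ('Pune', 'Nashik', 400, 250), ('Delhi', 'Agra', 500, 350)");
    return $pdo;
}

// $params is the request array ($_GET in searched_bus.php).
function searchBuses(PDO $pdo, array $params): array
{
    $from = $params['from'] ?? null;
    $to   = $params['to'] ?? null;
    // Reject missing or non-string input (e.g. ?from[]=x arrives as an array).
    if (!is_string($from) || !is_string($to) || $from === '' || $to === '') {
        return [];
    }
    // Placeholders keep the values out of the SQL text; they are sent as data.
    $stmt = $pdo->prepare(
        'SELECT id, from_here, to_here, ac, nonac FROM bus
         WHERE from_here = :from_here AND to_here = :to_here'
    );
    $stmt->execute([':from_here' => $from, ':to_here' => $to]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demoConnection();
// Constructed requests: a normal search, and a value containing quote characters.
$requests = [
    ['from' => 'Pune', 'to' => 'Mumbai'],
    ['from' => "Pune' OR '1'='1", 'to' => 'Mumbai'],
];
foreach ($requests as $request) {
    $rows = searchBuses($pdo, $request);
    printf("%-20s -> %d row(s)\n", $request['from'], count($rows));
    foreach ($rows as $row) {
        // Escape on output as well, since the values end up in an HTML page.
        echo '  ', htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

In searched_bus.php the call would be searchBuses($pdo, $_GET), with the form using method="get" and action="searched_bus.php" so no session or redirect is needed to carry the search values.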