#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    9
    Rep Power
    0

    Help with Switch


    Hello to all. I have made a database with 2 tables. The table "unit" and the table "product". So in me first page the user select the unit
    of the product. This unit storing in the table product. In the edit page I want to show the unit that user select selected. My code is:
    PHP Code:
    $ekdresultmysql_query ("SELECT * FROM unit);
    $ekdresult=mysql_query($ekdquery
    or die ("
    Query to get data from firsttable failed".mysql_error());
        while (
    $ekdorow=mysql_fetch_array($ekdresult))                   {$unit=$ekdorow[unit];
    }


    $result = mysql_query ("SELECT FROM product WHERE id "$id");
    while (
    $row=mysql_fetch_array($result))
    {
    $product =$row["product "]; 

    switch(
    $unit)
    {
        case 
    '$product';
        
    $selected_opt '
        <option selected = "selected">' 
    .$product '</option>
        <option >'
    .$unit.'</option>
        '
    ;
        break;
        default;
            
    $selected_opt '
            <option >'
    .$unit.'</option>
            '
    ;
    }

    But my code is wrong. What am I doing wrong; I'm new in php (this is my second program), so please be kind with me.
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,910
    Rep Power
    1045
    Hi,

    you should get accustomed to using the PHP manual when you're not sure about how something works:
    PHP: switch - Manual

    There's also Google and many, many tutorials. Most of them are exceptionally bad, but they tend to at least get the basics right.

    To cut it short: You need a colon after "case ..." and "default", not a semicolon (which terminates a statement).

    Apart from that, there are severe security problems with your code. When you just dump user input into SQL queries and HTML markup, you allow attackers to manipulate the queries and inject JavaScript respectively (known as SQL injections and cross-site scripting).

    So you need to prepare the user input first to make sure it doesn't get interpreted as actual code. In the case of HTML, you need to use htmlentities() to escape special characters like "<". In the case of SQL, you need to use so called "prepared statements", which allow you to safely pass values to SQL queries.

    Note that the old "mysql_" functions do not support prepared statements. These functions are generally obsolete and will die out sooner or later (even though they're still being used by sh*tty tutorials). Choose one of the contemporary database extensions. In your case you can either use PDO or the MySQLi extension.

    This is how you'd rewrite the product query using the PDO interface:

    PHP Code:
    <?php

    // connect to database (put this in a separate file)
    $connection_parameters 'mysql:host=127.0.0.1;dbname=your_db';
    $user 'your_user';
    $password 'your_password';

    try {
        
    $database = new PDO($connection_parameters$user$password);
    } catch (
    PDOException $e) {
        die(
    'Could not connect to database');
    }

    // create prepared statement for query (with ":id" being a parameter)
    $product_statement $database->prepare('
        SELECT
            product
        FROM
            product
        WHERE
            id = :id
    '
    );
    // pass value to :id parameter and execute statement
    $product_statement->execute(array(
        
    'id' => $id
    ));
    // fetch rows
    while ($product_row $product_statement->fetch()) {
        ...
    }
    There are some other issues, but I guess you wanna read the stuff above first.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    9
    Rep Power
    0
    Thank you for your suggestions. I will update my code!

IMN logo majestic logo threadwatch logo seochat tools logo