Help with Switch - Dev Shed

Dev Shed Forums Sponsor:

December 18th, 2012, 08:32 PM

qwert678

Registered User

Join Date: Dec 2012

Posts: 9

Time spent in forums: 2 h 56 m 31 sec
Reputation Power: 0

PHP5 - Help with Switch

Hello to all. I have made a database with 2 tables. The table "unit" and the table "product". So in me first page the user select the unit
of the product. This unit storing in the table product. In the edit page I want to show the unit that user select selected. My code is:

PHP Code:


		
			
 $ekdresult= mysql_query ("SELECT * FROM unit);

$ekdresult=mysql_query($ekdquery) 

or die ("Query to get data from firsttable failed: ".mysql_error());

    while ($ekdorow=mysql_fetch_array($ekdresult))                   {$unit=$ekdorow[unit];

}



$result = mysql_query ("SELECT * FROM product WHERE id = "$id");

while ($row=mysql_fetch_array($result))

{

$product =$row["product "]; 



switch($unit)

{

    case '$product';

    $selected_opt = '

    <option selected = "selected">' .$product . '</option>

    <option >'.$unit.'</option>

    ';

    break;

    default;

        $selected_opt = '

        <option >'.$unit.'</option>

        ';

}

}

But my code is wrong. What am I doing wrong; I'm new in php (this is my second program), so please be kind with me.

December 19th, 2012, 12:26 AM

Jacques1

pollyanna

Join Date: Jul 2012

Location: Germany

Posts: 1,867

Time spent in forums: 1 Month 2 Weeks 1 Day 22 h 33 m 7 sec
Reputation Power: 813

Hi,

you should get accustomed to using the PHP manual when you're not sure about how something works:
PHP: switch - Manual

There's also Google and many, many tutorials. Most of them are exceptionally bad, but they tend to at least get the basics right.

To cut it short: You need a colon after "case ..." and "default", not a semicolon (which terminates a statement).

Apart from that, there are severe security problems with your code. When you just dump user input into SQL queries and HTML markup, you allow attackers to manipulate the queries and inject JavaScript respectively (known as SQL injections and cross-site scripting).

So you need to prepare the user input first to make sure it doesn't get interpreted as actual code. In the case of HTML, you need to use htmlentities() to escape special characters like "<". In the case of SQL, you need to use so called "prepared statements", which allow you to safely pass values to SQL queries.

Note that the old "mysql_" functions do not support prepared statements. These functions are generally obsolete and will die out sooner or later (even though they're still being used by sh*tty tutorials). Choose one of the contemporary database extensions. In your case you can either use PDO or the MySQLi extension.

This is how you'd rewrite the product query using the PDO interface:

PHP Code:


		
			
<?php



// connect to database (put this in a separate file)

$connection_parameters = 'mysql:host=127.0.0.1;dbname=your_db';

$user = 'your_user';

$password = 'your_password';



try {

    $database = new PDO($connection_parameters, $user, $password);

} catch (PDOException $e) {

    die('Could not connect to database');

}



// create prepared statement for query (with ":id" being a parameter)

$product_statement = $database->prepare('

    SELECT

        product

    FROM

        product

    WHERE

        id = :id

');

// pass value to :id parameter and execute statement

$product_statement->execute(array(

    'id' => $id

));

// fetch rows

while ($product_row = $product_statement->fetch()) {

    ...

}

There are some other issues, but I guess you wanna read the stuff above first.

December 19th, 2012, 07:39 PM

qwert678

Registered User

Join Date: Dec 2012

Posts: 9

Time spent in forums: 2 h 56 m 31 sec
Reputation Power: 0

Thank you for your suggestions. I will update my code!

PHP5 - Help with Switch

Developer Shed Advertisers and Affiliates