#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2014
    Posts
    40
    Rep Power
    4

    PHP / HTML Table Odity


    Hi All,

    I am hoping you can help me, I have the PHP Code below:

    PHP Code:
    <?php

    $_SESSION
    ["Category_ID1"] = (int)$_POST["Category_ID1"];
    $id1 $_SESSION["Category_ID1"];
    $_SESSION["Category_ID2"] = (int)$_POST["Category_ID2"];
    $id2 $_SESSION["Category_ID2"];
    echo 
    $id1;
    echo
    "<br>";
    echo 
    $id2;
    echo
    "<br>";
    require_once(
    'db_init.php');

                        
    $con mysqli_connect($DBHOST$DBUSER$DBPASS$DBNAME) or die('Could not connect to database server.');

    if (
    mysqli_connect_errno())
    {
    echo 
    "Failed to connect to MySQL: " mysqli_connect_error();
    }

    $strsql "SELECT c.Client_ID AS Client_ID, c.Title, c.Forenames, c.Surname, c.Company, cc.Client_Category_ID, lc.Category_ID , lc.Category, lc2.Category_ID , lc2.Category FROM tblClient AS c INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID INNER JOIN tblClient_Category AS cc2 ON cc2.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc2 ON lc2.Category_ID = cc2.Category_ID WHERE cc2.Category_ID = $id1 AND cc.Category_ID = $id2 GROUP BY c.Surname, c.Client_ID ASC";
    //$strsql = "SELECT c.Title, c.Forenames, c.Surname, c.Company, cc.Client_Category_ID, lc.Category_ID , lc.Category FROM tblClient AS c INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID WHERE cc.Category_ID = $id1 GROUP BY c.Surname, c.Client_ID ASC";

    echo $strsql;
    echo
    "<br>";
    $raw_results mysqli_query($con,$strsql);

    if(
    mysqli_num_rows($raw_results) > 0){
    echo 
    "<table border='1'>";
    echo 
    "<tr>";
    echo
    "<th>Edit</th><th>Title</th><th>Forenames</th><th>Surname</th><th>Company</th>";
    echo 
    "</tr>";

    while(
    $results mysqli_fetch_array($raw_results)){
    echo 
    "<tr>";
                
    //echo"<td>";
                //echo"<form action=\"clientframe.php\" method=\"post\" enctype=\"multipart/form-data\" target=\"frame_e\">";
                //echo"<input type=\"hidden\" name=\"Client_ID\" value=".$results['Client_ID'].">";
                //echo"<input style=\"background-color: #4CAF50\" type=\"submit\" value=\"View\">";  
                //echo"</form>";
                //echo"</td>";
    echo "<td>";
    echo 
    $results['Title'];
    echo
    "</td>";
    echo 
    "<td>";
    echo 
    $results['Forenames'];
    echo
    "</td>";
    echo 
    "<td>";
    echo 
    $results['Surname'];
    echo
    "</td>";
    echo 
    "<td>";
    echo 
    $results['Company'];
    echo
    "</td>";
    echo 
    "</tr>";
    }
    echo 
    "</table>";
    }
            else{ 
    // if there is no matching rows do following
                
    echo "No results";
            }

    //mysqli_close($con);
    ?>
    In my web browser it echo's te right values, presents the SQL statement with the variables in place, and looks OK.
    When I view the page source though it's echoing 0's, inserting 0's in the SQL script, and showing "No Results" in the page source.

    Code:
    <!DOCTYPE html>
    <html>
        <head> 
            <title>View Category Contacts</title>
            <link rel="stylesheet" href="nfsdb.css" type="text/css">
        </head>
        <body>
    
    0<br>0<br>
    
    SELECT c.Client_ID AS Client_ID, c.Title, c.Forenames, c.Surname, c.Company, cc.Client_Category_ID, lc.Category_ID , lc.Category, lc2.Category_ID , lc2.Category FROM tblClient AS c INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID INNER JOIN tblClient_Category AS cc2 ON cc2.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc2 ON lc2.Category_ID = cc2.Category_ID WHERE cc2.Category_ID = 0 AND cc.Category_ID = 0 GROUP BY c.Surname, c.Client_ID ASC<br>No results        
        </body>
    </html>
    This only poses me a problem as I'm currently trying to debug why a clickable "view" button that I had on each line wasn't working, which if the page doesn't think the data is there, then that'd do it.

    But why is this displaying OK to the user in the browser?

    This seems odd, any assistance much apprecaited.

    Many Thanks,
    Graham
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2017
    Location
    Worldwide
    Posts
    30
    Rep Power
    1
    Right off I see that you are missing session_start.
  4. #3
  5. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2016
    Posts
    105
    Rep Power
    65
    Are you using Chrome as your 'testing' browser? If so, this is a result of the Chrome developers not being smart enough to be able to show the page source without re-requesting the page. When they make this separate request, they use a get request (you can echo $_SERVER['REQUEST_METHOD'] on your page to see this happening) and no post data is submitted. This doesn't occur if using FireFox, they display the view source of the page that's already in the browser without re-requesting it.

    So, two things -

    1) Don't use Chrome as your testing browser and expect the view source to work with a post method form.

    2) You are determining what will be displayed on the page. You should use a get method form, not a post method form. When using a get method form, this will work as expected in Chrome since the url that gets re-requested contains the form field values and your code will receive the data it expects.

    Edit: Also, using the proper get method will eliminate the need for session variables and make your pages search engine friendly. URL's/URI's should uniquely identify what content a page will display and search engines don't propagate session ids.
    Last edited by DSmabismad; November 29th, 2017 at 03:39 PM.
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2017
    Location
    Worldwide
    Posts
    30
    Rep Power
    1
    EDIT: Deleted incorrect response

    The OP does not have error reporting turned on so he is not seeing that his query that is vulnerable to an SQL Injection Attack is failing. The query depends on variables that are redundant session variables that will not work since he is missing session_start. The whole thing is very poorly written.

    OP, turn on error reporting and ALWAYS have it on when you are developing.
  8. #5
  9. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2014
    Posts
    40
    Rep Power
    4
    Thanks for the assistance with this,

    I found a solution workaround this morning - I can' explain it but I've had to use multiple pages to click through and collect the variable, rather than just doing it over one click, so this is what I've ended up with...

    Step one:

    PHP Code:
            <form action="multiplesearch22.php" method="post" enctype="multipart/form-data" target="frame_d" id="usrfrm">
            <?php
            
    require_once('db_init.php');

                        
    $conn mysqli_connect($DBHOST$DBUSER$DBPASS$DBNAME) or die('Could not connect to database server.');
                        
    $sql "SELECT * FROM tblLookUp_Category GROUP BY Category, Category_ID ASC";
                        
                        echo 
    "Choose Category 1: ";
                        
    $result mysqli_query($conn,$sql);
                        echo 
    "<select name=\"Category_ID1\" form=\"usrfrm\">";
                        while (
    $row mysqli_fetch_array($result)) {
                        echo 
    "<option value='" $row['Category_ID'] . "'>" $row['Category'] . "</option>";
                        }
                        echo 
    "</select>";
                        
                        
                    
    ?>
                <input style="background-color: #4CAF50" type="submit" value="Select Category">
    Step two:

    PHP Code:
    <form action="multiplesearch3.php" method="post" enctype="multipart/form-data" target="frame_e" id="usrfrm">
            <?php
            $_SESSION
    ["Category_ID1"] = (int)$_POST["Category_ID1"];
            
    //echo $_SESSION["Category_ID1"];
            
    require_once('db_init.php');

                        
    $conn mysqli_connect($DBHOST$DBUSER$DBPASS$DBNAME) or die('Could not connect to database server.');
                        
    $sql "SELECT * FROM tblLookUp_Category GROUP BY Category, Category_ID ASC";
                        
                        
                        
    $result mysqli_query($conn,$sql);
                        echo 
    "Choose Category 2: ";
                        echo 
    "<select name=\"Category_ID2\" form=\"usrfrm\">";
                        while (
    $row mysqli_fetch_array($result)) {
                        echo 
    "<option value='" $row['Category_ID'] . "'>" $row['Category'] . "</option>";
                        }
                        echo 
    "</select>";
                        
                        
                    
    ?>
                <input style="background-color: #4CAF50" type="submit" value="Select Category">
            </form>
    Step three:

    PHP Code:
            <form action="multiplesearch33.php" method="post" enctype="multipart/form-data" target="frame_e" id="usrfrm">
            <?php
            
            
            
    //$_SESSION["Category_ID1"] = (int)$_POST["Category_ID1"];
            //echo $_SESSION["Category_ID1"];
            //echo "<br>";
            
    $_SESSION["Category_ID2"] = (int)$_POST["Category_ID2"];
            
    //echo $_SESSION["Category_ID2"];
            //echo "<br>";
            
    $id1 $_SESSION["Category_ID1"];
            
    $id2 $_SESSION["Category_ID2"];
            
    //echo $id1;
            //echo "<br>";
            //echo $id2;
            
    ?>
            <input style="background-color: #4CAF50" type="submit" value="Search">
            </form>
    Step 4
    PHP Code:
    <?php

            
    //$_SESSION["Category_ID1"] = (int)$_POST["Category_ID1"];
            //echo $_SESSION["Category_ID1"];
            //echo "<br>";
            //$_SESSION["Category_ID2"] = (int)$_POST["Category_ID2"];
            //echo $_SESSION["Category_ID2"];
            //echo "<br>";
            
    $id1 $_SESSION["Category_ID1"];
            
    $id2 $_SESSION["Category_ID2"];
            
    //echo $id1;
            //echo "<br>";
            //echo $id2;
            
            
    require_once('db_init.php');
            
    $con mysqli_connect($DBHOST$DBUSER$DBPASS$DBNAME) or die('Could not connect to database server.');

            
    if (
    mysqli_connect_errno())
    {
    echo 
    "Failed to connect to MySQL: " mysqli_connect_error();
    }
    $strsql "SELECT c.Client_ID AS Client_ID, c.Title, c.Forenames, c.Surname, c.KnownAs, c.Company, c.Address_line1, c.Address_line2, c.Address_line3, c.Address_Town, c.Address_County, c.Address_Postcode, c.Address_Country, c.Telephone_Primary, c.Telephone_Secondary, c.EMail_Primary, c.Email_Secondary, cc.Client_Category_ID, lc.Category_ID , lc.Category, lc2.Category_ID , lc2.Category FROM tblClient AS c INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID INNER JOIN tblClient_Category AS cc2 ON cc2.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc2 ON lc2.Category_ID = cc2.Category_ID WHERE cc2.Category_ID = $id1 AND cc.Category_ID = $id2 GROUP BY c.Surname, c.Client_ID ASC";
    $result mysqli_query($con,$strsql);

    echo 
    "<table border='1'>
    <tr>
    <th>Edit</th>
    <th>Title</th>
    <th>Forenames</th>
    <th>Surname</th>
    <th>Company</th>
    </tr>"
    ;

    while(
    $row mysqli_fetch_array($result))
    {
    echo 
    "<tr>";
                 echo
    "<td>";
                echo
    "<form action=\"clientframe.php\" method=\"post\" enctype=\"multipart/form-data\" target=\"frame_e\">";
                echo
    "<input type=\"hidden\" name=\"Client_ID\" value=".$row['Client_ID'].">";
                echo
    "<input style=\"background-color: #4CAF50\" type=\"submit\" value=\"View\">";  
                echo
    "</form>";
                 echo
    "</td>";
    echo 
    "<td>" $row['Title'] . "</td>";
    echo 
    "<td>" $row['Forenames'] . "</td>";
    echo 
    "<td>" $row['Surname'] . "</td>";
    echo 
    "<td>" $row['Company'] . "</td>";
    echo 
    "</tr>";
    }
    echo 
    "</table>";
            
            
    ?>
    I can't explain why this has needed this click-through process to "commit" the variable values as it were, but this has got me out of a sticky spot...

    Many Thanks,
    Graham
  10. #6
  11. Wiser? Not exactly.
    Devshed God 2nd Plane (6000 - 6499 posts)

    Join Date
    May 2001
    Location
    Bonita Springs, FL
    Posts
    6,123
    Rep Power
    4103
    Originally Posted by benanamen
    That is just incorrect, but I am not even going to bother getting into it.
    I'll get into it, to say that it's not really incorrect. A request that just SELECT's data for viewing and doesn't change it in any way should typically be done using a GET request, not a POST. POST is generally for requests that cause a change in data on the server to occur.

    One could argue that the session being changed calls for a POST request. In this particular instance I'd argue why is a session being used at all. It seems unnecessary with the information shown.

    I can't explain why this has needed this click-through process to "commit" the variable values as it were, but this has got me out of a sticky spot...
    Probably because you're trying to do some weird "pass data through the session" setup instead of just passing normal $_GET (or $_POST) parameters and using them directly.

    On a side note, work on cleaning up your code. PHP at the top, HTML at the bottom is a good way to start. Protect yourself from SQL Injection also.

    Code:
    <?php
    require_once('db_init.php');
    $conn = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME) or die('Could not connect to database server.');
    $sql = "SELECT * FROM tblLookUp_Category GROUP BY Category, Category_ID ASC";
    $result = mysqli_query($conn,$sql);
    $categoryList = [];
    while ($row = mysqli_fetch_array($result)) {
        $categoryList[] = $row;
    }
    ?>
    <form action="multiplesearch.php" method="get">
    Choose Category 1: <select name="Category_ID1">
    <?php foreach ($categoryList as $category): ?>
        <option value='<?=$category['Category_ID']?>'><?=$category['Category']?></option>
    <?php endforeach; ?>
    </select>
    <br>
    Choose Category 2: <select name="Category_ID2">
    <?php foreach ($categoryList as $category): ?>
        <option value='<?=$category['Category_ID']?>'><?=$category['Category']?></option>
    <?php endforeach; ?>
    </select>
    <input style="background-color: #4CAF50" type="submit" value="Search">
    Code:
    if (isset($_GET['Category_ID1'], $_GET['Category_ID2'])){
    	$id1 = mysqli_real_escape_string($con, $_GET['Category_ID1']);
    	$id2 = mysqli_real_escape_string($con, $_GET['Category_ID2']);
    
    	$strsql = "
    	SELECT c.Client_ID AS Client_ID, c.Title, c.Forenames, c.Surname, c.KnownAs, c.Company, c.Address_line1, c.Address_line2, c.Address_line3, c.Address_Town, c.Address_County, c.Address_Postcode, c.Address_Country, c.Telephone_Primary, c.Telephone_Secondary, c.EMail_Primary, c.Email_Secondary, cc.Client_Category_ID, lc.Category_ID , lc.Category, lc2.Category_ID , lc2.Category 
    	FROM tblClient AS c 
    	INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID 
    	INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID 
    	INNER JOIN tblClient_Category AS cc2 ON cc2.Client_ID = c.Client_ID 
    	INNER JOIN tblLookUp_Category AS lc2 ON lc2.Category_ID = cc2.Category_ID 
    	WHERE 
    		cc2.Category_ID = $id1 
    		AND cc.Category_ID = $id2 
    	GROUP BY 
    		c.Surname, c.Client_ID ASC
    	";
    	$result = mysqli_query($con,$strsql);
    } else {
        die('No categories selected');
    }
    Recycle your old CD's



    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud
  12. #7
  13. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    May 2017
    Location
    Worldwide
    Posts
    30
    Rep Power
    1
    I'll get into it,
    Yes @kicken, that is correct. I was referring to the OP's code where he is doing an edit. Looking back at the post #3 by @DSmabismad it does say about getting info so no problem. I edited my post to remove the incorrect response.

IMN logo majestic logo threadwatch logo seochat tools logo