1

I'm trying to use PHP to pass HTML form data to a MYSQL db and return the data to the browser. By submitting checked permissions (M1,M2,MN1..) i want to display Names of instructors who have those permissions. Now, please tell me what is wrong with the code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head><body>
<form action="akcja.php" method="post">    
<br /><br /><br />
<table>
<tr><th><br/><input type="checkbox" id="check" name="M1" value="M1,">m1</th> 
<th><br/><center><input type="checkbox" id="check" name="M2" value="M2,">m2</center></th> 
<th><br/><center><input type="checkbox" id="check" name="MN1" value="MN1,"> mn1    </center></th> </tr></table>
<input type="submit" name="submit" value="Search Database" />
</form>
</body>
</html>



<?php
$query = mysql_query("SELECT * FROM permissions WHERE m LIKE '".$_POST['M1']."' OR m LIKE '".$_POST['M2']."' OR mn LIKE '".$_POST['MN1']."' ");  
if($query)
    while($permissions = mysql_fetch_assoc($query)){
        $query2 = mysql_query("SELECT name_surname FROM instruktorzy WHERE instruktor_id='".$permissions['instruktor_id']."'");  
        while($Mdwa = mysql_fetch_assoc($query2)){
            echo "<p style=\"font-size: 14px; font-family: Helvetica; background-color: #FFFFFF\"> ".$Mdwa['name_surname']."<br />" ; "</p>" ;
        }
    }
?>
Improve this question
7
  • 3
    Aside from using insecure SQL query building and mysql_ not sure without you saying whats not work. Commented Aug 20, 2012 at 13:31
  • 3
    Don't ever store $_POST variables without sanitizing your data. You are completely open to SQL Injection. Commented Aug 20, 2012 at 13:31
  • 2
    Yea you should use something like: $m2 = isset($_POST['M2']) ? $_POST['M2'] : null to stop E_NOTICE errors like that Commented Aug 20, 2012 at 13:36
  • 2
    Additional info on sanitizing: net.tutsplus.com/tutorials/php/… if ($_POST['m1']) { $conditional .= 'm LIKE ' . sanitize($_POST['m1']); } You need to conditionally build that query. $query = 'SELECT * FROM permissions WHERE m LIKE ' . $conditional; Commented Aug 20, 2012 at 13:39
  • 2
    It may not help answer your question, but you should stop using mysql_* functions. They're being deprecated. Instead use PDO (supported as of PHP 5.1) or mysqli (supported as of PHP 4.1). If you're not sure which one to use, read this article. Commented Aug 20, 2012 at 13:52

2 Answers 2

Reset to default
2

This is how I see a cleaner way of orientating your code. I should note this was just quickly slapped together without any tools so don't copy and paste.

$connection = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'awesome_user', 'love123');

$query_obj = $connection->prepare("SELECT permissions.*, instruktorzy.name_surname 
    FROM permissions 
    LEFT JOIN instruktorzy ON instruktorzy.instruktor_id = permissions.instruktor_id  
    WHERE permissions.m IN (:m1, :m2) OR permissions.mn LIKE :mn1 LIMIT 100");
$query_obj->setFetchMode(PDO::FETCH_ASSOC);

// You will need something a little more complex here to deal with missing data, 
// I am just putting in what is required to get it working if the 
// entire $_POST is set
$query_obj->bindValue(':m1', isset($_POST['M1']) ? $_POST['M1'] : null);
$query_obj->bindValue(':m2', isset($_POST['M2']) ? $_POST['M2'] : null);
$query_obj->bindValue(':mn1', isset($_POST['MN1']) ? $_POST['MN1'] : null);

$query_obj->execute();

foreach($query_obj as $k => $row){
    echo '<p style="font-size: 14px; font-family: Helvetica; 
        background-color: #FFFFFF"> '.$row['name_surname'].'<br /></p>' ;
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

-2

The below code is a more clean way of doing things. Its been a long time since I used it in this way, but it might help you solve your problem since its probably because you use a queryloop in a queryloop. (not sure but wouldn't hurt if you do it like I did.

$permissions = Array();
$query = mysql_query("SELECT * FROM permissions WHERE m LIKE '" . $_POST['M1'] . "' OR m LIKE '" . $_POST['M2'] . "' OR mn LIKE '" . $_POST['MN1'] . "' ");
if ($query) {
  while ($row = mysql_fetch_assoc($query)) {
    array_push($permissions, $row);
  }
}
foreach ($permissions AS $key => $permission) {
  $query = mysql_query("SELECT name_surname FROM instruktorzy WHERE instruktor_id='" . $permission['instruktor_id'] . "'");
  if ($query) {
    while ($row = mysql_fetch_assoc($query2)) {
      echo "<p style=\"font-size: 14px; font-family: Helvetica; background-color: #FFFFFF\"> ".$Mdwa['name_surname']."<br />" ; "</p>" ;
    }
  }
}
Improve this answer

2 Comments

This script uses up more memory and resources than the verison posted doesn't it?
I don't think it's good practice to execute a query within a loop either.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.