  1. #1
    SitePoint Evangelist

    Help getting a price from my database

    Hi. I have created a database called europe and a table called eu_place with the following fields and data:

    id | country | city      | full_price | half_price
    ---|---------|-----------|------------|-----------
     1 | France  | Paris     | 50         | 50
     2 | Spain   | Barcelona | 70         | 85


    Now what I am trying to do is show a user a price based on the country selected from a drop-down list and a city selected from a drop-down list; the user then chooses the full load price or the half load price for that city and it displays the price.

    I have managed to get the user to choose the country and city, and I get the user to choose the full load price or half load price, but I think something is not right with my SQL.

    This is the code that calculates the results; I am not sure if it is to do with the SQL statement.

    PHP Code:
    if ($load == 'full_load') {
        $result = mysql_query("SELECT full_price from eu_place where city = '$subcat' ");
    } else {
        $result = mysql_query("SELECT half_price from eu_place where city = '$subcat' ");
    }
    Here is all the code:

    $cat is the country
    $subcat is the city
    $load is the radio button (full load or half load)

    Hope someone can help. Cheers guys, it's been tearing my hair out.

    PHP Code:
    <?php
    include 'dd.php';
    ?>

    <!doctype html public "-//w3c//dtd html 3.2//en">
    <html>
    <head>
    <title>Demo Multiple drop down list box from plus2net</title>
    </head>
    <body>
    <?php
    // Values submitted by the drop-down lists and the radio button
    $cat    = $_POST['cat'];
    $subcat = $_POST['subcat'];
    $load   = $_POST['load'];
    echo "Value of \$cat = $cat <br>Value of \$subcat = $subcat" . "<BR>";
    echo "Value of \$load = $load";

    // Pick the price column according to the radio button
    if ($load == 'full_load') {
        $result = mysql_query("SELECT full_price from eu_place where city = '$subcat' ");
    } else {
        $result = mysql_query("SELECT half_price from eu_place where city = '$subcat' ");
    }

    echo mysql_error();
    // mysql_fetch() is not a PHP function (see the reply below)
    while ($row = mysql_fetch($result)) {
        echo $row;
    }
    ?>
    </body>
    </html>

  2. #2
    Dan Grossman
    The query is OK (but vulnerable to SQL injection attacks), but there is no function called mysql_fetch.

    Try this:

    PHP Code:
    $result = mysql_query("SELECT full_price, half_price FROM eu_place WHERE city = '" . mysql_real_escape_string($subcat) . "'") or die(mysql_error());
    $row = mysql_fetch_array($result);

    if ($load == 'full_load') {
        echo $row['full_price'];
    } else {
        echo $row['half_price'];
    }

  3. #3
    SitePoint Evangelist
    Dan, you are a star, that works a treat. Thanks for your time, much appreciated. What do you mean by vulnerable to attacks?

  4. #4
    SitePoint Addict
    The variables inside your query were not escaped. As a result, someone can manipulate your query by writing SQL into your variable. Search the forums and the internet for "SQL injection" and read:

    http://phpsec.org/projects/guide/3.html#3.2
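
    The following is an added example written by the editor; it is not code from any poster in this thread. It puts the query from post #1 next to a fixed version so the injection that posts #2 and #4 warn about can be seen running. It assumes PDO with an in-memory SQLite database (chosen so it runs offline with no MySQL server; the thread's own code uses the old mysql_* extension, which was removed in PHP 7) and constructs the two eu_place rows from the post as sample data. Dan's mysql_real_escape_string() fix escapes the quotes in $subcat, which closes this particular hole; a bound parameter does the same without depending on the connection's character set. The column name cannot be escaped or bound, so the fixed version maps the radio button value to a column through a fixed whitelist instead of trusting the request.

```php
<?php
// Added example (editor's code, not from the thread). PDO + in-memory SQLite
// is an assumption made so the script runs offline; the original post used
// the mysql_* extension against MySQL.

// Constructed sample data mirroring the eu_place table in post #1.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE eu_place (
    id INTEGER PRIMARY KEY, country TEXT, city TEXT,
    full_price INTEGER, half_price INTEGER)");
$db->exec("INSERT INTO eu_place VALUES (1, 'France', 'Paris', 50, 50)");
$db->exec("INSERT INTO eu_place VALUES (2, 'Spain', 'Barcelona', 70, 85)");

// Vulnerable: the city from the form is pasted straight into the SQL
// string, exactly as in the original post.
function priceVulnerable(PDO $db, string $city, string $load): array
{
    $column = ($load === 'full_load') ? 'full_price' : 'half_price';
    $sql = "SELECT city, $column AS price FROM eu_place WHERE city = '$city'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the city travels as a bound parameter, so whatever it contains
// it is compared as data and can never change the shape of the query.
// A column name cannot be bound, so it comes from a fixed whitelist.
function priceSafe(PDO $db, string $city, string $load): array
{
    $columns = ['full_load' => 'full_price', 'half_load' => 'half_price'];
    if (!isset($columns[$load])) {
        throw new InvalidArgumentException("unknown load type: $load");
    }
    $column = $columns[$load];
    $stmt = $db->prepare(
        "SELECT city, $column AS price FROM eu_place WHERE city = :city"
    );
    $stmt->execute([':city' => $city]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Ordinary input: both versions return the single Paris row, price 50.
print_r(priceVulnerable($db, 'Paris', 'full_load'));
print_r(priceSafe($db, 'Paris', 'full_load'));

// Injected input: the leading quote closes the string literal, so the
// WHERE clause becomes  city = '' OR '1'='1'  and matches every row.
$payload = "' OR '1'='1";
print_r(priceVulnerable($db, $payload, 'full_load'));  // both rows leak

// The bound parameter is compared as a literal city name, so nothing matches.
print_r(priceSafe($db, $payload, 'full_load'));        // empty array
```

    Run it with `php example.php`. The same idea carries over to MySQL by changing the DSN to `mysql:host=...;dbname=europe` and passing credentials to the PDO constructor; the prepare/execute calls stay the same.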

