  1. #1 co.ador (SitePoint Wizard)

    Need help with a query that makes one table depend on another table to execute.

    The first query is put in a <ul> at the left side of the web page that contains three kinds of shoes:
    HTML Code:
    <ul>
      <li>Sneakers</li>
      <li>Dress shoes</li>
      <li>Boots</li>
    </ul>
    Then the second query presents a table of the sneakers, dress shoes or boots, whichever kind you click on in the <ul>; in other words, the content of the second query will depend on the kind of shoe you choose or click on in the <ul> at the left side of the page, similar to the illustration above. Now what I am trying to accomplish is to JOIN the two queries, so that whenever a user clicks on a kind of shoe in the <ul> it presents all the shoes of that kind in the table that is going to be at the right side of the page, containing the second query.

    What I have done so far is to create a database with two tables, one named Shoe_kind and the other Shoe. In both tables I have created a field called kind_id so they can connect together. The first kind of shoe has 8 shoes, and each shoe has the integer 1 assigned to its kind_id field; the second kind of shoe has 8 shoes as well, and each shoe has the integer 2 assigned to its kind_id field, and so on.... but so far I haven't got them connected. What am I missing, so that when a user clicks on a kind of shoe all the shoes of that specific kind appear according to the relationship they have through the kind_id field?


    The question is: how can I improve the code to accomplish that?

    Help please.

    PHP Code:
    <?php
    // Remember which kind (if any) was chosen from the menu link.
    if (isset($_GET['shoe'])) {
        $sel_shoe = $_GET['shoe'];
    } else {
        $sel_shoe = "";
    }
    ?>

    <td style="left:2px;" bordercolor="#666666" bgcolor="#ffffff" border="1" width="156"><ul class="shoe"><?php
    // First query: the menu of shoe kinds.
    $query = "SELECT *
              FROM shoe_kind
              ORDER BY position ASC";

    $result = mysql_query($query, $connection);
    if (!$result) {
        die("Database query failed: " . mysql_error());
    }
    while ($row = mysql_fetch_array($result)) {
        echo "<li";
        if ($row["kind_id"] == $sel_shoe) {
            echo " class=\"selected\"";
        }
        echo "><a href=\"example1.php?shoe=" . urlencode($row["kind_id"]) . "\">{$row["shoename"]}</a></li>";
    }
    ?></ul> </td>

    <?php
    // Second query: the shoes table (not yet filtered by the chosen kind).
    $query = "SELECT shoe.shoename, shoe.price, shoe.moreinfo
              FROM shoe
              INNER JOIN shoe_kind
              ON shoe.kind_id = shoe_kind.kind_id";

    $result = mysql_query($query, $connection);
    while ($row = mysql_fetch_array($result)) {
        echo "<table style=\"float:left\">
        <tr><td width=\"150\" style=\"text-align:center;\">" . $row['shoename'] . "</td></tr>
        <tr>
        <td height=\"100\" width=\"100\" style=\"position:relative;\">
        <img src=\"../images/shoesname.jpg\" alt=\"sd\" width=\"97\" height=\"80\" border=\"1\" style=\"border-color:#FF6600;\" />
        </td></tr>
        <tr>
        <td width=\"5\" height=\"21\"></td><td>" . $row['price'] . "</td>
        </tr>
        <tr><td>" . $row['moreinfo'] . "</td></tr>
        </table>";
    }
    ?>
    Last edited by co.ador; May 10, 2009 at 19:47.

  2. #2 Cups (SitePoint Wizard)
    Couple of things.

    In your database kind_id is an integer, yes? like, 1,2,3 (not a string as in "1").

    This is important.

    In terms of security, integers are very easy for PHP to "frisk and cleanse": (int)$kind_id will turn it into an integer, then all you have to do is make sure it is not 0 (zero) and you are assured it is at least a number (it might be a massive number, but it's not going to contain an SQL injection string).

    Your generated links will be the likes of:

    <a href="example1.php?shoe=2">Dress shoes</a>

    and lead to: Example1.php
    PHP Code:
    <?php

    // take a good look at what is being sent,
    // comment it out later or delete this line
    var_dump( $_GET );

    // The query you want is simple

    $qry = "SELECT shoename
    , price
    , moreinfo
    FROM shoes
    WHERE
    kind_id = " . (int) $_GET['shoe'];

    echo $qry;

    ?>
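
    Added example, not Cups' code: it shows what the (int) cast in the reply above actually does to hostile values of $_GET['shoe'], why the "not zero" check is needed on top of the cast, and the same query with the id bound as a parameter rather than concatenated into the SQL text. Assumptions of ours, not from the thread: a table `shoes` with columns kind_id, shoename, price and moreinfo (the thread uses both `shoe` and `shoes`), and PDO with an in-memory SQLite database standing in for the mysql_* connection, which PHP 7 no longer ships, so the script runs offline.

```php
<?php
// Added example, not Cups' code. Shows what the (int) cast from the reply
// above does to hostile values of $_GET['shoe'], why the "not zero" check is
// needed, and the same query with the id bound as a parameter.
// Assumptions (ours): table "shoes" with columns kind_id, shoename, price,
// moreinfo; PDO + in-memory SQLite stands in for the thread's mysql_*
// connection so this runs offline.
declare(strict_types=1);

/**
 * Return a positive kind_id, or null for anything else.
 * (int) never fails: "abc" becomes 0, "2 OR 1=1" becomes 2 and
 * "1' UNION SELECT ..." becomes 1. The cast throws the tail away; the
 * > 0 test is what rejects non-numeric junk.
 */
function cleanse_kind_id($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                     // ?shoe[]=x arrives as an array
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Constructed schema and rows so the script needs no MySQL server. */
function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE shoes (kind_id INTEGER, shoename TEXT, price REAL, moreinfo TEXT)');
    $ins = $pdo->prepare('INSERT INTO shoes VALUES (?, ?, ?, ?)');
    foreach ([[1, 'Runner', 59.0, 'mesh'], [2, 'Oxford', 120.0, 'leather'],
              [2, 'Derby', 110.0, 'leather'], [3, 'Chelsea', 140.0, 'suede']] as $row) {
        $ins->execute($row);
    }
    return $pdo;
}

/**
 * The thread's query with the value sent separately from the SQL text.
 * A bad id can then only select nothing; it can never change the query.
 */
function fetch_shoes(PDO $pdo, int $kindId): array
{
    $stmt = $pdo->prepare('SELECT shoename, price, moreinfo FROM shoes WHERE kind_id = :kind');
    $stmt->bindValue(':kind', $kindId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = demo_db();
// Constructed inputs standing in for $_GET['shoe'].
$inputs = ['2', '2 OR 1=1', "1' UNION SELECT 1,2,3 --", 'abc', '0', '-5', ['x']];
foreach ($inputs as $raw) {
    $label = is_array($raw) ? 'array' : $raw;
    $id = cleanse_kind_id($raw);
    if ($id === null) {
        echo "shoe={$label}  -> rejected\n";
        continue;
    }
    $rows = fetch_shoes($pdo, $id);
    echo "shoe={$label}  -> kind_id {$id}, " . count($rows) . " row(s)\n";
}
```

    Run it with `php example.php`. Note that "2 OR 1=1" casts to 2 and "1' UNION SELECT ..." casts to 1: the cast quietly discards the injected tail and serves a legitimate page rather than refusing the request, which is exactly why it is safe to concatenate the result. The bound parameter in fetch_shoes() gives the same guarantee without depending on the cast having happened earlier in the file.
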

  3. #3 co.ador (SitePoint Wizard)
    Paul thank you for bearing with me.

    It totally worked; I changed the last query and it $_GETs the menu. Thank you for the comments, they really helped.

    PHP Code:
    var_dump( $_GET );
    Putting this line in the code was pushing down the <td></td>, but I didn't know why; the <ul> in the first query was displaying according to the kind_id field, but the two last <td>s, as I said, were being pushed down by 20 px. Thanks for commenting it out and advising me to erase that line; when I erased it, it was fixed and the two last <td>s in the loop were pushed up to their normal position.

    For the purpose of learning: why echo the variable $query below the query? And what does $_GET do in this case? Does it send it out and make ['shoe'] available to the whole file? Will I be able to use it later on in the file if I want to? What is the effect of $_GET in
    kind_id = " . (int) $_GET['shoe'];, or in this case?
    PHP Code:
    <?php $qry = "SELECT shoename
    , price
    , moreinfo
    FROM shoes
    WHERE
    kind_id = " . (int) $_GET['shoe'];
    ?>
    Thank you though Paul..

  4. #4 Cups (SitePoint Wizard)
    var_dump is a function that you use just for debugging, along with error_reporting. Yes, it can throw your displays out, but the idea is that you only debug on your development server (localhost, sat in front of you now).

    You turn that off, or comment it out, before you FTP your files over; otherwise it can give out important information to a would-be hacker.

    Use this at the very top of your scripts for a while:

    PHP Code:
    <?php
    $debug = true; //turn off on live server with false

    if ( $debug ){

        ini_set('display_errors', 1);
        error_reporting(E_ALL);

        echo '<pre>';
        var_dump( $_POST );
        var_dump( $_GET );
        echo '</pre>';

    }

    // rest of your script down here:


    // then - something is not quite right?
    // take a close look at the variable

    if( $debug ) var_dump( $variable_name );

    ?>
    And it will splurge out errors with some good detail when you make the most common errors.

    I wouldn't say you'd use this everywhere, but when starting out, it should help you post succinct and more informed questions here that are more likely to get you a fast answer.


    Your original code had these lines at the top;
    PHP Code:
    if(isset($_GET['shoe'])){
    $sel_shoe = $_GET['shoe'];
    }else {
    $sel_shoe = "";
    }
    While valid, they don't do very much; you could both check shoe was set and typecast it to an integer, and then check it was not 0.

    I started writing that, but scrubbed it because it did not answer your question.

    Imagine your script goes on over a few hundred lines, and you then find this line:


    PHP Code:
    <?php $qry = "SELECT shoename
    , price
    , moreinfo
    FROM shoes
    WHERE
    kind_id = " . $shoe_id;
    ?>
    You may well scratch your head and think, "where the hell did that variable come from?"

    You may also say to yourself, did I check it yet? Has it been cleansed?


    PHP Code:
    <?php $qry = "SELECT shoename
    , price
    , moreinfo
    FROM shoes
    WHERE
    kind_id = " . (int) $_GET['shoe'];
    ?>
    Whereas with this, what it is and where it came from is pretty obvious.

    Or, I have seen things like this done, at the top of your page.
    PHP Code:
    if( isset( $_GET['shoe']) && (int)$_GET['shoe'] > 0 ){
    $cleansed_shoe_id = (int)$_GET['shoe'];
    }else {
    // send the user away, invalid request or shoe not selected
    }
    This is all a matter of personal preference, and you are free to do what you want, whichever way suits you ( or whichever is easiest to remember ) as long as you are consistent - easier said than done!

    What would have helped you sort this out yourself would have been this line:

    PHP Code:
    if( $debug ) echo $query;
    and to have pasted that query into phpMyAdmin, and you would have seen this was an SQL error and nothing to do with PHP.
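
    Added example, not Cups' code: it puts the two points of this reply into one request handler. A single debug switch decides whether error detail is displayed or only written to the log, and the early guard sends the user away (a 400 here) when shoe is missing or not a positive integer, before any SQL is built. It also replaces the die("Database query failed: " . mysql_error()) from the first post, which prints table names and SQL fragments to any visitor who can trigger an error. Assumptions of ours, not from the thread: the switch is read from an APP_DEBUG environment variable, and an in-memory SQLite database through PDO stands in for the MySQL connection so the script runs offline.

```php
<?php
// Added example, not Cups' code. One $debug switch decides whether error
// detail is shown or only logged; an early guard rejects a bad shoe id before
// any query is built. Assumptions (ours): $debug comes from an APP_DEBUG
// environment variable; PDO + in-memory SQLite stands in for MySQL.
declare(strict_types=1);

$debug = getenv('APP_DEBUG') === '1';         // leave unset on the live server

ini_set('display_errors', $debug ? '1' : '0');
ini_set('log_errors', '1');                    // detail still reaches the log
error_reporting(E_ALL);

/**
 * Log the real cause; return it to the browser only while debugging.
 * On the live server the visitor sees the generic message and nothing else.
 */
function render_error(string $public, string $detail, bool $debug): string
{
    error_log('[shoes] ' . $detail);
    return $debug
        ? '<pre>' . htmlspecialchars($public . "\n" . $detail) . '</pre>'
        : '<p>' . htmlspecialchars($public) . '</p>';
}

/** The guard from the reply: shoe must be set and cast to a positive integer. */
function selected_kind(array $get): int
{
    $raw = $get['shoe'] ?? null;
    if (!is_string($raw) || (int) $raw <= 0) {
        throw new InvalidArgumentException(
            'invalid request or shoe not selected: ' . var_export($raw, true)
        );
    }
    return (int) $raw;
}

/** Returns [HTTP status, body] so the flow can be shown without a web server. */
function handle(array $get, PDO $pdo, bool $debug): array
{
    try {
        $kind = selected_kind($get);
        $stmt = $pdo->prepare('SELECT shoename FROM shoes WHERE kind_id = :kind');
        $stmt->bindValue(':kind', $kind, PDO::PARAM_INT);
        $stmt->execute();
        $names = $stmt->fetchAll(PDO::FETCH_COLUMN);
        return [200, 'kind ' . $kind . ': ' . implode(', ', $names)];
    } catch (InvalidArgumentException $e) {
        return [400, render_error('No shoe selected.', $e->getMessage(), $debug)];
    } catch (PDOException $e) {
        return [500, render_error('Something went wrong.', 'DB: ' . $e->getMessage(), $debug)];
    }
}

// Constructed table and requests standing in for the real database and $_GET.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE shoes (kind_id INTEGER, shoename TEXT)');
$pdo->exec("INSERT INTO shoes VALUES (1, 'Runner'), (2, 'Oxford'), (2, 'Derby')");

foreach ([['shoe' => '2'], ['shoe' => 'abc'], [], ['shoe' => ['x']]] as $get) {
    [$status, $body] = handle($get, $pdo, $debug);
    echo $status, ' ', $body, "\n";
}

// A connection with no "shoes" table shows what a visitor sees on a DB error:
// the generic message unless APP_DEBUG=1, with the detail only in the log.
$broken = new PDO('sqlite::memory:');
$broken->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
[$status, $body] = handle(['shoe' => '2'], $broken, $debug);
echo $status, ' ', $body, "\n";
```

    Run it twice, once plain and once as `APP_DEBUG=1 php example.php`, to see the same failures with and without detail. In the CLI the log goes to stderr; on a server it goes to wherever error_log is configured.
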

  5. #5 co.ador (SitePoint Wizard)
    In other words, instead of assigning "true" to the variable $debug, setting it to false turns it off on the live server and gives hackers and other intruders a difficult time trying to access the information, right? Excuse me, I didn't understand very well. Bear with me please.

    PHP Code:
    <?php
    $debug = false;


    if ( $debug ){

        ini_set('display_errors', 1);
        error_reporting(E_ALL);

        echo '<pre>';
        var_dump( $_POST );
        var_dump( $_GET );
        echo '</pre>';

    }

    // rest of your script down here:


    // then - something is not quite right?
    // take a close look at the variable

    if( $debug ) var_dump( $variable_name );

    ?>

  6. #6 Cups (SitePoint Wizard)
    Yes, you have understood.

    It does not mean an attacker will still not glean any information about your site; it means you will not be freely giving away the things you DO need to know as a developer as you are working away.

    What will the exact sql query string be?
    Did my POST sanitation work as expected?
    Prove it?

    Things like that.

    There are other ways of doing this, logging and managing errors etc.

  7. #7 co.ador (SitePoint Wizard)
    Perfect

    What I understand is that it is a security method which is secure, but not against really advanced hackers, who can do anything, but somehow it protects the information.

    cool

  8. #8 Cups (SitePoint Wizard)
    Quote (co.ador): What I understand is that it is a security method which is secure but not against really advanced hackers
    No, if you checked EVERY incoming variable against a white-list then you would stop them using that particular vector; they would move to another ...

    They are defeatable; you just have to outwit them (i.e. educate yourself and think like a cracker!).
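
    Added example, not Cups' code, of checking every incoming variable against a white-list as this reply recommends. Besides `shoe` it assumes two more parameters, `sort` and `dir`, invented here to show the case that neither the (int) cast nor a prepared statement covers: a column name or ASC/DESC is part of the SQL text, not a bound value, so it has to be mapped from a fixed list rather than passed through. It validates the id with FILTER_VALIDATE_INT, which unlike (int) rejects "2 OR 1=1" instead of silently casting it to 2.

```php
<?php
// Added example, not Cups' code: every incoming variable checked against a
// white-list before a query is built. Assumptions (ours): besides "shoe" the
// page accepts "sort" and "dir", added here to show values that a prepared
// statement cannot protect, because a column name or ASC/DESC is part of the
// SQL text, not a bound value.
declare(strict_types=1);

// The only identifiers that may ever reach the SQL text. Request input
// chooses a key; the value that is interpolated comes from this array.
const SORT_COLUMNS = ['name' => 'shoename', 'price' => 'price'];
const SORT_DIRS    = ['asc' => 'ASC', 'desc' => 'DESC'];

/**
 * Validate and normalise $get, or throw. Unknown keys are ignored, missing
 * optional keys get defaults, and anything outside the lists is refused.
 * FILTER_VALIDATE_INT is stricter than (int): "2 OR 1=1" is rejected,
 * not cast to 2.
 */
function validate_request(array $get): array
{
    $kind = filter_var($get['shoe'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($kind === false) {
        throw new InvalidArgumentException('shoe must be a positive integer');
    }

    $sort = $get['sort'] ?? 'name';
    if (!is_string($sort) || !array_key_exists($sort, SORT_COLUMNS)) {
        throw new InvalidArgumentException('sort must be one of: ' . implode(', ', array_keys(SORT_COLUMNS)));
    }

    $dir = $get['dir'] ?? 'asc';
    if (!is_string($dir) || !array_key_exists(strtolower($dir), SORT_DIRS)) {
        throw new InvalidArgumentException('dir must be asc or desc');
    }

    return ['kind' => $kind, 'sort' => SORT_COLUMNS[$sort], 'dir' => SORT_DIRS[strtolower($dir)]];
}

/**
 * Build the query: the data value goes through a placeholder, the
 * identifiers come from the fixed maps. Returns [sql, parameters].
 */
function build_query(array $p): array
{
    $sql = "SELECT shoename, price, moreinfo FROM shoes WHERE kind_id = :kind"
         . " ORDER BY {$p['sort']} {$p['dir']}";
    return [$sql, [':kind' => $p['kind']]];
}

// Constructed query strings standing in for $_GET.
$requests = [
    ['shoe' => '2'],
    ['shoe' => '2', 'sort' => 'price', 'dir' => 'DESC'],
    ['shoe' => '2', 'sort' => 'price; DROP TABLE shoes'],
    ['shoe' => '2 OR 1=1'],
    ['shoe' => '3', 'dir' => ['x']],
    ['shoe' => '3', 'colour' => 'red'],          // unknown key: ignored
];
foreach ($requests as $get) {
    try {
        [$sql, $params] = build_query(validate_request($get));
        echo 'OK   ', $sql, ' ', json_encode($params), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', json_encode($get), ': ', $e->getMessage(), "\n";
    }
}
```

    The pattern generalises: for every parameter decide up front whether it is data (bind it) or an identifier (look it up in a map you control), and refuse anything that is neither. Nothing taken from the request is ever copied into the SQL string itself.
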

