Need help for a query that makes a table to depend of another table to execute.

[co.ador]

The first query is put in an Ul at the left side of the web page that contain three kind of shoes,

HTML Code:

<ul><li>
Sneakers
Dress shoes
Boots</li></ul>

Then the second query presents a table of the sneakers, dress shoes or Boots, or whatever kind you click on the <ul>, in other words the content of the second query will depend on the kind of shoe you choose or click on from the <ul> at the left side of the page similar to the illustration above. Now what I am trying to accomplish is to JOIN the two queries, where whenever a user click on a kind of shoe on the <ul> then it presents all the kinds of that kind in the table which is going to be at the right side of the page containing the second query.

What I have done so far is to create a database with two table one named Shoe_kind and the other Shoe. in both tables I have created a field called kind_id so it can connect together. The first kind of shoe has 8 shoes and all and each shoe has the integer of (1) assigned to its kind_id field, then the second kind of shoe has 8 shoes as well and each shoe has the integer of (2) assigned to its kind_id field, and so on.... but so far I haven't get them connected, what am I missing? so that when a user click on a kind of shoes all the shoes kinds of that specific kind appears according to the relationship they have through the kind_id field.


The question is How can I improve the coding to reach that command?

Help please.

PHP Code:

<?php
if(isset($_GET['shoe'])){
$sel_shoe = $_GET['shoe'];
}else { $sel_shoe = "";
}

?>


<td style="left:2px;" bordercolor="#666666" bgcolor="#ffffff" border="1" width="156"><ul class="shoe"><?php 
   $query = "SELECT * 
              FROM shoe_kind
              ORDER BY position ASC";
  $result = mysql_query($query, $connection);
  if(!$result){
  die("Database query failed: " . mysql_error());
  }
  while($row = mysql_fetch_array($result)){
  echo "<li"; 
  if ($row["kind_id"] == $sel_shoe) {
  echo " class=\"selected\"";
  }
  echo "><a href=\"example1.php?shoe=" . urlencode($row["kind_id"]) ."\">{$row["shoename"]}</a></li>";
  }?></ul> </td>

 <?php $query = "SELECT shoe.shoename, shoe.price, shoe.moreinfo 
FROM shoe
INNER 
JOIN shoe_kind 
ON shoe.kind_id=shoe_kind.kind_id"; 
$result = mysql_query($query, $connection);
while ($row = mysql_fetch_array($result)) {
echo "<table style=\"float:left\">
<td width=\"150\" style=\"text-align:center;\">" . $row['shoename'] . "</td>
<tr>
<td height=\"100\" width=\"100\"   style=\"position:relative;\">
<img src=\"../images/shoesname.jpg\" alt=\"sd\" width=\"97\" height=\"80\"  border=\"1\" style=\"border-color:#FF6600;\" />
</td></tr>
<tr>
<td width=\"5\" height=\"21\" ></td><td>" . $row['price'] . "</td>
</tr>
<td>" . $row['moreinfo'] . "</td>
</table>";
} 
?>

[Cups]

Couple of things.

In your database kind_id is an integer, yes? like, 1,2,3 (not a string as in "1").

This is important.

In terms of security Integers are very easy for PHP to "frisk and cleanse" (int)$kind_id will turn it into an integer, then all you have to do is make sure it is not 0 (zero) and you are assured it is at least a number ( it might be a massive number, but its not going to contain an sql injection string)

Your generated links will be the likes of:

<a href="example1.php?shoe=2">Dress shoes</a>

and lead to: Example1.php

PHP Code:

<?php

// take a good look at what is being sent, 
// comment it out later or delete this line
var_dump( $_GET );

// The query you want is simple

$qry = "SELECT shoename
, price
, moreinfo
FROM shoes 
WHERE 
kind_id = " . (int) $_GET['shoe'] ;

echo $qry ;

?>

[co.ador]

Paul thank you for bearing with me.

It totally worked, I changed the last query and it $_GET the menu. Thank you for the comments it really helped.

PHP Code:

var_dump( $_GET ); 


putting this line in the code was pushing down the <td></td> but I didn't know why, the <ul> in the first query was displaying according to the kind_id field but the two last <td> as I said were being push down by 20 px; but thank that you commented it out and advised to erase that line. when I erased it then it fixed and the two last <td> in the loop were pushed up to it's normal position.

For the purpose of learning why echoing the variable $query below it the query? and what does the $_GET does in this case? does it sent it out and make the ['shoe'] available to the whole file? will I be able to used later on in I want to in the file? What it the Effect behind $_GET in
kind_id = " . (int) $_GET['shoe'] ; or this case?

PHP Code:

<?php $qry = "SELECT shoename
, price
, moreinfo
FROM shoes 
WHERE 


kind_id = " . (int) $_GET['shoe'] ;
?>

Thank you though Paul..

[Cups]

var_dump is a function that you use just for debugging, along with error_reporting - yes it can throw your displays out, but the idea is that you only debug on your development server (localhost, sat in front of you now).

You turn that off, or comment it out before you FTP your files over otherwise it can give out important information to a would-be hacker.

Use this at the very top of your scripts for a while:

PHP Code:

<?php
$debug = true ; //turn off on live server with false

if ( $debug ){

    ini_set( 'display_errors',1 );
    error_reporting(E_ALL);

    echo '<pre>';
    var_dump( $_POST );
    var_dump( $_GET );
    echo '</pre>';

}

// rest of your script down here:


// then - something is not quite right?
// take a close look at the variable

if( $debug ) var_dump( $variable_name );  

?>

And it will splurge out errors with some good detail when you make the most common errors.

I wouldnt say youd use this everywhere, but when starting out, it should help you post succinct and more informed questions here that are more likely to get you a fast answer.


Your original code had these lines at the top;

PHP Code:

if(isset($_GET['shoe'])){
$sel_shoe = $_GET['shoe'];
}else { $sel_shoe = ""; 


While valid, they don't do very much - you could both check shoe was set and typecast it to an integer and then check it was not 0.

I started writing that, but scrubbed it because it did not answer your question.

Imagine your script goes on over a few hundred lines, and you then find this line:

PHP Code:

<?php $qry = "SELECT shoename
, price
, moreinfo
FROM shoes 
WHERE 
kind_id = " . $shoe_id ;
?>

You may well scratch your head and think, "where the hell did that variable come from?"

You may also say to yourself, did I check it yet? Has it been cleansed?

PHP Code:

<?php $qry = "SELECT shoename
, price
, moreinfo
FROM shoes 
WHERE 
kind_id = " . (int) $_GET['shoe'] ;
?>

Whereas what that is, where it came from is pretty obvious.

Or, I have seen things like this done, at the top of your page.

PHP Code:

if( isset( $_GET['shoe']) && (int)$_GET['shoe'] > 0 ){
$cleansed_shoe_id = (int)$_GET['shoe'];
}else { 
// send the user away, invalid request or shoe not selected
} 


This is all a matter of personal preference, and you are free to do what you want, whichever way suits you ( or whichever is easiest to remember ) as long as you are consistent - easier said than done!

What would have helped you sort this out yourself would have been this line:

PHP Code:

if( $debug ) echo $query ; 


and to have pasted that query into PhpMyAdmin and you would have seen this was an sql error and nothing to do with PHP.

[co.ador]

In others words, instead of assigning a "true" to the variable $debug to false, causes to turn off on live server and giving hackers and others intruders a difficult time trying to access the information, right? Excuse me I didn't understood pretty well. bear with me please.

PHP Code:

<?php
$debug = false ; 


if ( $debug ){

    ini_set( 'display_errors',1 );
    error_reporting(E_ALL);

    echo '<pre>';
    var_dump( $_POST );
    var_dump( $_GET );
    echo '</pre>';

}

// rest of your script down here:


// then - something is not quite right?
// take a close look at the variable

if( $debug ) var_dump( $variable_name );  

?>

[Cups]

Yes, you have understood.

It does not mean an attacker will still not gleam any information about your site, it means you will not be freely giving away the things you DO need to know as a developer as you are working away.

What will the exact sql query string be?
Did my POST sanitation work as expected?
Prove it?

Things like that.

There are other ways of doing this, logging and managing errors etc.

[co.ador]

Perfect

What I understand that it is a security method which is secure but not for really advance hackers which can do anything but some how it protects the information.

cool

[Cups]

What I understand that it is a security method which is secure but not for really advance hackers

No, if you checked EVERY incoming variable against a white-list then you would stop them using that particular vector, they would move to another ...

They are defeatable, you just have to outwit them (i.e. educate yourself and think like a cracker!).