Need help for some coding

I’m new to PHP. I got the following PHP script from phpjabbers.com and I want to make some modifications: I don’t want it to display all the records when the Emp_No column is empty, and when I click the filter button it shouldn’t list all the records either.

Thanks for help.

<?php
###########################################################

error_reporting(0);
include("config.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Employee Voucher Search</title>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js"></script>
<link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
<style>
BODY, TD {
	font-family:Arial, Helvetica, sans-serif;
	font-size:12px;
}
</style>
</head>


<body>
<H1><U>Meal Voucher Inquiry System</U></H1><BR>
<form id="form1" name="form1" method="post" action="search2.php">

 <label>Emp No:</label>
<input type="text" name="string" id="string" value="<?php echo stripcslashes($_REQUEST["string"]); ?>" />



<input type="submit" name="button" id="button" value="Filter" />
  </label>
  <a href="search2.php">
  reset</a>
</form>
<br /><br />
<table width="700" border="1" cellspacing="0" cellpadding="4">
  <tr>
    <td width="90" bgcolor="#CCCCCC"><strong>Employee No</strong></td>
    <td width="95" bgcolor="#CCCCCC"><strong>Voucher</strong></td>
    <td width="159" bgcolor="#CCCCCC"><strong>Balance</strong></td>
    <td width="191" bgcolor="#CCCCCC"><strong>ExpDate</strong></td>
    <td width="113" bgcolor="#CCCCCC"><strong>Remark</strong></td>
	<td width="90" bgcolor="#CCCCCC"><strong>Status</strong></td>
  </tr>
<?php
if ($_REQUEST["string"]='') {
	$search_string ='';	
}

if ($_REQUEST["Emp_No"]='') {
	$search_Emp_No = '' ;	
}
	
if ($_REQUEST["string"]<>'') {
	$search_string = " AND (Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%' OR Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%')";	
}
if ($_REQUEST["Emp_No"]<>'') {
	$search_Emp_No = " AND Emp_No='".mysql_real_escape_string($_REQUEST["Emp_No"])."'";	
}
/*
if ($_REQUEST["from"]<>'' and $_REQUEST["to"]<>'') {
	$sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE ExpDate >= '".mysql_real_escape_string($_REQUEST["from"])."' AND ExpDate <= '".mysql_real_escape_string($_REQUEST["to"])."'".$search_string.$search_Emp_No;
} else if ($_REQUEST["from"]<>'') {
	$sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE ExpDate >= '".mysql_real_escape_string($_REQUEST["from"])."'".$search_string.$search_Emp_No;
} else if ($_REQUEST["to"]<>'') {
	$sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE ExpDate <= '".mysql_real_escape_string($_REQUEST["to"])."'".$search_string.$search_Emp_No;
} */else {
	$sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE Emp_No<>''".$search_string.$search_Emp_No;
}





$sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);
if (mysql_num_rows($sql_result)>0) {
	while ($row = mysql_fetch_assoc($sql_result)){
?>
  <tr>
    <td><?php echo $row["Emp_No"]; ?></td>
    <td><?php echo $row["Voucher"]; ?></td>
    <td><?php echo $row["Balance"]; ?></td>
    <td><?php echo $row["ExpDate"]; ?></td>
    <td><?php echo $row["Remark"]; ?></td>
	<td><?php echo $row["Status"]; ?></td>
  </tr>
<?php
	}
} else {
?>
<tr><td colspan="5">No results found.</td>
<?php	
}
?>
</table>

</body>
</html>

Hi bclee, welcome to the forums.

That code looks old. It is using deprecated mysql_

You may do better looking for something more up-to-date than spending time tweaking that.

Yes, I’m using MySQL server. I just want to do a simple script to query data from a MySQL database. Can anyone help?

I think you misunderstood me.

I didn’t mean the code is using MySQL (the database) but that it’s using deprecated mysql_ PHP functions

Maybe not important, but seeing $_REQUEST instead of explicit $_POST or $_GET bothers me some too. Hopefully the code is secure.

Changing to mysqli_ or PDO would be inherently more secure.

In any case, if you’re debugging you should temporarily change
error_reporting(0);
to true so you can see whatever errors there are

The code was downloaded from another website, and I’m also not familiar with it. I’ve tried modifying some parts, and now the records aren’t displayed when I click the reset button; it displays “No result found”. But when I filter by an Emp_No it also displays the same thing, so something is going wrong…

<?php

error_reporting(0);
include("config.php");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Employee Voucher Search</title>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js"></script>
<link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
<style>
BODY, TD {
	font-family:Arial, Helvetica, sans-serif;
	font-size:12px;
}
</style>
</head>


<body>
<H1><U>Meal Voucher Inquiry System</U></H1><BR>
<form id="form1" name="form1" method="post" action="search.php">

 <label>Emp No:</label>
<input type="text" name="string" id="string" value="<?php echo stripcslashes($_REQUEST["string"]); ?>" />

<input type="submit" name="button" id="button" value="Filter" />
  </label>
  <a href="search.php">
  reset</a>
</form>
<br /><br />
<table width="950" border="1" cellspacing="0" cellpadding="4">
  <tr>
    <td width="90" bgcolor="#CCCCCC"><strong>Voucher No</strong></td>
    <td width="115" bgcolor="#CCCCCC"><strong>Voucher Amount</strong></td>
    <td width="115" bgcolor="#CCCCCC"><strong>Balance Amount</strong></td>
    <td width="85" bgcolor="#CCCCCC"><strong>Expire Date</strong></td>
    <td width="150" bgcolor="#CCCCCC"><strong>Remark</strong></td>
	<td width="190" bgcolor="#CCCCCC"><strong>Status(0=Cancel, 1=Available)</strong></td>
	<td width="190" bgcolor="#CCCCCC"><strong>Created On</strong></td>
  </tr>
<?php


if ($_REQUEST["string"]=' ') {
	$search_string = " AND (Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%' OR Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%')";	
}

 if ($_REQUEST["string"]<>'') {
	$search_string = " AND (Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%' OR Emp_No LIKE '%".mysql_real_escape_string($_REQUEST["string"])."%')";	
}
 if ($_REQUEST["Emp_No"]<>'') {
	$search_Emp_No = " AND Emp_No='".mysql_real_escape_string($_REQUEST["Emp_No"])."'";	
}

else {
	$sql = "SELECT * FROM ".$SETTINGS["data_table"]." WHERE Emp_No<>''".$search_string.$search_Emp_No;
}

$sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);
if (mysql_num_rows($sql_result)>0) {
	while ($row = mysql_fetch_assoc($sql_result)){
?>
  <tr>
    <td><?php echo $row["IDX"]; ?></td>
    <td><?php echo $row["Voucher"]; ?></td>
    <td><?php echo $row["Balance"]; ?></td>
    <td><?php echo $row["ExpDate"]; ?></td>
    <td><?php echo $row["Remark"]; ?></td>
	<td><?php echo $row["Status"]; ?></td>
	<td><?php echo $row["Created_On"]; ?></td>
  </tr>
<?php
	}
} else {
?>
<tr><td colspan="5">No results found.</td>
<?php	
}
?>
</table>
</body>
</html>

Yes that is quite a mess with the if else statements. As you are only searching one value it can be greatly simplified. I added two different IF statements depending on if you wish to show all records or only those you’ve searched for. As noted you should move away from mysql_query()

<?php
//Can I assume DB connection is here plus $SETTINGS['data_table'] defined.
$string = (isset($_POST['string']) ? stripcslashes($_POST['string']) :'');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Employee Voucher Search</title>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.7.0/jquery.min.js"></script>
<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js"></script>
<link href="http://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
<style>
BODY, TD {
    font-family:Arial, Helvetica, sans-serif;
    font-size:12px;
}
</style>
</head>


<body>
<H1><U>Meal Voucher Inquiry System</U></H1><BR>
<form id="form1" name="form1" method="post" action="">

 <label>Emp No:</label>
<input type="text" name="string" id="string" value="<?php echo htmlspecialchars($string, ENT_QUOTES, 'UTF-8'); ?>" />
<input type="submit" name="button" id="button" value="Filter" />
  </label>
  <a href="search2.php"> 
  reset</a>
</form>
<br /><br />
<table width="950" border="1" cellspacing="0" cellpadding="4">
  <tr>
    <td width="90" bgcolor="#CCCCCC"><strong>Voucher No</strong></td>
    <td width="115" bgcolor="#CCCCCC"><strong>Voucher Amount</strong></td>
    <td width="115" bgcolor="#CCCCCC"><strong>Balance Amount</strong></td>
    <td width="85" bgcolor="#CCCCCC"><strong>Expire Date</strong></td>
    <td width="150" bgcolor="#CCCCCC"><strong>Remark</strong></td>
	<td width="190" bgcolor="#CCCCCC"><strong>Status(0=Cancel, 1=Available)</strong></td>
	<td width="190" bgcolor="#CCCCCC"><strong>Created On</strong></td>
  </tr> 
<?php
//USE ONE of the following IF statements 

//Use this IF statement to show all records.
//if(isset($_POST['string'])):

//Use this IF statement to show only records based on search.
if(isset($_POST['string']) && !empty($_POST['string'])):

	$search_string = (!empty($_POST['string']) ? " WHERE Emp_No LIKE '%".mysql_real_escape_string($_POST['string'])."%'" : ''); 
	$sql = "SELECT * FROM " . $SETTINGS['data_table'] . $search_string;
	$sql_result = mysql_query ($sql, $connection ) or die ('request "Could not execute SQL query" '.$sql);
	if (mysql_num_rows($sql_result)>0) {
	    while ($row = mysql_fetch_assoc($sql_result)){	
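			// Escape database values before writing them into the page.
			echo '<tr>
			<td>' . htmlspecialchars($row['IDX']) . '</td>
			<td>' . htmlspecialchars($row['Voucher']) . '</td>
			<td>' . htmlspecialchars($row['Balance']) . '</td>
			<td>' . htmlspecialchars($row['ExpDate']) . '</td>
			<td>' . htmlspecialchars($row['Remark']) . '</td>
			<td>' . htmlspecialchars($row['Status']) . '</td>
			<td>' . htmlspecialchars($row['Created_On']) . '</td>
			</tr>'."\r";
	    }
	}else{
		echo '<tr><td colspan="7">No results found.</td></tr>';
	}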
	}
endif;
?>
</table>

</body>
</html>

My very first thought is that if the wrong person finds his site, it will be broken into within seconds. I count three serious security holes in this script, and I wasn’t even looking for them. Glad you mentioned this already.
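
The points raised in this thread (explicit `$_POST` instead of `$_REQUEST`, PDO instead of `mysql_*`, no listing when the filter is empty) can be combined as follows. This is an added example, not code from any poster; it assumes the PDO SQLite driver so it runs offline, and the table name `vouchers` and the sample rows are constructed.

```php
<?php
// Added example. Constructed rows in an in-memory SQLite database stand in for
// the thread's MySQL table; the table name "vouchers" is an assumption.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE vouchers (Emp_No TEXT, Voucher TEXT, Balance REAL,
    ExpDate TEXT, Remark TEXT, Status INTEGER)");
$pdo->exec("INSERT INTO vouchers VALUES
    ('E1001', 'V-01', 25.0, '2015-12-31', 'lunch', 1),
    ('E1002', 'V-02', 10.0, '2015-11-30', '<b>dinner</b>', 1),
    ('',      'V-03',  5.0, '2015-10-31', 'unassigned', 0)");

// Return matching rows, or an empty array when no employee number was given,
// so neither "reset" nor an empty Filter click lists the whole table.
function searchVouchers(PDO $pdo, array $post): array
{
    $empNo = trim((string)($post['string'] ?? ''));
    if ($empNo === '') {
        return [];
    }
    // Escape LIKE wildcards so "%" or "_" typed by the user match literally.
    $pattern = '%' . strtr($empNo, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    // The value is bound as a parameter, never concatenated into the SQL.
    $stmt = $pdo->prepare(
        "SELECT Emp_No, Voucher, Balance, ExpDate, Remark, Status
           FROM vouchers
          WHERE Emp_No <> '' AND Emp_No LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Build table rows, HTML-escaping every database value on output.
function renderRows(array $rows): string
{
    if (!$rows) {
        return '<tr><td colspan="6">No results found.</td></tr>';
    }
    $html = '';
    foreach ($rows as $row) {
        $cells = array_map(fn($v) => '<td>'
            . htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8') . '</td>', $row);
        $html .= '<tr>' . implode('', $cells) . "</tr>\n";
    }
    return $html;
}

// Constructed inputs: a partial employee number, an empty filter, a bare wildcard.
foreach (['E100', '', '%'] as $input) {
    echo renderRows(searchVouchers($pdo, ['string' => $input])), "\n";
}
```

Against MySQL only the DSN passed to `new PDO(...)` changes; the query, the bound parameter and the output escaping stay the same.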