improve code?

Harbinger

this code works great for now...since I am a beginner and am feeling quite good about having my first real working script. but i want to continue to learn and develop on it more..and can't think of where to start.

visit this page: www.sbmac.com/search.php to see what it looks like...i know it's nothing special

here is the code to create it:

<?PHP 
					  $db = mysql_connect("localhost","****","****");
if (!$db) {
    echo "Error: Could not connect to database. Please try again later.";
    exit;
}
mysql_select_db("surplus");

				  $result = mysql_query("select * from surplus");
if (!$result) {
    echo("<p>Error performing query: ".mysql_error()."</p>");
    exit();
}

echo("<br><p><strong>Here is all the surplus in the database:</strong> </p>");
if (mysql_num_rows($result) != 0){
   while ($row = mysql_fetch_array($result)) {
      $surplusid = $row["id"];
      $surplustext = $row["specs"];
      echo("<p><b>#$surplusid</b> $surplustext <br>");
   }    

} else {
   echo("<p>No surplus found</p>");
} 
?>

i had a lot of help from people here, namely "hand" in developing this code...so again thanks to you all!

if you can think of anything...let me know. 🙂

jesus_hairdo

Looks pretty good to me.

I have only 1 suggestion:

Perhaps a little input checking using javascript might be useful. ie if there are no search terms.

That way the user would have to submit, read the message and then click back to try again.

instead of using javascript, print the search box again but print the error message, ie "no search terms" above the input box.

Harbinger

that is actually done here: in the results page...


<?PHP
trim($searchterm);
if (!$searchtype || !$searchterm)
{
	echo"You have not entered search details.  Please go back and try again.";
		exit;
}

$searchtype = addslashes($searchtype);
$searchterm = addslashes($searchterm);

@ $db = mysql_pconnect("localhost","****","****");

if (!$db)
{
	echo "Error: Could not connect to database.  Please try again later.";
	exit;
}

mysql_select_db("surplus");
$query = "select * from surplus where ".$searchtype." like
	'%".$searchterm."%'";
$result = mysql_query($query);
$num_results = mysql_num_rows($result);

echo "<p>Number of items found: ".$num_results."</p>";

for ($i=0; $i <$num_results; $i++)
{
	$row = mysql_fetch_array($result);
	echo "<p><strong>".($i+1).". Type of Machine: ";
	echo htmlspecialchars(stripslashes($row["type"]));
	echo "</strong><br>Year: ";
	echo htmlspecialchars(stripslashes($row["year"]));
	echo "<br>Specs: ";
	echo htmlspecialchars(stripslashes($row["specs"]));
	echo "</p>";
}

?>

planetsim

This probably wont help you make that script better for now. But make it easier if your testing files on your own computer than need to change all the mysql password stuff

make a file called config.inc

then using php

<?php
$host = "hostname";
$user = "username";
$pass = "password";
$db = "database";
?>

Now most things like PHPBB and Vbulletin use a thing like it except more advanced using not just mysql.

Now its simple just include("config.inc");

then in your mysql statements

mysql_connect($host,$user,$pass);
mysql_select_db($db);

Im sure you may wanna add more to that config.inc to save space on other pages.

Harbinger

good idea, thanks~!

128kb_com

I NEVER use the file nameing scheme planetsim is talking about, especially with sensitive info/code - like the username and password to your database.

Some one can easily type in http://www.somehost.whatever/config.inc and get your password. If you are going to use this nameing scheme you'll need to configure your webserver to have php parse all your .inc files so the values wont be printed to screen, but what if you have some other config files with the extension .inc that you dont want mod_php to parse??

The best way to name your file would be config.inc.php and this way you'll have no problems.

planetsim

128kb.com thanks for correcting my error. I was actually meaning that.. just forgot the .php extention on the end.

philipolson

Some random thoughts.

First, your first post looks much better than the code in the 'results page', like that for() loop is nasty! Some other random tips are, consider this:

if (!$result = @mysql_query($sql)) {
    echo "Unable to run query ($sql) : " . mysql_error();
    exit;
}

See how we combined your two statements into one? Also the @ was added because you/we are doing our own error handling so it supresses PHP's error, if that makes sense, and just prints ours. But don't blindly use @ everywhere!

Also, you may find extract() handy for the following reason:

$sql = "SELECT name, email, phone FROM users";
if (!$result = @mysql_query($sql)) {
    echo "Unable to run query ($sql) : " . mysql_error();
    exit;
}

while ($row = mysql_fetch_assoc($result)) {
    extract($row);

print "$name $email $phone";
}

See how nice (and dangerous) that can be? Read the manual page for all the various options extract() provides.

Also, if you just want an associative array use mysql_fetch_assoc instead of mysql_fetch_array() as mysql_fetch_array fetches both numerical and associative by default, which is silly IMHO.

Also, no need for the ()'s with echo, or exit. Just use echo 'foo'; although this is personal preference, I prefer without though 🙂

Also your use of trim() is incorrect, you really want: $a = trim($a) not just trim($a);

And lastly, your search results page only checks for empty search queries as errors, what if I search for: foobarblahblahblah? Oh when I said the use of for() is nasty, I see you did it because you want 0-n printed along side, well, do something along these lines:

if (($count = mysql_num_rows($result)) > 0) {
    echo "You have $count results...";
    $i = 1;
    while ($row = mysql_fetch_assoc($result)) {
        extract($row);
        print "<p>$i : $type : $year : $specs</p>";
        $i++;
    }
} else {
    echo "You have zero results...";
}

Also, I see no reason why you'd need to stripslashes() on data coming from the database, if you have extra slashes in there then that's bad. That would mean you used addslashes() twice before entering it, sometimes this happens when people aren't aware of the power of the PHP directive magic_quotes_gpc as when on it essentially runs addslashes() on all GetPostCookie data. Same applies to your search query.

Also, not sure why htmlspecialchars() would be needed on output either, unless used inside a form element or something, but it won't hurt.

And lastly (no really I mean it), you may not want to spew out mysql_error() or sql queries on a production site if errors happen but instead implement some form of error handling that provides (includes) a static html page instead, with a more user friendly error.

planetsim

continuing philipolson error handling. Look at Devshed.com they have 2very good articles on making your own error handling.