My Final Code

jasmith12345

Hello All,
Here's my final code for my database query.... :rolleyes:

Can you tell me what you think?

Everything works, but I'd like to know how to make the results open in another html page with my design.

<?php

// Make a MySQL Connection
mysql_connect("**", "", "") or die(mysql_error());
mysql_select_db("**") or die(mysql_error());

$id = "%".$_GET["search"]."%";

$sid = $_GET["search"];

// Retrieve all the data from the "dampener" table
$result = mysql_query("SELECT * FROM dampener WHERE Press_Model Like '$id'")
or die(mysql_error());

if(empty($sid))

{

echo'<h1>Oooops! You forgot to enter the press model. </H1>';

echo'<p><a href="http://www.mywebsite.com/index.html">Back to Search Page </a></p>';

exit();

}

// Get all the data from the "dampener" table
$result = mysql_query("SELECT * FROM dampener WHERE Press_Model Like '$id'")
or die(mysql_error());

echo "<table border='1'>";
echo "<tr> <th>Press Model</th> <th>Roller Diameter</th> <th>Red 1 Size Form</th> <th>Red 1 Ductor</th> <th>Red 1 Cut Form</th> <th>Red 1 Cut Ductor</th> <th>Red 1 Set</th> <th>Hyton Press</th> <th>Hyton Cut Form</th> <th>Hyton Cut Ductor</th> <th>Hyton Cut Set</th> <th>Red Runner</th> <th>Classic Loop Form</th> <th>Classic Loop Ductor</th> </tr>";

// keeps getting the next row until there are no more to get
while($row = mysql_fetch_array( $result )) {

// Print out the contents of each row into a table
echo "<tr><td><center>"; 
echo $row['Press_Model'];
echo "</td><td><center>"; 
echo $row['Roller_Diameter'];
echo "</td><td><center>"; 
echo $row['Red_1_Size_Form'];
echo "</td><td><center>";
echo $row['Red_1_Ductor'];
echo "</td><td><center>";
echo $row['Red_1_Cut_Form'];
echo "</td><td><center>";
echo $row['Red_1_Cut_Ductor'];
echo "</td><td><center>";
echo $row['Red_1_Set'];
echo "</td><td><center>";
echo $row['Hyton_Press'];
echo "</td><td><center>";
echo $row['Hyton_Cut_Form'];
echo "</td><td><center>";
echo $row['Hyton_Cut_Ductor'];
echo "</td><td><center>";
echo $row['Hyton_Cut_Set'];
echo "</td><td><center>";
echo $row['Red_Runner'];
echo "</td><td><center>";
echo $row['Classic_Loop_Form'];
echo "</td><td><center>";
echo $row['Classic_Loop_Ductor'];
echo "</center></td></tr>";

}

echo'<p><a href="http://www.mywebsite.com/index.html"><font size="4"><<< - Back to Search Page </font></a></p>';

echo "</table>";

dalecosp

Hello, and welcome to PHPBuilder.

First, please put your code in

tags for greater readability and colorized machine parsing.

Second, you didn't sanitize $_GET['search'] before doing a query with it? Dangerous.

Third, echo() is perfectly capable of multi-line arguments.

But, all that said, we've seen much worse around here. Keep coding! 🙂

jasmith12345

Hello dalecosp,
Thanks for your quick response... as most who are here, I am new to php, but because of this awesome forum and people like you I am getting better (slowly).
What do you mean by "sanitize", and why is the way I have it dangerous?
As for the "echo()" and its ability to run multi-line arguments, can you give me an example?
Are you saying rather than have the multiple lines of "echo()" I could included it in one line?
Again, this is how we grow, and I appreciate your help...

jasmith12345

big_nerd

To sanitize, it means that you can't trust what others are putting into the system.

Search up on "SQL Injection" and "XSS" (Cross Site Scripting).

Some examples:

mysql_real_escape_string();


$id = "%".mysql_real_escape_string($_GET["search"])."%";
$sid = mysql_real_escape_string($_GET["search"]); 

// Retrieve all the data from the "dampener" table
$result = mysql_query("SELECT * FROM dampener WHERE Press_Model Like '$id'")
or die(mysql_error());

This will help prevent SQL Injection. Any time you are accepting user input, you will want to escape that input by using mysql_real_escape_string();

If you are accepting an integer only (a number) you can also do:

$id = (int)$_GET['id'];

which will force whatever is accepted to be a number, which will turn a string into the number 1.

echo can handle multi-line input such as:

echo '
<tr><td><center>
 '.$row['Press_Model'].'
</td><td><center>
 '.$row['Roller_Diameter'].'
</td><td><center>
 '.$row['Red_1_Size_Form'].'
</td><td><center>
 '.$row['Red_1_Ductor'].'
</td><td><center>
 '.$row['Red_1_Cut_Form'].'
</td><td><center>
 '.$row['Red_1_Cut_Ductor'].'
</td><td><center>
 '.$row['Red_1_Set'].'
</td><td><center>
 '.$row['Hyton_Press'].'
</td><td><center>
 '.$row['Hyton_Cut_Form'].'
</td><td><center>
 '.$row['Hyton_Cut_Ductor'].'
</td><td><center>
 '.$row['Hyton_Cut_Set'].'
</td><td><center>
 '.$row['Red_Runner'].'
</td><td><center>
 '.$row['Classic_Loop_Form'].'
</td><td><center>
 '.$row['Classic_Loop_Ductor'].'
</center></td></tr>';

OR you can use heredoc style (many lines, accepting variables, etc).

Note: There heredoc syntax means that if you do echo <<<EOL the EOL; must not be indented otherwise it will still be treated as what you wish to echo.

echo <<<EOL
<tr><td><center>
 {$row['Press_Model']}
</td><td><center>
 {$row['Roller_Diameter']}
</td><td><center>
 {$row['Red_1_Size_Form']}
</td><td><center>
 {$row['Red_1_Ductor']}
</td><td><center>
 {$row['Red_1_Cut_Form']}
</td><td><center>
 {$row['Red_1_Cut_Ductor']}
</td><td><center>
 {$row['Red_1_Set']}
</td><td><center>
 {$row['Hyton_Press']}
</td><td><center>
 {$row['Hyton_Cut_Form']}
</td><td><center>
 {$row['Hyton_Cut_Ductor']}
</td><td><center>
 {$row['Hyton_Cut_Set']}
</td><td><center>
 {$row['Red_Runner']}
</td><td><center>
 {$row['Classic_Loop_Form']}
</td><td><center>
 {$row['Classic_Loop_Ductor']}
</center></td></tr>
EOL;

I personally don't use heredoc myself.

Note, I have encapsulated the $row['whatever'] within braces as it tells PHP that it is an array/string (in short - that isnt exactly accurate, but that's the basis).

In addition - I would trim() your input to prevent someone from just searching for a space character.

$id = "%".mysql_real_escape_string(trim($_GET["search"]))."%";
$sid = mysql_real_escape_string(trim($_GET["search"]));

Hope this helps..