html form and php output

toney85

I have a form that searches a database then outputs the data via php how do I take the info from the radio button and the age range and search the database with it

 <?php
                            $max_age = 18;

                        $ageOptions = "<option value='00'>From</option>\n";
                        for($age=1; $age<=$max_age; $age++)
                        {
                            $ageOptions .= "<option value='{$age}'>{$age}</option>\n";
                        }

              ?>

                        <form name="child_info" action="selectdata.php" method="post"  id="child_info">
                        <table width="444" align="center" >

                            <tr>
                                <td width="208">Choose Male or Female:</td>
                                <td width="224">
                                    <input type="radio" name="gender" value="male" /> Male
                                    <input type="radio" name="gender" value="Female" /> Female
                                </td>
                            </tr>
                            <tr>
                                <td>Choose age range:</td>
                                <td>
                                    <select name="first_age" id="first_age">
                                    <?php echo $ageOptions; ?>
                                    </select>
                                    <select name="second_age" id="second_age">
                                    <?php echo $ageOptions; ?>
                                    </select>
                                </td>
                            </tr>
                            <tr>
                                <td></td>
                                <td>
                                    <div align="right">
                                    <input type="submit" name="submit" id="submit" value="submit" />
                                    <input type="reset" name="reset" id="reset" value="reset" />
                                    </div>
                                </td>
                            </tr>
                        </table>
                        </form>

<?php
$con = mysql_connect("localhost","","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("", $con);

$query = "SELECT picture_number, first_name, middle_name, first_family_name, second_family_name, DATE_FORMAT(birthdate, '%c-%e-%Y') as birthdate, gender
          FROM child_info ORDER BY picture_number ASC";

$result = mysql_query($query);


if(!$result)
	{
 		echo "There was a problem getting the data";
	}
else if(!$result)
	{
		echo "There were no results";
	}
else
	{
		echo "<b><center>Children to be sponsored</center></b><br><br>\n";
while($row = mysql_fetch_assoc($result))
	{


echo "<table border='1'>
<tr>
<th>Picture Number</th>
<th>First Name</th>
<th>Middle Name</th>
<th>First Family Name</th>
<th>Second Family Name</th>
<th>Birthdate<br> M-D-Y</th>
<th>Gender</th>
</tr>";


  {
		  echo "<tr>";
		  echo "<td>" . $row['picture_number'] . "</td>";
		  echo "<td>" . $row['first_name'] . "</td>";
		  echo "<td>" . $row['middle_name'] . "</td>";
		  echo "<td>" . $row['first_family_name'] . "</td>";
		  echo "<td>" . $row['second_family_name'] . "</td>";
		  echo "<td>" . $row['birthdate'] . "</td>";
		  echo "<td>" . $row['gender'] . "</td>";
		  echo "</tr>";
  }
echo "</table>";
		}
}
mysql_close();
?>

guinbrO

You can simply use $POST. Following your code you could use something like:

$firstAge = $_POST["first_age"];
$secondAge = $_POST["second_age"];

toney85

$firstAge = $POST["first_age"];
$secondAge = $POST["second_age"];
$male = $POST["male"];
$female = $POST["female"];

how do I rewrite this to go with the above =

$query = "SELECT picture_number, first_name, middle_name, first_family_name, second_family_name, DATE_FORMAT(birthdate, '%c-%e-%Y') as birthdate, gender
FROM child_info ORDER BY picture_number ASC";

guinbrO

Use the WHERE clause for a MySQL query. This would be an example, using your query:

$query = "SELECT picture_number, first_name, middle_name, first_family_name, second_family_name, DATE_FORMAT(birthdate, '%c-%e-%Y') as birthdate, gender
FROM child_info WHERE firstAge = '$firstAge' ORDER BY picture_number ASC";

toney85

	
	if(isset($_POST['submit'])) //make sure submit button has been clicked
	{
		$gender = $_POST['gender']; //radio button value
		$first_age = $_POST['first_age']; //dd value
		$second_age = $_POST['second_age']; //dd value
	 	$sql = "SELECT picture_number, first_name, middle_name, first_family_name, second_family_name, DATE_FORMAT(birthdate, '%c-%e-%Y') as birthdate, gender = '$gender' and something_else = '$first_age' and something_else = '$second_age' FROM child_info ORDER BY picture_number ASC";
	}

what about using something like this

guinbrO

Like you, I am a "newbie". I would say give it a go. If it works that's fantastic 🙂. I don't think it will, I believe you will need to use the WHERE clause, and I believe that this would be better practice overall.

Weedpacket

I would strongly recommend not doing this, with a WHERE clause or not, because you have no idea what $_POST['gender'] etc. actually contain. See http://ww.php.net/manual/en/security.database.sql-injection.php for details about the problem.

Get to grips with the [man]PDO[/man] or [man]mysqli[/man] interfaces and their support for prepared statements, and use those instead. (Actually, you should be using those anyway; the old mysql interface only remains for compatibility with existing software and should not be used for new development. See http://www.php.net/manual/en/mysqlinfo.api.choosing.php)

toney85

how would you write this in mysqli

guinbrO

Weedpacket;10999109 wrote:
I would strongly recommend not doing this, with a WHERE clause or not, because you have no idea what $_POST['gender'] etc. actually contain. See http://ww.php.net/manual/en/security.database.sql-injection.php for details about the problem.

Get to grips with the [man]PDO[/man] or [man]mysqli[/man] interfaces and their support for prepared statements, and use those instead. (Actually, you should be using those anyway; the old mysql interface only remains for compatibility with existing software and should not be used for new development. See http://www.php.net/manual/en/mysqlinfo.api.choosing.php)

Hmm good to know, thanks for the heads up. I'll have to do some reading on MySQLi. It's been a while heh.

dlhylton

To retrieve information from a radio button in PHP, check out this link:

MOD EDIT: (Terrible) external link removed.

And then in order to search it, you can then just use its value attribute. If ($value== ), then

I believe that's how it would work.

johanafm

Do NOT use the information provided on the target page of the above poster's link.

dlhylton;10999302 wrote:
To retrieve information from a radio button in PHP, check out this link:

It suggests that you take input and use it without any kind of sanitizing, which means that the end user could send

<script>// This is an xss attack...</script>

which ends up in $_POST['whatever'], which is then echoed to screen. If this is only ever echoed back once to the user posting it, the risk is not as high as if you'd also store the script element and its content and displayed it to anyone viewing the page (for example if this was a comment on a blog or news article).
However, it's still possible to use this weakness by means of tricking an unwary poster into posting this himself.

Regardless of risk, you never ever use any kind of input without properly sanitizing it, which was the point weedpacket tried to make earlier on. And just beause you need different techniques to make something safe for use in db queries and to display them in an HTML page doesn't mean that you can ignore one or the other.