CODEWITHSUNDEEP
phpmysql
shimaTun
shimaTun

Reputation: 11

the data can't display in the form

about my system the university complaint..stud or staff can use this system to complaint. first user fill the form complaint and submit after submit user can view the complaint.now the problem is the complaint can't display....

this code for user complaint(userCampus.php):

?php  // ------------------------------------------------------PROCESS -------------------------- START. ?>
<?php

     $page_title='userCampus';


     if(isset($_POST['submit'])){

         if($_POST['secname']){
          //$sn=escape_data($_POST['secname']);
          $sn=$_POST['secname'];
         // echo '<br> sn is : ' . $sn;
         }else{
         $sn=FALSE;
         $message .='<p>You forgot to select section name!</p>';      
         }

         if($_POST['subject']){ 
          //$s=escape_data($_POST['subject']);
          $s=$_POST['subject'];
         }else{ 
         $s=FALSE;
         $message .='<p>you forgot to enter subject!</p>'; 
        }

         if($_POST['comment']){
         //$c=escape_data($_POST['comment']);
         $c=$_POST['comment'];
         }else{
         $c=FALSE;
         $message .='<p>you forgot to enter comment!</p>';     
         }

         }

         if($sn && $s && $c ){

             $userid = $_SESSION['username'];
             $groupid = $_SESSION['secname'];



             $query=" INSERT INTO campuscomplaint (secname, subject, comment, nameuser, groupid, userid)" . 
                    " VALUES (" . "'" . $sn . "','" . $s . "','" . $c . "','" . $nameuser . "','" . $groupid . "','" . $userid . "')";
             //echo 'query is : ' . $query . '<br>'; 



             include "connectioncomplaint.php";

             mysql_query($query);
             echo'<p><b></b></p>';
             include('done.php');
             exit();
         }


?>
<?php //------------------------------------------------ PROCESS ------------------------------------ end. ?>   




<form action="<?php echo$_SERVER['PHP_SELF'];?>" method="post">

this code for view the complaint-userView.php(use for other page):

<?php //======================================================================================================================= PROCESS DATA ======================================================= START. 
include "connectioncomplaint.php";
?>
<?php


$userid  = $_GET['userid'];
$secname = $_GET['secname'];
$subject = $_GET['subject'];
$comment = $_GET['comment'];

//echo 'test : ' . $subject;
//Tarik data dari sini 
$queryDetail =  " SELECT * FROM campuscomplaint " . 
               " WHERE subject = '" . $subject . "' AND comment = '" . $comment . "' ";
//echo 'QUERY DETAIL :' . $queryDetail . '<br>' ;

$resultDetail = mysql_query($queryDetail);
//echo 'RESULT DETAIL :' . $resultDetail + 0 . '<br>' ;

$detail = mysql_fetch_array($resultDetail);


//echo $detail . '<br>';
//echo 'detail subject is : ' . $detail['subject'] . '<br>';
//echo 'detail comment is : ' . $detail['comment'] . '<br>';
//echo $detail[$x] . '<br>';

?>

i hope u all can help me....becoz i zero php.......

Upvotes: 1

Views: 208

Answers (4)

Marc B
Marc B

Reputation: 360862

It looks you're not using a primary key on your campuscomplaint table, and using the various data fields as the identifier.

Since you say the data's inserted fine, you have to look at how you're retrieving it:

$userid  = $_GET['userid'];
$secname = $_GET['secname'];
$subject = $_GET['subject'];
$comment = $_GET['comment'];

and then using these as your WHERE clause in the SQL query:

$queryDetail =  " SELECT * FROM campuscomplaint " . 
" WHERE subject = '" . $subject . "' AND comment = '" . $comment . "' ";

For one, this is vulnerable to SQL injection, and any $subject or $comment that contains single quotes will break the query. You are not checking to see if the query succeeded by calling mysql_error() after the mysql_query() call.

Also consider that you're retrieving these record "identifiers" from a GET query. These do have a limited length (different for various browsers). What if someone's comment is 10 kilobytes of data, but the browser will only send 1024 characters? Even if the database query succeeds, it will return no data because the comment fields will never match.

Let's say that the query string is limited to 100 characters (just for example purposes). You generate a list of complaints that looks something like this:

<a href="viewcomplaint.php?userid=7&secname=12&subject=This class sucks!!!&comment=Who hired this professor? He doesn't know anything!!!!">View complaint</a>

Now remember, our query string is limited to 32 characters, so when the user clicks on the link, this is what will be sent to the server:

GET http://www.example.com/viewcomplaint.php?userid=7&secname=12&subject=This class sucks!!!&comment=Who hired this professor? He doesn't know a

and you'll end up with the following "identifiers"

$userid= 7;
$secname = 12;
$subject = "This class sucks!!!";
$comment = "Who hired this professor? He doesn't know a";

Notice how the $comment has been cut off. It will never match what is stored in the database, so your retrieval query will fail. Furthermore, notice that there is a single quote in it (doesn't). Inserting $comment into your query verbatim will now cause an SQL syntax error because of the imbalanced single-quote.

Add an auto_incrementing primary key field to your campuscomplaint table, like this:

ALTER TABLE campuscomplaint ADD id int unsigned not null auto_increment primary key;

and then all your complains can be identified by a single number, and you can retrieve them like this:

$id = (int)$_GET['id']; // force $id to be a number. better than just blindly using the value in a query
$query = "SELECT * FROM campuscomplaint WHERE id = $id;";
$result = mysql_query($query);

if (mysql_error()) {
     // did the query fail? Say why!
     die("MySQL query failed! Error cause: " . mysql_error());
}
etc....

The use of a numeric identifier will easily keep your query string very short (unless the people registering complaints file so many you get up into numbers hundreds or thousands of digits long).

Upvotes: 0

Simon
Simon

Reputation: 23149

one thing, from my experience. if something wrong with your query, just try it on mysql. ran your query in sql, and instead of your variables put some values, so you can easaly see what is your problem.

Upvotes: 2

Syntax Error
Syntax Error

Reputation: 4527

Let's see if we can check everything in on snip of code:

Paste the debugging code right after the line:

$detail = mysql_fetch_array($resultDetail);

Debugging code:


echo '<pre>';
echo '$userid = '.$userid."\n";
echo '$secname = '.$secname."\n\n";
echo 'Query: '.$queryDetail."\n\n";
echo 'Query results:'."\n\n";
print_r($detail);
echo '</pre>';
die();

That should make it clear where your problem is.

Also you should understand why you need to use mysql_real_escape_string() It's very important to make sure people don't do bad things to your website. Never send anything that can be changed by the user (such as GET or POST data) straight to a database without at least using this function. This escapes characters that would otherwise allow them to change your query (making it do something you don't want). To learn more about this google "sql injection attack"

Upvotes: 2

Your Common Sense
Your Common Sense

Reputation: 157989

Looks like you forgot a $ sign before secname and you don't sanitize variables going to the query. So, try make it this way:

<?php    
include "connectioncomplaint.php";    

$userid  = mysql_real_escape_string($_GET['userid']);
$secname = mysql_real_escape_string($_GET['secname']);

//Tarik data dari sini     
$queryDetail = "SELECT * FROM campuscomplaint " .     
               "WHERE userid = '$userid' AND secname = '$secname'";    

$resultDetail = mysql_query($queryDetail) or trigger_error(mysql_error()." in ".$queryDetail);
$detail = mysql_fetch_array($resultDetail);    
?>

Upvotes: 0

Related Questions