Question

I'm trying to call a function from a form within the same .php file, but when the Submit button is hit, the table doesn't get generated.

Here's the code:

<p>
<?php
function selectQuery()
{
    $con = mysql_connect("localhost","readonly","");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("mediadb", $con);
    $result = mysql_query("SELECT title, director FROM movies WHERE year = '$_POST[year_txt]'");
    echo "<table border='1' background='lightgray'>
        <tr>
            <th>Title</th>
            <th>Director</th>
        </tr>";

    while($row = mysql_fetch_array($result))
    {
      echo "<tr>";  
      echo "<td>" . $row['title'] . "</td>";
      echo "<td>" . $row['director'] . "</td>";
      echo "</tr>";
    }
    echo "</table>";
    mysql_close($con);
}
?>
</p>
<p>
<!-- start of entry form -->
<form action="index.php?action=selectQuery" method="post">
Year: <input type="text" name="year_txt" />
<input type="submit"/>
</form>
<!-- end of entry form -->
</p>

Any idea why this isn't working?


Solution

If you're expecting an integer as a year, get it from the POST superglobal as

$year=(int)$_POST['year_txt'];

And add a parameter to your select function to take the year, then execute it like SanHolo suggested.

BTW, note I cast the variable to an integer (the (int) part) in the example I provided. The code as you have it is a huge security hole. You need to look up data sanitization, SQL injection, and possibly parameterized prepared statements (check out PDO).

Where you put in $_POST['year_txt'], someone could put ANYTHING straight into your SQL statement... Like, "90;delete from movies where 1;". Check out the SQL statement that would create!

Do not ever print out user supplied input and CERTAINLY don't put it into an SQL command without first checking it for sanity and sanitizing it. If it's a number, cast to int. If you're receiving a string, use preg_replace to filter out any odd characters. You can also use certain PHP filter_var functions - http://php.net/manual/en/function.filter-var.php
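
The validation, parameterized query and output escaping this answer points to, as an added example that is not part of the original answer. It assumes an in-memory SQLite database with one constructed row so it runs offline; parseYear, moviesByYear, renderRows and the 1888-2100 range are hypothetical names and values chosen for illustration.

```php
<?php
// Added example. Assumptions: in-memory SQLite with constructed rows so it runs
// offline; for the page's database the DSN would be "mysql:host=localhost;dbname=mediadb".

// Returns a validated year or null. The 1888-2100 range is an assumed policy.
function parseYear($raw): ?int
{
    // Unlike an (int) cast, which turns "90;delete from movies where 1;" into 90,
    // FILTER_VALIDATE_INT rejects any string that is not entirely an integer.
    $year = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1888, 'max_range' => 2100]]);
    return $year === false ? null : $year;
}

function moviesByYear(PDO $pdo, int $year): array
{
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare('SELECT title, director FROM movies WHERE year = :year');
    $stmt->bindValue(':year', $year, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderRows(array $movies): string
{
    $html = '';
    foreach ($movies as $m) {
        // Escape on output: database content may itself contain markup.
        $html .= '<tr><td>' . htmlspecialchars($m['title'], ENT_QUOTES, 'UTF-8')
               . '</td><td>' . htmlspecialchars($m['director'], ENT_QUOTES, 'UTF-8')
               . "</td></tr>\n";
    }
    return $html;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE movies (title TEXT, director TEXT, year INTEGER)');
$pdo->exec("INSERT INTO movies VALUES ('Sample <b>Movie</b>', 'A. Director', 1990)");

// Constructed inputs standing in for $_POST['year_txt'].
foreach (['1990', '90;delete from movies where 1;', ''] as $input) {
    $year = parseYear($input);
    if ($year === null) {
        echo 'Rejected: ' . htmlspecialchars($input, ENT_QUOTES, 'UTF-8') . "\n";
        continue;
    }
    echo renderRows(moviesByYear($pdo, $year));
}
```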

OTHER TIPS

I do not see where you actually CALL the function, you only define it. You need to implement a block that reads something like this:

if (isset($_GET['action'])) {
    if ('selectQuery' == $_GET['action']) {
        selectQuery();
    }
}

Okay, here's a rewritten version. Of course it's still not ideal but this should help.

<html>
<head><title>Movies, yo</title></head>
<body>

<?php
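// Default to 0 when the form has not been submitted yet (avoids an undefined index)
$year = isset($_POST['year_txt']) ? (int)$_POST['year_txt'] : 0;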

function selectQuery($year)
  {
  $con = mysql_connect("localhost","readonly","");
  if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("mediadb", $con);
  $result = mysql_query("SELECT title, director FROM movies WHERE year = $year");

  $movie_results=array();

  while($row = mysql_fetch_array($result))
   {
   $movie_results[]=$row;
   }

  mysql_close($con);

  return $movie_results;
  }

function print_movies($movie_array)
  { ?>
  <table border='1' background='lightgray'>
    <tr>
     <th>Title</th>
     <th>Director</th>
    </tr>
  <?php
  foreach($movie_array as $a_movie)
    { ?>
    <tr>
     <td><?php echo $a_movie['title'];?></td>
     <td><?php echo $a_movie['director'];?></td>
    </tr>
    <?php
    }//end foreach movie_array?>
  </table>
  <?php
  }?>

<p>
<!-- start of entry form -->
<form action="index.php" method="post">
Year: <input type="text" name="year_txt" value='<?php echo $year;?>'/>
<input type='hidden' value='selectQuery' name='action'/>
<input type="submit"/>
</form>
<!-- end of entry form -->
</p>

<?php

 // Only run the query when the form was submitted with action=selectQuery
 if (isset($_POST['action']) && 'selectQuery'==$_POST['action'])
  {
  if ($year>0)
    {
    $movie_results=selectQuery($year);
    if(!empty($movie_results))
      {
      print_movies($movie_results);
      }
    else
      {
      echo "No movie was found for $year<br>";
      }
    }//end if 'year is valid'
  else
    {
    echo "Please enter a valid year<br>";
    }
  }//end if 'action was selectQuery'
?>
</body>
</html>
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow