

My first PHP + mySQL page - Need feedback





Jamatu
Well, I've been looking at some tutorials and this is one of my first scripts. I haven't made it look pretty or anything; that will come after I've got all the basic code sorted out.

It basically gets the data from the strikes table of the database and outputs it in an HTML table. It has a search box where users can enter members to search for, and has some JavaScript to validate the text entered. Users can also sort the contents of the table based on member name, number of warnings/strikes and the reasons.

Have you got any feedback? How's the layout? Are there any exploits that I should be aware of, such as SQL injection etc.?

Code:
<?php
include 'config.php';
include 'dbconnect.php';
$srchusr    = $_GET['srchusr']; //Get search string from URL for SQL query
$sortby     = $_GET['sortby'];
$order      = $_GET['order'];
$namesort   = "<a href=\"?sortby=member_name&order=asc\">Name</a>"; //Set defaults for the strings
$warnsort   = "<a href=\"?sortby=member_strikes&order=asc\">No. Warnings</a>";
$reasonsort = "<a href=\"?sortby=member_reasons&order=asc\">Warning reason(s)</a>";

if ($sortby == 'member_name' && $order == 'asc') //If this column is already sorted ascending, make its link sort descending
{
   $namesort = "<a href=\"?sortby=member_name&order=desc\">Name</a>";
}
else if ($sortby == 'member_strikes' && $order == 'asc')
{
   $warnsort = "<a href=\"?sortby=member_strikes&order=desc\">No. Warnings</a>";
}
else if ($sortby == 'member_reasons' && $order == 'asc')
{
   $reasonsort = "<a href=\"?sortby=member_reasons&order=desc\">Warning reason(s)</a>";
}
?>

<html>
<head>
<title>Mortalis User Strike Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript">
function trim(str)
{
   return str.replace(/^\s+|\s+$/g, '');
}

function CheckSearchString()
{
   var cstring = document.forms['searchbox'].elements['srchusr']; //The search text box

   if (trim(cstring.value) == '')
   {
      alert('Please enter a member\'s username');
      cstring.focus();
      return false;
   }
   cstring.value = trim(cstring.value); //Submit the trimmed value
   return true;
}
</script>
</head>
<body>
<b><center>Database Output</center></b><br><br>
<center>
<form method="get" name="searchbox" id="searchbox" action="<?php echo $_SERVER['PHP_SELF'];?>">
   <input name="srchusr" type="text" id="srchusr">
   <input type="submit" id="send" value="Search members" onclick="return CheckSearchString();">
</form>
</center>
<table border="1" cellspacing="0" cellpadding="3" align="center">
   <tr>
      <th scope="col"><?php echo $namesort; ?></th>
      <th scope="col"><?php echo $warnsort; ?></th>
      <th scope="col"><?php echo $reasonsort; ?></th>
   </tr>

<?php
if (isset($_GET['srchusr']))
{
   if(trim($srchusr) !== '')
   {
      $query = "SELECT member_id,member_name,member_strikes,member_reasons FROM details WHERE member_name='$srchusr'";
   }
   else if(trim($srchusr) == '')
   {
      echo "Please enter a search string<br><br>";
      $query = "SELECT member_id,member_name,member_strikes,member_reasons FROM details ORDER BY member_strikes DESC";
   }
}
else if (isset($_GET['sortby']) && $sortby !== '' && isset($_GET['order']) && $order !== '')
{
   $query = "SELECT member_id,member_name,member_strikes,member_reasons FROM details ORDER BY $sortby $order";
}
else
{
   $query = "SELECT member_id,member_name,member_strikes,member_reasons FROM details ORDER BY member_strikes DESC";
}
$result = mysql_query($query);
$num    = mysql_num_rows($result);
mysql_close();

if ($num == 0)
{
   echo "No entries found<br><br>";
}
else
{
$rball="<img src=\"red-status.gif\">"; //some variables so we don't have to keep repeating the same code
$gball="<img src=\"green-status.gif\">";
    while($row = mysql_fetch_row($result))
   {
   $id      = $row[0]; //Name the columns for readability
   $name    = $row[1];
   $strikes = $row[2];
   $reasons = nl2br($row[3]); //Convert newlines to <br> to keep layout
?>
   <tr>
      <td><?php echo $name; ?></td>
      <td><center><?php
      //One red ball per strike, green for the rest (0 to 3 strikes)
      if ($strikes == 0)
      {
         echo "$gball$gball$gball";
      }
      else if ($strikes == 1)
      {
         echo "$rball$gball$gball";
      }
      else if ($strikes == 2)
      {
         echo "$rball$rball$gball";
      }
      else if ($strikes == 3)
      {
         echo "$rball$rball$rball";
      } ?></center></td>
      <td><?php if ($reasons !== '')
      {
         echo $reasons;
      }
      else
      {
         echo "&nbsp;"; //If there is no reason set just put a space so the table layout doesn't get messed up
      } ?></td>
   </tr>
<?php
   }
}
?>
</table>
<br>
<center><a href="login.php">Administration Panel</a></center>
</body>
</html>
AftershockVibe
Haven't got time to have a full proofread, but here's a few things you might want to know...

If you are using HTML within echo statements it can save a lot of time and confusion to use double quotes for one and single for the other, e.g.:

echo '<head class="MainHeader">';

That way you don't need to remember to escape each HTML quote mark with \.

Also, if you're ever validating with JavaScript and this data is going to be used for anything important, make sure you ALSO VALIDATE in PHP.

While JS is useful for giving quick user feedback, as soon as someone arrives with JS turned off, your validation is turned off as well, which can sometimes lead to all sorts of crap being submitted.
Jamatu
Thanks for the tip about using double and single quotes.

About the JavaScript validation, I also used validation in the PHP code as you said:

Code:
else if(trim($srchusr) == '')
   {
      echo "Please enter a search string<br><br>";
      $query = "SELECT member_id,member_name,member_strikes,member_reasons FROM details ORDER BY member_strikes DESC";
   }
n0obie4life
Code:
$srchusr    = $_GET['srchusr']; //Get search string from URL for SQL query
$sortby     = $_GET['sortby'];
$order      = $_GET['order'];


I didn't read through the whole code, but it should be protected by intval, stripslashes, etc.

Example:

$order = intval($_GET['order']);
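The points raised in the two replies above (validate on the server, and never let raw request values reach the query) come together in the following rewrite of the query-building part of the first post. This is an added example, not Jamatu's code or either reply's: the sort column and direction are checked against a fixed list before being interpolated into ORDER BY, the member name is sent through a PDO prepared statement instead of being concatenated into the SQL string, and every value is escaped with htmlspecialchars on output. It assumes dbconnect.php provides a PDO handle in $pdo (an assumption; the original uses the mysql_* functions) and the details table columns from the original.

```php
<?php
// Added example (not the thread's own code): safe handling of the three
// user-controlled inputs from the first post: srchusr, sortby and order.
// Assumes dbconnect.php provides a PDO connection in $pdo (hypothetical).
include 'config.php';
include 'dbconnect.php';

// Only these column names and directions may ever reach ORDER BY. Identifiers
// cannot be bound as parameters, so a fixed whitelist is the right tool here.
$allowedSort  = array('member_name', 'member_strikes', 'member_reasons');
$allowedOrder = array('asc', 'desc');

$srchusr = isset($_GET['srchusr']) ? trim($_GET['srchusr']) : '';
$sortby  = isset($_GET['sortby'])  ? $_GET['sortby'] : '';
$order   = isset($_GET['order'])   ? strtolower($_GET['order']) : '';
if (!in_array($sortby, $allowedSort, true))  { $sortby = 'member_strikes'; }
if (!in_array($order,  $allowedOrder, true)) { $order  = 'desc'; }
if (isset($_GET['srchusr']) && $srchusr === '') {
    echo "Please enter a search string<br><br>"; // server-side check, JS or not
}

$sql    = 'SELECT member_id, member_name, member_strikes, member_reasons FROM details';
$params = array();
if ($srchusr !== '') {
    // The value travels separately from the SQL text, so quotes or comment
    // sequences in the search string cannot alter the statement.
    $sql .= ' WHERE member_name = :name';
    $params[':name'] = $srchusr;
}
$sql .= " ORDER BY $sortby $order"; // both are whitelisted literals by now

$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// Escape on output so a stored name such as <script>...</script> renders as text.
function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

if (count($rows) === 0) {
    echo "No entries found<br><br>";
}
foreach ($rows as $row) {
    $reasons = (string)$row['member_reasons'] !== '' ? nl2br(h($row['member_reasons'])) : '&nbsp;';
    echo '<tr><td>' . h($row['member_name']) . '</td>'
       . '<td>' . (int)$row['member_strikes'] . '</td>'
       . '<td>' . $reasons . '</td></tr>';
}
?>
```

Note that intval() alone, as suggested in the last reply, does not fit sortby and order, which are words rather than numbers; the whitelist does the equivalent job for them.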
© 2005-2011 Frihost, forums powered by phpBB.