
if(isset($_GET['Submit']))... help

Good AM. I have a query that needs a value upon submission. Here it is:

<?php
$conn = mysql_connect("localhost","root","");

mysql_select_db('irm',$conn);

if(isset($_GET['Submit'])){
$customer_date = $_GET['customer_date'];
}
?>
<?php

$tryshow =" SELECT c.customer_date, c.lastname, c.firstname,
   s.room_number, s.date_in, s.date_out
FROM customers c
    INNER JOIN services s
        ON c.customer_date = s.date_in
 WHERE c.customer_date = '$customer_date'";

$result = @mysql_query($tryshow,$conn)
            or die(mysql_error());

if (mysql_num_rows($result) == 0) {
echo "No rows found, nothing to print...";
}
while($row=mysql_fetch_assoc($result)){ 
?>

I think my problem is that even if I submit a date, $customer_date doesn't hold any value, thus leading to my "No rows found" echo...

Need some of your advice, and thanks in advance. Hope you can help me soon. -renz


I think your quotes are wrong; your query is sending $customer_date instead of the value inside the variable. Try this:

$tryshow =' SELECT c.customer_date, c.lastname, c.firstname,
   s.room_number, s.date_in, s.date_out
FROM customers c
    INNER JOIN services s
        ON c.customer_date = s.date_in
 WHERE c.customer_date = "'.$customer_date.'"';


Please please learn about quoting/escaping values in mysql because currently your code is subject to SQL injections.


Unrelated to your question, but your code is wide open to SQL injection. You are building your query with user input that is not sanitized in any way. At the very least, you should be using mysql_real_escape_string. I could, with minimal effort, enumerate enough information about your database to stick in a "DROP DATABASE YOUR DB" statement into the querystring, thus deleting all of your data.
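
An added example, not part of the original thread: the same lookup with the date validated and passed as a bound parameter through PDO (the mysql_* functions used above were removed in PHP 7). It assumes an in-memory SQLite database with constructed rows so it runs offline; the helper names parse_customer_date and find_stays are hypothetical.

```php
<?php
// Added example, not code from the thread. In-memory SQLite keeps it runnable offline;
// for MySQL only the DSN changes (assumed: 'mysql:host=localhost;dbname=irm').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and rows, shaped like the tables in the question.
$pdo->exec("CREATE TABLE customers (customer_date TEXT, lastname TEXT, firstname TEXT)");
$pdo->exec("CREATE TABLE services (room_number INTEGER, date_in TEXT, date_out TEXT)");
$pdo->exec("INSERT INTO customers VALUES ('2011-01-05', 'Cruz', 'Ana')");
$pdo->exec("INSERT INTO services VALUES (101, '2011-01-05', '2011-01-08')");

// Accept only a real calendar date in YYYY-MM-DD form; return null otherwise.
function parse_customer_date(array $input): ?string
{
    if (!isset($input['Submit'], $input['customer_date']) || !is_string($input['customer_date'])) {
        return null; // form not submitted, or field missing / sent as an array
    }
    $d = DateTime::createFromFormat('!Y-m-d', $input['customer_date']);
    // Round-trip comparison rejects trailing junk and dates such as 2011-02-31.
    return ($d && $d->format('Y-m-d') === $input['customer_date']) ? $input['customer_date'] : null;
}

function find_stays(PDO $pdo, string $date): array
{
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT c.customer_date, c.lastname, c.firstname,
                s.room_number, s.date_in, s.date_out
           FROM customers c
          INNER JOIN services s ON c.customer_date = s.date_in
          WHERE c.customer_date = :customer_date'
    );
    $stmt->execute([':customer_date' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests standing in for $_GET.
$requests = [
    ['Submit' => 'Go', 'customer_date' => '2011-01-05'],    // valid date
    ['Submit' => 'Go', 'customer_date' => "2011-01-05' x"], // stray quote: rejected
    [],                                                      // form not submitted
];
foreach ($requests as $get) {
    $date = parse_customer_date($get);
    if ($date === null) { echo "Please submit a date as YYYY-MM-DD.\n"; continue; }
    $rows = find_stays($pdo, $date);
    echo $rows ? count($rows) . " row(s) for $date\n" : "No rows found, nothing to print...\n";
}
```

The third request covers the case in the question: when the form has not been submitted, the query is never run instead of being built from an undefined variable.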
