
change of status using php and mysql

I have created a webpage for task management using php, mysql and html, where I fill out the html page and store it in a mysql database. Also, it lists the task assigned to. I have a dropdown list for status (i.e. new, accepted, rejected, completed). I want to update the change in the status when it's done or accepted by user and closed. Please help me.

This is the php and mysql script. Please let me know if I have made any mistake.

===============================================

<?php

$months= array("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
$years = array(2010,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020);
$statuses= array("New","Accepted","Rejected","Started","Done","Verified");

// Initialise everything the form echoes back, so the first (GET) visit does not
// raise undefined-variable notices and $msg can be appended to below.
$msg = '';
$taskname = $description = $status = $firstname = $lastname = $email = '';
$month_task = $dt = $year_task = $month = $date = $year = '';
$requestorFN = $requestorLN = $emailAddress = '';

if(!empty($_POST["submit"]))
  {
  $taskname =$_POST['taskN'];
  $description = $_POST['desc'];
  $status = $_POST['status1'];
  $firstname = $_POST['fname'];
  $lastname = $_POST['lname'];
  $email = $_POST['email1'];

  $month_task = $_POST['month'];
  $dt=$_POST['date'];
  $year_task=$_POST['year'];
  $dateProposed="$month_task/$dt/$year_task";
  $month=$_POST['month1'];
  $date=$_POST['day'];
  $year=$_POST['year1'];
  $dateCompletion="$month/$date/$year";
  $requestorFN = $_POST['requestorfn'];
  $requestorLN = $_POST['requestorln'];

  $emailAddress = $_POST['email'];
 if(empty($taskname)){$msg .= "You did not enter the title<br />";}
 if(empty($description)){$msg .= "You did not enter the description<br />";}
 if(empty($requestorFN)){$msg .= "You did not enter the name<br />";}
 if(empty($requestorLN)){$msg .= "You did not enter the name<br />";}
 if(empty($emailAddress)){$msg .= "You did not enter the email address<br />";}
 if(empty($status)){$msg .= "You did not select a priority<br />";}
 // The combined "m/d/y" string is never empty (it always contains the slashes),
 // so check the individual dropdown values instead.
 if(empty($month_task) || empty($dt) || empty($year_task)){$msg .= "You did not enter the date of submission<br />";}
 if(empty($firstname)){$msg .= "You did not enter the name<br />";}
 if(empty($lastname)){$msg .= "You did not enter the name<br />";}
 if(empty($email)){$msg .= "You did not enter the email address<br />";}
 if(empty($month) || empty($date) || empty($year)){$msg .= "You did not enter the completion date";}

if(empty($msg))
 {

  $dbc = mysqli_connect('localhost','divya', 'All4Y0u!', 'ic4d') or die('Error connecting to MySQL server.');


  $query = "INSERT INTO Assign_Tasks (taskname,description ,status,firstname,lastname,email,dateProposed, dateCompletion,requestorFN,requestorLN,emailAddress) "."VALUES ('$taskname','$description','$status','$firstname','$lastname','$email','$dateProposed','$dateCompletion','$requestorFN','$requestorLN', '$emailAddress')";


$result = mysqli_query($dbc, $query) or die('Error querying database.');

mysqli_close($dbc);

}
}
?>

<html>
<head>
<title> Submit Task </title>
</head>
<body>
<form action="#" name="form" method="post">
(*) required fields <br>
<br>
<br>
<br>
Task Title: * <br>
<textarea name="taskN" cols=50 rows=2><?php echo $taskname; ?></textarea>
<br>
<br>
Task Description: *<br>
<textarea name="desc" cols=50 rows=10><?php echo $description; ?></textarea>
<br>
<br>

Priority Level:*<br> <select name="status1">
<option value=""></option >
<?php
for($i=0;$i<count($statuses);$i++)
{
if($status == $statuses[$i]){echo "<option value='{$statuses[$i]}' selected> {$statuses[$i]} </option>";}
 else{echo "<option value='{$statuses[$i]}'> {$statuses[$i]} </option> ";}
 }
?>
</select>
<br>
<br>
First Name:*
<textarea name="fname" cols=30 rows=2><?php echo $firstname; ?></textarea>
<br>
<br>
Last name:*
<textarea name="lname" cols=30 rows=2><?php echo $lastname; ?></textarea>
<br>
<br>

Developer Email:*
<textarea name="email1" cols=30 rows=2><?php echo $email; ?></textarea>
<br>
<br>

Date of Submission: *
<br>
<br>
Month <select name="month">
<option value=""></option >
<?php
for($i=0;$i<count($months);$i++)
{
 if($month_task == $months[$i]){echo "<option value='{$months[$i]}' selected> {$months[$i]} </option >";}
 else{echo "<option value='{$months[$i]}'> {$months[$i]} </option >";}
 }
?>
</select>
Day: <select name="date">
<option value=""></option >
<?php
     for($i=1;$i<=31;$i++)
{
 if($dt == $i){echo "<option value='$i' selected> $i </option >";}
 else{echo "<option value='$i'> $i </option >";}
 }
?>
</select>

Year: <select name="year">
<option value=""></option >
<?php
for($i=0;$i<count($years);$i++)
{
 if($year_task == $years[$i]){echo "<option value='{$years[$i]}' selected> {$years[$i]} </option >";}
 else{echo "<option value='{$years[$i]}'> {$years[$i]} </option >";}
 }
?>
</select>
<br>
<br>
Requested Date of Completion:*
<br>
<br>
Month <select name="month1">
<option value=""></option >
<?php
for($i=0;$i<count($months);$i++)
{
 if($month == $months[$i]){echo "<option value='{$months[$i]}' selected> {$months[$i]} </option >";}
 else{echo "<option value='{$months[$i]}'> {$months[$i]} </option >";}
 }
?>
</select>
Day: <select name="day">
<option value=""></option >
<?php
for($i=1;$i<=31;$i++)
{
 if($date == $i){echo "<option value='$i' selected> $i </option >";}
 else{echo "<option value='$i'> $i </option >";}
 }
?>
</select>
Year: <select name="year1">
<option value=""></option >
<?php
for($i=0;$i<count($years);$i++)
{
 if($year == $years[$i]){echo "<option value='{$years[$i]}' selected> {$years[$i]} </option >";}
 else{echo "<option value='{$years[$i]}'> {$years[$i]} </option >";}
 }
?>
</select>
<br>
<br>
Requestor:*
<textarea name="requestorfn" cols=30 rows=2><?php echo $requestorFN; ?></textarea>
<br>
<br>
Requestor:*
<textarea name="requestorln" cols=30 rows=2><?php echo $requestorLN; ?></textarea>
<br>
<br>

Requestor Email Address:*
<textarea name="email" cols=40 rows=2><?php echo $emailAddress; ?></textarea>
<br>
<br>
<input type="submit" name="submit"  value="Submit">
<input type="reset" onClick="return confirm('Are you sure you want to reset the form?')" value="Reset">
<input type="button" name="Cancel" value="Cancel" onClick="window.location='https://fenris.nws.noaa/dokuwiki/doku.php?id=developer_pages:ic4d_project_pages:main '"/>
</form>
<div id="msg" style="position:absolute;top:200px;left:500px;color:#f00;padding:10px;border:3px solid #f00;display:none;"><?php echo $msg; ?><p><button onclick="document.getElementById('msg').style.display = 'none'">Close</button></p></div>

<?php
if(!empty($msg)){echo "<script>document.getElementById('msg').style.display = 'block'</script>";}
 ?>

</body>
</html>


The single biggest mistake in your code is that it is extremely vulnerable to SQL injection flaws. Any user changing one of the POST inputs to a non-SQL safe string will be able to damage your database very easily.

https://stackoverflow.com/search?q=sql+injection

The next biggest issue is that you are not escaping HTML characters in the output, making it trivial to introduce Cross Site Scripting (XSS) attacks.

I highly recommend you read the OWASP Top 10 Security Flaws so you can get an understanding of where you're making basic mistakes.
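As an added example (not code from the question or the answer above), here is the same INSERT and the status-change UPDATE the question asks about, rewritten with mysqli prepared statements so POST values never become part of the SQL text, plus an output-escaping helper to replace the bare `<?php echo $taskname; ?>` in the form. It assumes the Assign_Tasks table from the question with an extra integer `id` column (an assumption) to address the row being updated.

```php
<?php
// Added example, not the asker's code. Assumes the question's Assign_Tasks
// table plus an integer primary key `id` (assumption) for the UPDATE.

$statuses = array("New", "Accepted", "Rejected", "Started", "Done", "Verified");

// Escape a value for HTML output; use this wherever the form echoes a POST
// value back into a <textarea> or <option>, which fixes the XSS issue.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Insert a task. Every column is a bound string parameter ('s'), so a value
// containing quotes or SQL keywords is stored as data, not executed as SQL.
function insertTask(mysqli $dbc, array $t) {
    $sql = "INSERT INTO Assign_Tasks (taskname, description, status, firstname, lastname,"
         . " email, dateProposed, dateCompletion, requestorFN, requestorLN, emailAddress)"
         . " VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = $dbc->prepare($sql);
    if ($stmt === false) { return false; }
    $stmt->bind_param('sssssssssss',
        $t['taskname'], $t['description'], $t['status'], $t['firstname'], $t['lastname'],
        $t['email'], $t['dateProposed'], $t['dateCompletion'], $t['requestorFN'],
        $t['requestorLN'], $t['emailAddress']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Change a task's status. The new value must be one of the dropdown's own
// statuses (whitelist) and is still bound as a parameter, never interpolated.
function updateTaskStatus(mysqli $dbc, $taskId, $newStatus, array $statuses) {
    if (!in_array($newStatus, $statuses, true)) {
        return false; // anything not in the known list is rejected outright
    }
    $stmt = $dbc->prepare("UPDATE Assign_Tasks SET status = ? WHERE id = ?");
    if ($stmt === false) { return false; }
    $id = (int)$taskId; // forces an integer even if the POST value was tampered with
    $stmt->bind_param('si', $newStatus, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage from the question's form handler (connection details as in the question):
// $dbc = new mysqli('localhost', 'divya', 'All4Y0u!', 'ic4d');
// updateTaskStatus($dbc, $_POST['id'], $_POST['status1'], $statuses);
// echo '<textarea name="taskN" cols=50 rows=2>' . h($taskname) . '</textarea>';
```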
