Guys, I'm trying to call a function from a form within the same .php file, but when the Submit button is hit, the table doesn't get generated.

Here's the code:

<p>
<?php
function selectQuery()
{
    $con = mysql_connect("localhost","readonly","");
    if (!$con)
    {
      die('Could not connect: ' . mysql_error());
    }

    mysql_select_db("mediadb", $con);
    $result = mysql_query("SELECT title, director FROM movies WHERE year = '$_POST[year_txt]'");
    echo "<table border='1' background='lightgray'>
     <tr>
      <th>Title</th>
      <th>Director</th>
     </tr>";

    while($row = mysql_fetch_array($result))
    {
      echo "<tr>"; 
      echo "<td>" . $row['title'] . "</td>";
      echo "<td>" . $row['director'] . "</td>";
      echo "</tr>";
    }
    echo "</table>";
    mysql_close($con);
}
?>
</p>
<p>
<!-- start of entry form -->
<form action="index.php?action=selectQuery" method="post">
Year: <input type="text" name="year_txt" />
<input type="submit"/>
</form>
<!-- end of entry form -->
</p>

Any idea why this isn't working?

Thanks in advance, guys and gals!

+5  A: 

I do not see where you actually CALL the function, you only define it. You need to implement a block that reads something like this:

// Call the function only when the form's action parameter asks for it
if (isset($_GET['action'])) {
    if ('selectQuery' == $_GET['action']) {
        selectQuery();
    }
}
Pascal
I took this from an example that showed how to call a function from a form action button, but the function was in a separate file. I thought I would be able to do the same, but instead of referencing a separate file, just replace it with index.php,
TuxMeister
+2  A: 

If you're expecting an integer as a year, get it from the POST superglobal as

$year=(int)$_POST['year_txt'];

And add a parameter to your select function to take the year, then execute it like SanHolo suggested.

BTW, note I cast the variable to an integer (the (int) part) in the example I provided. The code as you have it is a huge security hole. You need to look up data sanitization, SQL injection, and possibly parameterized prepared statements (check out PDO).

Where you put in $_POST['year_txt'], someone could put ANYTHING straight into your SQL statement... Like, "90;delete from movies where 1;". Check out the SQL statement that would create!

Do not ever print out user supplied input and CERTAINLY don't put it into an SQL command without first checking it for sanity and sanitizing it. If it's a number, cast to int. If you're receiving a string, use preg_replace to filter out any odd characters. You can also use certain PHP filter_var functions - http://php.net/manual/en/function.filter-var.php

Alex JL
Thanks for the security directions. I do realize this would be an issue on a public website, although this is a personal project and will be running on my home server. I'm going to be the only one using it. I'm still fighting with the code, though, so if you have any further directions, it would be much appreciated. Thanks.
TuxMeister
Sure. I'll post a version that shows more how I'd do it, separating the SQL function from the output and program logic.
Alex JL
A: 

Okay, here's a rewritten version. Of course it's still not ideal but this should help.

<html>
<head><title>Movies, yo</title></head>
<body>

<?php
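// Cast to int so only a number can reach the SQL string; 0 until the form is submitted
$year = isset($_POST['year_txt']) ? (int)$_POST['year_txt'] : 0;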

function selectQuery($year)
  {
  $con = mysql_connect("localhost","readonly","");
  if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("mediadb", $con);
  $result = mysql_query("SELECT title, director FROM movies WHERE year = $year");

  $movie_results=array();

  while($row = mysql_fetch_array($result))
   {
   $movie_results[]=$row;
   }

  mysql_close($con);

  return $movie_results;
  }

function print_movies($movie_array)
  { ?>
  <table border='1' background='lightgray'>
    <tr>
     <th>Title</th>
     <th>Director</th>
    </tr>
  <?php
  foreach($movie_array as $a_movie)
    { ?>
    <tr>
     <td><?php echo htmlspecialchars($a_movie['title']);?></td>
     <td><?php echo htmlspecialchars($a_movie['director']);?></td>
    </tr>
    <?php
    }//end foreach movie_array?>
  </table>
  <?php
  }?>

<p>
<!-- start of entry form -->
<form action="index.php" method="post">
Year: <input type="text" name="year_txt" value='<?php echo $year;?>'/>
<input type='hidden' value='selectQuery' name='action'/>
<input type="submit"/>
</form>
<!-- end of entry form -->
</p>

<?php

// Only run the query when the form was submitted with the expected action
if (isset($_POST['action']) && 'selectQuery'==$_POST['action'])
  {
  if ($year>0)
    {
    $movie_results=selectQuery($year);
    if(!empty($movie_results))
      {
      print_movies($movie_results);
      }
    else
      {
      echo "No movie was found for $year<br>";
      }
    }//end if 'year is valid'
  else
    {
    echo "Please enter a valid year<br>";
    }
  }//end if 'action was selectQuery'
?>
</body>
</html>
Alex JL
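
The "parameterized prepared statements (check out PDO)" and filter_var suggestions from the second answer, as an added example that is not code from any poster in this thread. It assumes PHP 7.1+ with the pdo_sqlite extension; an in-memory SQLite table with constructed rows stands in for the thread's MySQL database, and the function names and the 1888-2100 year range are illustrative choices.

```php
<?php
// Assumption: in-memory SQLite with constructed rows stands in for MySQL "mediadb";
// for MySQL only the DSN passed to new PDO() changes.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE movies (title TEXT, director TEXT, year INTEGER)');
    $ins = $pdo->prepare('INSERT INTO movies (title, director, year) VALUES (?, ?, ?)');
    // Constructed sample rows; the second title contains markup on purpose.
    $ins->execute(['Sample Movie A', 'Director One', 1990]);
    $ins->execute(['<b>Sample</b> Movie B', 'Director Two', 1990]);
    return $pdo;
}

// Returns an int year, or null when the input is not a plain integer in range.
function parseYear($raw): ?int
{
    $year = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1888, 'max_range' => 2100]]);
    return $year === false ? null : $year;
}

function selectMovies(PDO $pdo, int $year): array
{
    // The value travels separately from the SQL text, so it cannot alter the statement.
    $stmt = $pdo->prepare('SELECT title, director FROM movies WHERE year = :year');
    $stmt->bindValue(':year', $year, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        // Escape on output: database content is not trusted HTML.
        $html .= '<tr><td>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</td><td>'
               . htmlspecialchars($row['director'], ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $html;
}

$pdo = openDemoDb();
// Constructed inputs: a normal year and the string quoted in the second answer.
foreach (['1990', '90;delete from movies where 1;'] as $raw) {
    $year = parseYear($raw);
    echo $year === null ? "rejected input\n" : renderRows(selectMovies($pdo, $year));
}
```

Run from the command line, the first input prints two table rows with the markup in the second title escaped, and the second input is rejected before any query is built.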