ansaurus

Question

Answer 1

+5 A:

I do not see where you actually CALL the function, you only define it. You need to implement a block that reads something like this:

if ($_GET['action']) {
    if ('selectQuery' == $_GET['action']) {
        selectQuery();
    }
}

Pascal 2009-10-25 10:17:22

I took this from an example that showed how to call a function from a form action button, but the function was in a separate file. I though I would be able to do the same, but instead of referencing to a separate file, just replace it with index.php,

TuxMeister 2009-10-25 10:24:15

Answer 2

+2 A:

If you're expecting an integer as a year, get it from the POST superglobal as

$year=(int)$_POST['year_txt'];

And add a parameter to your select function to take the year, then execute how like SanHolo suggested.

BTW, note I cast the variable to an integer (the (int) part) in the example I provided. The code as you have it is a huge security hole. You need to look up data santization, SQL injection, and possibly parameterized prepared statements (check out PDO).

Where you put in $_POST['year_txt'], someone could put ANYTHING straight into your SQL statement... Like, "90;delete from movies where 1;". Check out the SQL statement that would create!

Do not ever print out user supplied input and CERTAINLY don't put it into an SQL command without first checking it for sanity and sanitizing it. If it's a number, cast to int. If you're receiving a string, use preg_replace to filter out any odd characters. You can also use certain PHP filter_var functions - http://php.net/manual/en/function.filter-var.php

Alex JL 2009-10-25 10:27:00

Thanks for the security directions. I do realize this would be an issue on a public website, although this is a personal project and will running on my home server. I'm going to be the only one using it. I'm still fighting with the code, though, so if you have any further directions, would me much appreciated. Thanks.

TuxMeister 2009-10-25 11:05:58

Sure. I'll post a version that shows more how I'd do it, separating the SQL function from the output and program logic.

Alex JL 2009-10-25 12:46:26

Answer 3

A:

Okay, here's a rewritten version. Of course it's still not ideal but this should help.

<html>
<head><title>Movies, yo</title></head>
<body>

<?php
$year=(int)$_POST['year_txt'];

function selectQuery($year)
  {
  $con = mysql_connect("localhost","readonly","");
  if (!$con)
    {
    die('Could not connect: ' . mysql_error());
    }

  mysql_select_db("mediadb", $con);
  $result = mysql_query("SELECT title, director FROM movies WHERE year = $year");

  $movie_results=array();

  while($row = mysql_fetch_array($result))
   {
   $movie_results[]=$row;
   }

  mysql_close($con);

  return $movie_results;
  }

function print_movies($movie_array)
  { ?>
  <table border='1' background='lightgray'>
    <tr>
     <th>Title</th>
     <th>Director</th>
    </tr>
  <?php
  foreach($movie_array as $a_movie)
    { ?>
    <tr>
     <td><?php echo $a_movie['title'];?></td>
     <td><?php echo $a_movie['director'];?></td>
    </tr>
    <?php
    }//end foreach movie_array?>
  </table>
  <?php
  }?>

<p>
<!-- start of entry form -->
<form action="index.php" method="post">
Year: <input type="text" name="year_txt" value='<?php echo $year;?>'/>
<input type='hidden' value='selectQuery' name='action'/>
<input type="submit"/>
</form>
<!-- end of entry form -->
</p>

<?php

 if ('selectQuery'==$_POST['action'])
  {
  if ($year>0)

$movie_results=selectQuery($year);
    if(!empty($movie_results))
      {
      print_movies($movie_results);
      }
else
      {
      echo "No movie was found for $year<br>";
      }
    }//end if 'year is valid'
  else
    {
    echo "Please enter a valid year<br>";
    }
  }//end if 'action was selectQuery'
?>
</body>
</html>

Alex JL 2009-10-25 12:45:52

ansaurus

tags:

views:

answers:

PHP function call from form not working

related questions