having trouble in mysql if statement
Question
I just want to simplify what I am doing before, having multiple php files for all data to be listed. Here is my html form:
<table border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#D3D3D3">
<tr>
<form name="formcheck" method="post" action="list.php" onsubmit="return formCheck(this);">
<td>
<table border="0" cellpadding="3" cellspacing="1" bgcolor="">
<tr>
<td colspan="16" height="25" style="background:#5C915C; color:white; border:white 1px solid; text-align: left"><strong><font size="3">List Students</td>
</tr>
<tr>
<td width="30" height="35"><font size="3">*List:</td>
<td width="30"><input name="specific" type="text" id="specific" maxlength="25" value="">
</td>
<td><font size="3">*By:</td>
<td>
<select name="general" id="general">
<font size="3">
<option>Year</option>
<option>Address</option>
</select></td></td>
</tr>
<tr>
<td width="10"><input align="right" type="submit" name="Submit" value="Submit" > </td>
</tr>
</form>
</table>
And here's the form action:
<?php
$con = mysql_connect("localhost","root","nitoryolai123$%^");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
mysql_select_db("school", $con);
$gyear= $_POST['general'];
if ("YEAR"==$_POST['general']) {
$result = mysql_query("SELECT * FROM student WHERE YEAR='{$_POST["specific"]}'");
echo "<table border='1'>
<tr>
<th>IDNO</th>
<th>YEAR</th>
<th>LASTNAME</th>
<th>FIRSTNAME</th>
</tr>";
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['IDNO'] . "</td>";
echo "<td>" . $row['YEAR'] . "</td>";
echo "<td>" . $row['LASTNAME'] . "</td>";
echo "<td>" . $row['FIRSTNAME'] . "</td>";
echo "</tr>";
}
echo "</table>";
}
mysql_close($con);
?>
Please help, how do I equate the YEAR(column in mysql database) and the option box(general).
if ("YEAR"==$_POST['general'])
please correct me if I'm wrong.
2 answers
solution1
1 ACCPTED 2010-04-19 09:16:39
<option>Year</option>
you just need to change that to
<option value="YEAR">Year</option>
also definitely have a read of this page : http://en.wikipedia.org/wiki/SQL_injection because otherwise your code is wide open to nasty attacks.
[edit : also pay heed to the comments on your original question, posting your real root username/password on a website isn't a very good idea.]
solution2
-1 2010-04-19 09:18:12
if ("YEAR"==$_POST['general']) {
$result = mysql_query("SELECT * FROM student WHERE date_format(YEAR, '%Y')='{$_POST["specific"]}'");
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.