
Good AM. I have a query that needs a value upon submission. Here it is:

```php
<?php
$conn = mysql_connect("localhost","root","");

mysql_select_db('irm',$conn);

if(isset($_GET['Submit'])){
    $customer_date = $_GET['customer_date'];
}
?>
<?php

$tryshow =" SELECT c.customer_date, c.lastname, c.firstname,
   s.room_number, s.date_in, s.date_out
FROM customers c
    INNER JOIN services s
        ON c.customer_date = s.date_in
 WHERE c.customer_date = '$customer_date'";

$result = @mysql_query($tryshow,$conn)
            or die(mysql_error());

if (mysql_num_rows($result) == 0) {
    echo "No rows found, nothing to print...";
}
while($row=mysql_fetch_assoc($result)){
?>
```

I think my problem is that even if I submit a date, $customer_date doesn't hold any value, thus leading to my "no rows found" echo...

I need some of your advice. Thanks in advance, hope you can help me soon. -renz

renz
  • Are you sure that $_GET['customer_date'] is set just because $_GET['Submit'] is? Try var_dumping the $_GET parameter. – Stefan H Singer Mar 03 '11 at 20:52
  • You need to also post the form you are using to call this code – Pekka Mar 03 '11 at 20:52
  • Before you go any further, learn what SQL injection is and how to stop it. Right now, it's a good thing your code doesn't work. – lonesomeday Mar 03 '11 at 20:53
  • Sanitize your post/get values. – Ian P Mar 03 '11 at 20:54
  • re [SQL injection](http://stackoverflow.com/questions/601300/what-is-sql-injection) – Pekka Mar 03 '11 at 20:54
  • Let this guy learn the basics before whining about injection... – Michael Mar 03 '11 at 20:56
  • make sure you're using `
    `, and ``
    – drudge Mar 03 '11 at 20:59
  • OK, thanks for the replies, guys. But I'm making a simple system using PHP and MySQL, and I have a form that needs a date as input to show reports for that date. The query above is not the full code; I just showed the PHP. The user picks a date and submits it, and I'm trying to show data from that date, like room number etc. So sorry if you find the question dumb. Sorry for asking; I tried asking before about something but I still got some errors. – renz Mar 03 '11 at 21:03
  • @renz: It's not a dumb question. It's just that, as it is now, it wouldn't take much for your server to get compromised. – drudge Mar 03 '11 at 21:12

3 Answers


I think your quotes are wrong; your query is sending $customer_date instead of the value inside the variable. Try this:

```php
$tryshow =' SELECT c.customer_date, c.lastname, c.firstname,
   s.room_number, s.date_in, s.date_out
FROM customers c
    INNER JOIN services s
        ON c.customer_date = s.date_in
 WHERE c.customer_date = "'.$customer_date.'"';
```

Michael
  • Thanks for your reply. I tried it but still no rows are being shown. Thanks again – renz Mar 03 '11 at 21:03
  • Did you try inserting a date manually to see if you get any results at all? Or try echoing your query, copy-paste it into phpMyAdmin and see what happens if you run it. – Michael Mar 03 '11 at 21:05
  • Tried it in phpMyAdmin and I guess I have a wrong query; it returns zero rows – renz Mar 03 '11 at 21:07
  • Well, try fixing the query in phpMyAdmin and your page should be up and running in no time :) – Michael Mar 03 '11 at 21:09
  • OK, thanks again, I managed to get it to work by removing the isset – renz Mar 03 '11 at 22:11

Please please learn about quoting/escaping values in mysql because currently your code is subject to SQL injections.

cweiske

Unrelated to your question, but your code is wide open to SQL injection. You are building your query with user input that is not sanitized in any way. At the very least, you should be using mysql_real_escape_string. I could, with minimal effort, enumerate enough information about your database to stick in a "DROP DATABASE YOUR DB" statement into the querystring, thus deleting all of your data.

David
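
The report query from the question with the date bound as a parameter and validated first, as an added example that is not part of the original thread. It assumes PDO with the SQLite driver and an in-memory database standing in for the MySQL `irm` database; the function names, sample rows and sample requests are constructed for illustration.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for the
// MySQL "irm" database so the script runs offline; all rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (customer_date TEXT, lastname TEXT, firstname TEXT)");
$pdo->exec("CREATE TABLE services (room_number INTEGER, date_in TEXT, date_out TEXT)");
$pdo->exec("INSERT INTO customers VALUES ('2011-03-03', 'Cruz', 'Ana')");
$pdo->exec("INSERT INTO services VALUES (12, '2011-03-03', '2011-03-05')");

/** Return the date as YYYY-MM-DD, or null if it is missing or not a real date. */
function parse_report_date(array $query): ?string
{
    $raw = $query['customer_date'] ?? null;   // test the field itself, not 'Submit'
    if (!is_string($raw)) { return null; }
    $d = DateTime::createFromFormat('!Y-m-d', $raw);
    // Round-trip comparison rejects trailing characters and dates like 2011-02-31.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $raw : null;
}

/** Run the report query; the date travels as a bound value, never as SQL text. */
function report_for_date(PDO $pdo, string $date): array
{
    $stmt = $pdo->prepare(
        'SELECT c.customer_date, c.lastname, c.firstname,
                s.room_number, s.date_in, s.date_out
           FROM customers c
     INNER JOIN services s ON c.customer_date = s.date_in
          WHERE c.customer_date = :customer_date'
    );
    $stmt->execute([':customer_date' => $date]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed requests: a valid date, a missing field, a value with a stray quote.
$requests = [
    ['Submit' => 'Go', 'customer_date' => '2011-03-03'],
    ['Submit' => 'Go'],
    ['Submit' => 'Go', 'customer_date' => "2011-03-03'"],
];
foreach ($requests as $query) {
    $date = parse_report_date($query);
    if ($date === null) {
        echo "Rejected: customer_date is missing or not YYYY-MM-DD\n";
        continue;
    }
    $rows = report_for_date($pdo, $date);
    echo count($rows) . " row(s) for $date\n";
}
```

Checking `customer_date` directly also covers the case raised in the first comment, where `Submit` is set but the date field is not.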