I'm working on a little site. My first file is where I can type a name, a sex and a category.

(e.g.: Steven M Junior)

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
        <head>
            <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
            <title>Enter your bib number</title>
        </head>
        <body>
            <h3>Enter your bib number and select your category and sex</h3>
            <form method="post" action="search.php?go" id="searchform">
                <input type="text" name="nummer">
                <select id="categorie" name="categorie">
                    <option value="0"> Select category </option>
                    <option value="B"> Benjamin </option>
                    <option value="P"> Pupil </option>
                    <option value="M"> Miniem </option>
                    <option value="K"> Cadet </option>
                    <option value="L"> Scholier </option>
                    <option value="J"> Junior </option>
                    <option value="S"> Senior </option>
                    <!-- note: value "M" is already used for Miniem above, so the server cannot tell Master apart from it -->
                    <option value="M"> Master </option>
                </select>
                <select id="geslacht" name="geslacht">
                    <option value="0"> Select sex </option>
                    <option value="M"> Male </option>
                    <option value="V"> Female </option>
                </select>
                <input type="submit" name="submit" value="Search">
            </form>
        </body>
    </html>

The second file reads these 3 variables via $_POST, and then searches for them in a MySQL database. This file extracts more info about this person.

(e.g.: sex, name, category, club, date of birth, number); these are all stored in variables.

(e.g.: $Name, $Category, ...)

    <?php
    if(isset($_POST['submit']))
    {
        if(isset($_GET['go']))
        {
            // if(preg_match("/^[0-9]*$/", $_POST['nummer']))
            // {
                $nummer_in=$_POST['nummer'];
                $categorie_in=$_POST['categorie'];
                $geslacht_in=$_POST['geslacht'];

                define('DB_NAME', 'atletiek');
                define('DB_USER', 'root');
                define('DB_PASSWORD', '');
                define('DB_HOST', 'localhost');

                // mysqli_error() needs a link, and there is none if the connect failed,
                // so mysqli_connect_error() is the right call in this die()
                $db=mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD) or die ('I cannot connect to the database because: ' . mysqli_connect_error());

                $mydb = mysqli_select_db($db, DB_NAME);

                // the three POST values are interpolated straight into the SQL text here
                $sql="SELECT * FROM `atleten` WHERE `Borstnr` = $nummer_in AND `Categorie` = '$categorie_in' AND `Geslacht` = '$geslacht_in' ";

                $result=mysqli_query($db, $sql);
                if (!$result)
                {
                    printf("Error: %s\n", mysqli_error($db));
                    exit();
                }

                // each iteration overwrites these variables, so after the loop only the last matching row is left
                while($row=mysqli_fetch_array($result))
                {
                    $ID =$row['ID'];
                    $Geslacht=$row['Geslacht'];
                    $Naam = $row['Naam'];
                    $Categorie = $row['Categorie'];
                    $Club = $row['Club'];
                    $GeboorteJ = $row['Geboortej'];
                    $Nummer = $row['Borstnr'];

                }
            // }
        }
        else
        {
            echo "Please enter a search query ";
        }
    }
    ?>

Now I want to make a third file that prints these values out on the screen. How can I do this?

I've heard about using anchors (?name=Steven) or something like that in the URL of the file, but I have no idea how to use this and can't find a lot of information about it.

Can someone help me out?

Cyber_Star
  • Can you share some code? – M0ns1f Oct 22 '17 at 18:53
  • @M0ns1f added them – Cyber_Star Oct 22 '17 at 18:59
  • If I've understood the problem correctly, you don't need a third file and can print these values from your second file. – Andrzej S. Oct 22 '17 at 19:04
  • @saband I know this, but the 2nd file includes the password of the database; this would be a high security risk, so I only want to use this file to access the database and extract data, then move on to another file. – Cyber_Star Oct 22 '17 at 19:09
  • @Cyber_Star There is no security problem in using this file to print data. Why do you think so? – Andrzej S. Oct 22 '17 at 19:15
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Oct 22 '17 at 19:16
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Oct 22 '17 at 19:16
  • "Anchors" is not the correct term. You're looking for [Query String](https://en.wikipedia.org/wiki/Query_string), where these have an established format and convention for passing them around. Anchors are like `#name` where they link to an element *within* the page, e.g. for navigating from a header to a section of text, though they're used for other purposes like preserving client-side state. – tadman Oct 22 '17 at 19:19

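The hand-off the question asks about (form, then search, then display), written as an added example; it is not the asker's code nor either answer's. It assumes PHP 7.4+ with the mysqlnd driver, a `db_config.php` kept outside the web root at the assumed path `/var/www/private/db_config.php` that defines `DB_HOST`, `DB_USER`, `DB_PASSWORD` and `DB_NAME`, and the `atleten` table with the columns named in the question. The search values travel as bound parameters of a prepared statement rather than as SQL text, the validated values are carried to the display step in the query string (which is what `?name=Steven` is; an anchor is the `#...` part), and every cell is escaped on output.

```php
<?php
// Added example (not the asker's or answerers' code). Assumptions:
//  - /var/www/private/db_config.php sits OUTSIDE the web root and defines
//    DB_HOST, DB_USER, DB_PASSWORD, DB_NAME; the credentials never live in a
//    script the web server could hand out verbatim if PHP handling breaks.
//  - table `atleten` with columns ID, Geslacht, Naam, Categorie, Club, Geboortej, Borstnr.
declare(strict_types=1);

require '/var/www/private/db_config.php';   // assumed path, see above

// Only these codes are meaningful; anything else is rejected before it reaches SQL.
// The question's form reuses "M" for Master; give it its own code before adding it here.
const CATEGORIES = ['B', 'P', 'M', 'K', 'L', 'J', 'S'];
const SEXES      = ['M', 'V'];

/** Validate the three search fields from $src ($_POST or $_GET); null if anything is off. */
function validate_search(array $src): ?array
{
    $nummer = filter_var($src['nummer'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $cat    = $src['categorie'] ?? '';
    $sex    = $src['geslacht'] ?? '';
    if ($nummer === false || !in_array($cat, CATEGORIES, true) || !in_array($sex, SEXES, true)) {
        return null;
    }
    return [$nummer, $cat, $sex];
}

function connect_db(): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
    $db = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    $db->set_charset('utf8mb4');
    return $db;
}

/** Prepared statement: user data is bound as parameters, never spliced into the SQL text. */
function find_athletes(mysqli $db, int $nummer, string $cat, string $sex): array
{
    $stmt = $db->prepare(
        'SELECT ID, Geslacht, Naam, Categorie, Club, Geboortej, Borstnr
           FROM atleten WHERE Borstnr = ? AND Categorie = ? AND Geslacht = ?'
    );
    $stmt->bind_param('iss', $nummer, $cat, $sex);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/** Escape every cell on output so a name like <script> stays text instead of running. */
function render_table(array $rows): string
{
    if ($rows === []) {
        return '<p>No athlete found.</p>';
    }
    $h = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<table><thead><tr>';
    foreach (array_keys($rows[0]) as $col) {
        $html .= '<th>' . $h($col) . '</th>';
    }
    $html .= '</tr></thead><tbody>';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $v) {
            $html .= '<td>' . $h((string) $v) . '</td>';
        }
        $html .= '</tr>';
    }
    return $html . '</tbody></table>';
}

// --- request handling -------------------------------------------------------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 1: the form posts here. Validate, then redirect to a GET URL that carries
    // the search in the query string: search.php?nummer=123&categorie=J&geslacht=M
    // That URL is bookmarkable and could just as well point at a separate show.php.
    $in = validate_search($_POST);
    if ($in === null) {
        http_response_code(400);
        exit('Invalid input.');
    }
    [$nummer, $cat, $sex] = $in;
    $qs = http_build_query(['nummer' => $nummer, 'categorie' => $cat, 'geslacht' => $sex]);
    header('Location: search.php?' . $qs, true, 303);   // literal target, not PHP_SELF
    exit;
}

// Step 2: GET with a query string. Re-validate (the URL is user-controlled too), query, render.
$in = validate_search($_GET);
if ($in === null) {
    exit('Please enter a search query');
}
[$nummer, $cat, $sex] = $in;
header('Content-Type: text/html; charset=UTF-8');
echo render_table(find_athletes(connect_db(), $nummer, $cat, $sex));
```

Moving step 2 into a separate show.php only changes the `Location:` target. The credentials still come from the one included file in both cases, so a second script adds no protection by itself; what keeps the password off the wire is the include path outside the web root, and what keeps the query safe is `bind_param`, not the number of files.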
2 Answers

You can simply echo the output in the same script where you get the values from the database, so your search.php would be like:

    <?php
    if(isset($_POST['submit']))
    {
        if(isset($_GET['go']))
        {
            // if(preg_match("/^[0-9]*$/", $_POST['nummer']))
            // {
                $nummer_in=$_POST['nummer'];
                $categorie_in=$_POST['categorie'];
                $geslacht_in=$_POST['geslacht'];

                define('DB_NAME', 'atletiek');
                define('DB_USER', 'root');
                define('DB_PASSWORD', '');
                define('DB_HOST', 'localhost');

                // mysqli_error() needs a link, and there is none if the connect failed,
                // so mysqli_connect_error() is the right call in this die()
                $db=mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD) or die ('I cannot connect to the database because: ' . mysqli_connect_error());

                $mydb = mysqli_select_db($db, DB_NAME);

                $sql="SELECT * FROM `atleten` WHERE `Borstnr` = $nummer_in AND `Categorie` = '$categorie_in' AND `Geslacht` = '$geslacht_in' ";

                $result=mysqli_query($db, $sql);
                if (!$result)
                {
                    printf("Error: %s\n", mysqli_error($db));
                    exit();
                }

                while($row=mysqli_fetch_array($result)) 
                {
                    $ID =$row['ID'];
                    $Geslacht=$row['Geslacht'];
                    $Naam = $row['Naam'];
                    $Categorie = $row['Categorie'];
                    $Club = $row['Club'];
                    $GeboorteJ = $row['Geboortej'];
                    $Nummer = $row['Borstnr'];
                    //Output the values
                    echo '<div><p>';
                    echo 'user id : '. $ID .' Geslacht : '.$Geslacht.' Naam : '. $Naam .' Categorie : '.$Categorie.' Club : '.$Club.' Geboortej : '.$GeboorteJ.' Borstnr : '.$Nummer.'</p></div>';

                }
            // }
        }
        else
        {
            echo  "Please enter a search query ";
        }
    }
    ?>
M0ns1f
  • I know this, but the 2nd file includes the password of the database; this would be a high security risk, so I only want to use this file to access the database and extract data, then move on to another file. – Cyber_Star Oct 22 '17 at 19:09
  • The security risk is not in making the search file output HTML but [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – M0ns1f Oct 22 '17 at 19:12
  • @Cyber_Star It's a bad practice to keep security credentials inside a script that could, theoretically, be accessed by an attacker if your server is misconfigured. You should store those in a location that cannot be accessed via the web root and loaded in via `require` or `include`. Cut-and-pasting connection code into every single script you have is not a sustainable development practice, it very quickly leads to total anarchy. – tadman Oct 22 '17 at 19:21
Try this around your `while` part:

    $html = '
    <table>
        <thead>
            <tr>
                <th>ID</th>
                <th>Geslacht</th>
                <th>Naam</th>
                <th>Categorie</th>
                <th>Club</th>
                <th>Geboortej</th>
                <th>Borstnr</th>
            </tr>
        </thead>
        <tbody>';
    while($row=mysqli_fetch_array($result))
    {
        $ID =$row['ID'];
        $Geslacht=$row['Geslacht'];
        $Naam = $row['Naam'];
        $Categorie = $row['Categorie'];
        $Club = $row['Club'];
        $GeboorteJ = $row['Geboortej'];
        $Nummer = $row['Borstnr'];

        // one table row per result row; values are concatenated as-is
        $html .= '
        <tr>
            <td>'.$ID.'</td>
            <td>'.$Geslacht.'</td>
            <td>'.$Naam.'</td>
            <td>'.$Categorie.'</td>
            <td>'.$Club.'</td>
            <td>'.$GeboorteJ.'</td>
            <td>'.$Nummer.'</td>
        </tr>';
    }
    $html .= '</tbody></table>';
    echo $html;
Sayonara
  • PHP can interpolate simple variables like `$x` inside of strings without any fuss or ceremony. Just use double quotes. That avoids the whole `'...'.$x.'...'` dance. – tadman Oct 22 '17 at 19:17