EvilZone
Programming and Scripting => Web Oriented Coding => Topic started by: iTpHo3NiX on April 22, 2015, 05:28:58 AM
-
Ok a little info on what this does and its purpose...
Pretty much the point behind this is so an event staff coordinator can allow event staff to book days they would like to work. The scripts are working as they're supposed to, however the event coordinator is unable to remove names. The script is supposed to be so they can enter the name to remove it, however it just adds another entry "Enter Name" instead of removing the name...
eventbook.php (main index)
<?php
require_once("session.php");
include("function.php");
include("connect.php");
?>
<html>
<head>
<title>Event Schedule Booking - by DeepCopy</title>
<LINK href="/hockey.css" rel="stylesheet" type="text/css">
<style type="text/css">
body {background-color:black;}
h1 {text-align:center;color:gold;}
h2 {text-align:center;color:gold;}
</style>
</head>
<body>
<center><a href="http://xxx.com"><img src="http://xxx.png" height="85" width="100"></a></center>
<h1>xxx</h1>
<h2>Event Schedule Booking</h2>
<?php
//displays the table
displayTable();
?>
<?php
//add event button shown only when logged in
if(isset($_SESSION['user_id'])){
echo "<FORM METHOD=\"Link\" ACTION=\"addEvent.php\">
<INPUT TYPE=\"submit\" VALUE=\"Add Event\">
</FORM>";
}
echo "<br />";
//login button shown if not logged in
if(!isset($_SESSION['user_id'])){
echo "<a href=\"login.php\">Admin Login</a>";
}
//logout button shown only when logged in
if(isset($_SESSION['user_id'])){
echo "<a href=\"logout.php\">Logout</a>" . "<br />";
echo "<a href=\"createUser.php\">Create a new Username and Password</a>"
;
}
?>
</body>
</html>
connect.php
<?php
$connection = mysql_connect("localhost","xxx_events","password");
if (!$connection) {
die("Database connection failed");
}
$db_select = mysql_select_db("xxx_events",$connection);
if (!$db_select) {
die("Database selection failed: " . mysql_error());
}
?>
addEvent.php
<?php
require_once("session.php");
include("function.php");
include("connect.php");
?>
<?php
if(!isset($_SESSION['user_id'])){
redirect_to('eventbook.php');
}
echo "<form name='addEvent' action='addEvent.php' method='GET'>" .
"Date: " . "<input type='text' name='date' value='Enter Date'
onfocus=\"if(this.value=='Enter Date') this.value='';\"/>" . "YYYY-MM-DD (must be in this exact format)" . "<br />" .
"Time: " . "<input type='text' name='time' value='Enter Time'
onfocus=\"if(this.value=='Enter Time') this.value='';\"/>" . "<br />" .
"Event: " . "<input type='text' name='event' value='Enter Event'
onfocus=\"if(this.value=='Enter Event Name') this.value='';\"/>" . "<br />" .
"<input type='submit' value='Add Event' />" .
"</form>";
?>
<?php
if(isset($_GET['date'])) {
$date = $_GET['date'];
$time = $_GET['time'];
$event = $_GET['event'];
mysql_query("INSERT INTO namestable (date, time, event)
VALUES ('$date', '$time', '$event')");
echo "The " . "$event " . "event at " . "$time " . "on " . "$date " . "has been added.";
}
echo "<br />";
echo "<div id='backRight'><a href=\"eventbook.php\">Back to Officer Sign Up Sheet</a></div>";
?>
delete.php
<?php
include("connect.php");
$tbl_name="namestable";
$id = $_POST['id'];
mysql_query("DELETE FROM $tbl_name WHERE id=$id");
echo "Selected event has been deleted, I hope you didn't mess up xxx...";
echo "<br />";
echo "<a href=\"eventbook.php\">Back to Officer Sign Up Sheet</a>";
?>
formFunction.php
<?php
function mysql_prep( $value ){
$magic_quotes_active = get_magic_quotes_gpc();
$new_enough_php = function_exists( "mysql_real_escape_string" ); //ie. >v4.3.0
if( $new_enough_php ){
if( $magic_quotes_active ) { $value = stripslashes( $value ); }
$value = mysql_real_escape_string( $value );
}else {
if( !$magic_quotes_active ) { $value = addslashes( $value ); }
}
return $value;
}
?>
function.php
<?php
function displayTable(){
$getdates = mysql_query("SELECT DISTINCT date FROM namestable ORDER BY date ASC");
$dates = mysql_num_rows($getdates);
if($dates > 0){
while ($rowdates = mysql_fetch_assoc($getdates)) {
$date = $rowdates['date'];
$fdate = date('l - M jS, Y ', strtotime($date));
$getevents = mysql_query("SELECT *
FROM namestable
WHERE date = '$date'
ORDER BY time ASC");
$events = mysql_num_rows($getevents);
if($events > 0){
// echo "<table width='752px' cellspacing='0' cellpadding='0' border='0' id='names'>";
echo "<table width='1000px' cellspacing='5px' cellpadding='0' border='1px' id='names'>";
echo "<caption>$fdate</caption>";
echo "<colgroup>
<col id='time' />
<col id='event' />
<col id='name1' />
<col id='name2' />
<col id='name3' />
<col id='name4' />
<col id='name5' />
<col id='name6' />
<col id='name7' />
<col id='name8' />
<col id='name9' />
<col id='name10' />
<col id='sign' />
";
echo "
<thead>
<tr>
<th scope='col'>Time</th>
<th scope='col'>Event</th>
<th scope='col'>Officer 1</th>
<th scope='col'>Officer 2</th>
<th scope='col'>Officer 3</th>
<th scope='col'>Officer 4</th>
<th scope='col'>Officer 5</th>
<th scope='col'>Officer 6</th>
<th scope='col'>Officer 7</th>
<th scope='col'>Officer 8</th>
<th scope='col'>Officer 9</th>
<th scope='col'>Officer 10</th>
<th scope='col'>Sign Up</th>
</tr>
</thead>
";
while ($rowevents = mysql_fetch_assoc($getevents)) {
echo "<tbody>";
echo "<tr>";
echo "<td scope='row'>" . $rowevents['time'] . "</td>";
echo "<td>" . $rowevents['event'] . "</td>";
echo "<td>" . $rowevents['name1'] . "</td>";
echo "<td>" . $rowevents['name2'] . "</td>";
echo "<td>" . $rowevents['name3'] . "</td>";
echo "<td>" . $rowevents['name4'] . "</td>";
echo "<td>" . $rowevents['name5'] . "</td>";
echo "<td>" . $rowevents['name6'] . "</td>";
echo "<td>" . $rowevents['name7'] . "</td>";
echo "<td>" . $rowevents['name8'] . "</td>";
echo "<td>" . $rowevents['name9'] . "</td>";
echo "<td>" . $rowevents['name10'] . "</td>";
$id = $rowevents['id'];
echo "<td>" . "<form name='input' action='process.php' method='POST'>
<input type='text' name='name' maxlength='25' size='12'
value='Enter Name' onfocus=\"if(this.value=='Enter Name') this.value='';\"/>
<input type='hidden' name='id' value='$id'/>
<input type='image' src='images/signUp.png' value='Sign Up' >
 
<input type='image' src='images/removeName.png' name='dname'
value='' /></form>" .
"<form name='delete' action='delete.php' method='POST'>
<input type='hidden' name='id' value='$id'/>";
if(isset($_SESSION['user_id'])){
echo "<input type='submit' name='delete' value='Delete Event' /></form>" .
"</td>";
}else{
echo "</form>";
echo "</td>";
echo "</tr>";
echo "</tbody>";
}
} // end event loop
} // end if events > 0
echo "</table>";
echo "<br />";
} // end if dates > 0
} // end date
}//end function
function redirect_to($location = NULL){
if ($location != NULL){
header("Location: {$location}");
exit;
}
}
?>
process.php
This is where I think the issue is, but I'm not seeing it...
<?php
include("connect.php");
include("function.php");
include("formFunction.php");
?>
<html>
<head>
<title>Event Hours</title>
<LINK href="/hockey.css" rel="stylesheet" type="text/css">
</head>
<body>
<?php
$tbl_name="namestable";
$id = $_POST['id'];
if(isset($_POST['dname']))
{
$dname = $_POST['dname'];
} else {
$dname = 'deleteNameIsBlank';
}
$unsafe_name=($_POST['name']);
$name=(htmlentities(mysql_prep($unsafe_name)));
$result = mysql_query("SELECT * FROM namestable WHERE id=$id");
$row = mysql_fetch_array($result);
$name=$_POST['name'];
if($dname == 'Remove Name' && $row['name1'] == $name){
mysql_query("UPDATE $tbl_name SET name1 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name2'] == $name){
mysql_query("UPDATE $tbl_name SET name2 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name3'] == $name){
mysql_query("UPDATE $tbl_name SET name3 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name4'] == $name){
mysql_query("UPDATE $tbl_name SET name4 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name5'] == $name){
mysql_query("UPDATE $tbl_name SET name5 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name6'] == $name){
mysql_query("UPDATE $tbl_name SET name6 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name7'] == $name){
mysql_query("UPDATE $tbl_name SET name7 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name8'] == $name){
mysql_query("UPDATE $tbl_name SET name8 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name9'] == $name){
mysql_query("UPDATE $tbl_name SET name9 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name' && $row['name10'] == $name){
mysql_query("UPDATE $tbl_name SET name10 = '' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif($dname == 'Remove Name'){
echo "<div id='error'>Please enter name exactly as it appears in the sign up sheet.</div>";
}
elseif(empty($row['name1'])){
mysql_query("UPDATE $tbl_name SET name1 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name2'])){
mysql_query("UPDATE $tbl_name SET name2 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name3'])){
mysql_query("UPDATE $tbl_name SET name3 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name4'])){
mysql_query("UPDATE $tbl_name SET name4 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name5'])){
mysql_query("UPDATE $tbl_name SET name5 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name6'])){
mysql_query("UPDATE $tbl_name SET name6 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name7'])){
mysql_query("UPDATE $tbl_name SET name7 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name8'])){
mysql_query("UPDATE $tbl_name SET name8 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name9'])){
mysql_query("UPDATE $tbl_name SET name9 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
elseif(empty($row['name10'])){
mysql_query("UPDATE $tbl_name SET name10 = '$name' WHERE id=$id");
redirect_to("eventbook.php");
}
else {
echo "<div id='error'>No more guards needed for this event. Please see other options</div>";
}
echo "<br />";
echo "<div id='backCenter'><a href=\"eventbook.php\">Return to Officer Sign Up Sheet</a></div>";
?>
</body>
</html>
sql export (for table)
DROP TABLE IF EXISTS `namestable`;
CREATE TABLE IF NOT EXISTS `namestable` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`date` date DEFAULT NULL,
`time` varchar(50) DEFAULT NULL,
`event` varchar(50) DEFAULT NULL,
`name1` varchar(50) DEFAULT NULL,
`name2` varchar(50) DEFAULT NULL,
`name3` varchar(50) DEFAULT NULL,
`name4` varchar(50) DEFAULT NULL,
`name5` varchar(50) DEFAULT NULL,
`name6` varchar(50) DEFAULT NULL,
`name7` varchar(50) DEFAULT NULL,
`name8` varchar(50) DEFAULT NULL,
`name9` varchar(50) DEFAULT NULL,
`name10` varchar(50) DEFAULT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=68 ;
Related Help:
I have found though that the Remove Name function will not work the way that it is coded for many browsers. Set values in an image input tag are not passed to a script, but instead the x,y coordinates of where the user clicked on the image are. As such, the script will never see a $dname with a value assigned to it. Instead, if you change the isset in process.php to ['$dname_x'] and change the true variable assignment to 'Remove Name', the script will run as expected because dname_x will have a positive value assigned to it.
src script:
http://www.infohyena.com/articles/16-php-volunteer-sign-up-sheet
I've changed all the dname variables in process.php with dname_x and function.php but its still behaving the same
-
...bump...
Ok well I've been working on another way to accomplish this and I came up with this... The only problem is whenever I submit to update the database, it doesn't do anything... Nothing in the error_log to tell me why it's doing this...
view.php (works fine)
<?php
/*
VIEW.PHP
Displays all data from 'namestable' table
*/
// connect to the database
include('../connect-db.php');
// get results from database
$result = mysql_query("SELECT * FROM namestable")
or die(mysql_error());
// display data in table
echo "<p><b>View All</b> | <a href='view-paginated.php?page=1'>View Paginated</a></p>";
echo "<table border='1' cellpadding='10'>";
echo "<tr> <th>ID</th> <th>Date</th> <th>Time</th> <th>Event</th> <th>Officer 1</th> <th>Officer 2</th> <th>Officer 3</th> <th>Officer 4</th> <th>Officer 5</th> <th>Officer 6</th> <th>Officer 7</th> <th>Officer 8</th> <th>Officer 9</th> <th>Officer 10</th> <th></th> <th></th></tr>";
// loop through results of database query, displaying them in the table
while($row = mysql_fetch_array( $result )) {
// echo out the contents of each row into a table
echo "<tr>";
echo '<td>' . $row['id'] . '</td>';
echo '<td>' . $row['date'] . '</td>';
echo '<td>' . $row['time'] . '</td>';
echo '<td>' . $row['event'] . '</td>';
echo '<td>' . $row['name1'] . '</td>';
echo '<td>' . $row['name2'] . '</td>';
echo '<td>' . $row['name3'] . '</td>';
echo '<td>' . $row['name4'] . '</td>';
echo '<td>' . $row['name5'] . '</td>';
echo '<td>' . $row['name6'] . '</td>';
echo '<td>' . $row['name7'] . '</td>';
echo '<td>' . $row['name8'] . '</td>';
echo '<td>' . $row['name9'] . '</td>';
echo '<td>' . $row['name10'] . '</td>';
echo '<td><a href="edit.php?id=' . $row['id'] . '">Edit</a></td>';
echo '<td><a href="delete.php?id=' . $row['id'] . '">Delete</a></td>';
echo "</tr>";
}
// close table>
echo "</table>";
?>
edit.php
<?php
// creates the edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm($id, $date, $time, $event, $name1, $name2, $name3, $name4, $name5, $name6, $name7, $name8, $name9, $name10, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>Edit Events</title>
</head>
<body>
<?php
// if there are any errors, display them
if ($error != '')
{
echo '<div style="padding:4px; border:1px solid red; color:red;">'.$error.'</div>';
}
?>
<form action="" method="post">
<input type="hidden" name="id" value="<?php echo $id; ?>"/>
<div>
<p><strong>ID:</strong> <?php echo $id; ?></p>
<strong>Date: </strong> <input type="text" name="date" value="<?php echo $date; ?>"/><br/>
<strong>Time: </strong> <input type="text" name="time" value="<?php echo $time; ?>"/><br/>
<strong>Event: </strong> <input type="text" name="event" value="<?php echo $event; ?>"/><br/>
<strong>Officer 1: </strong> <input type="text" name="name1" value="<?php echo $name1; ?>"/><br/>
<strong>Officer 2: </strong> <input type="text" name="name2" value="<?php echo $name2; ?>"/><br/>
<strong>Officer 3: </strong> <input type="text" name="name3" value="<?php echo $name3; ?>"/><br/>
<strong>Officer 4: </strong> <input type="text" name="name4" value="<?php echo $name4; ?>"/><br/>
<strong>Officer 5: </strong> <input type="text" name="name5" value="<?php echo $name5; ?>"/><br/>
<strong>Officer 6: </strong> <input type="text" name="name6" value="<?php echo $name6; ?>"/><br/>
<strong>Officer 7: </strong> <input type="text" name="name7" value="<?php echo $name7; ?>"/><br/>
<strong>Officer 8: </strong> <input type="text" name="name8" value="<?php echo $name8; ?>"/><br/>
<strong>Officer 9: </strong> <input type="text" name="name9" value="<?php echo $name9; ?>"/><br/>
<strong>Officer 10: </strong> <input type="text" name="name10" value="<?php echo $name10; ?>"/><br/>
<input type="submit" name="submit" value="Submit">
</div>
</form>
</body>
</html>
<?php
}
// connect to the database
include('../connect-db.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$date = mysql_real_escape_string(htmlspecialchars($_POST['date']));
$time = mysql_real_escape_string(htmlspecialchars($_POST['time']));
$event = mysql_real_escape_string(htmlspecialchars($_POST['event']));
$name1 = mysql_real_escape_string(htmlspecialchars($_POST['name1']));
$name2 = mysql_real_escape_string(htmlspecialchars($_POST['name2']));
$name3 = mysql_real_escape_string(htmlspecialchars($_POST['name3']));
$name4 = mysql_real_escape_string(htmlspecialchars($_POST['name4']));
$name5 = mysql_real_escape_string(htmlspecialchars($_POST['name5']));
$name6 = mysql_real_escape_string(htmlspecialchars($_POST['name6']));
$name7 = mysql_real_escape_string(htmlspecialchars($_POST['name7']));
$name8 = mysql_real_escape_string(htmlspecialchars($_POST['name8']));
$name9 = mysql_real_escape_string(htmlspecialchars($_POST['name9']));
$name10 = mysql_real_escape_string(htmlspecialchars($_POST['name10']));
renderForm($id, $date, $time, $event, $name1, $name2, $name3, $name4, $name5, $name6, $name7, $name8, $name9, $name10, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE namestable SET date='$date', time='$time', event='$event', name1='$name1', name2='$name2', name3='$name3', name4='$name4', name5='$name5', name6='$name6', name7='$name7', name8='$name8', name9='$name9', name10='$name10' WHERE id='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: view.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM namestable WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$id = $row['id'];
$date = $row['date'];
$time = $row['time'];
$event = $row['event'];
$name1 = $row['name1'];
$name2 = $row['name2'];
$name3 = $row['name3'];
$name4 = $row['name4'];
$name5 = $row['name5'];
$name6 = $row['name6'];
$name7 = $row['name7'];
$name8 = $row['name8'];
$name9 = $row['name9'];
$name10 = $row['name10'];
// show form
renderForm($id, $date, $time, $event, $name1, $name2, $name3, $name4, $name5, $name6, $name7, $name8, $name9, $name10, $error, '');
}
else
// if no match, display result
{
echo "No results!";
}
?>
can't figure it out for the life of me o.O
-
Ask StackOverflow, you'll get a quicker answer than on here
-
Ok there are alot of issues with your code. And I want you to fix them first before I help you fix your problem because it's almost unreadable.
Use prepared statements man. this is 2015 the functions you are using are deprecated.
Don't echo your html out to the page. Try to put as less code you can into the html part. When you need to have certain html on certain conditions use:
<?php if($leet == true): ?>
<form method="post" action="leetscript.php">
<input type="text" name="something"/>
</form>
<?php endif; ?>
Try to further encapsulate your code in functions or even classes. Get as much php out of your pages as possible.