boionfire81 Posted November 12, 2023 Posted November 12, 2023 (edited) Ok. I'm rewriting the education portion. I'm trying to use the multiselect for the city to add it to. But simply adding [] to the select box name throws a 500 error. Here's the code: function add_degree(){ global $db,$ir,$h; if($_SERVER['REQUEST_METHOD'] === 'POST'){ $count=0; foreach($_POST['city'] as $cities){ $db->query("INSERT INTO `edu_degrees` VALUES('','{$_POST['name']}','{$_POST['desc']}','{$cities}','{$_POST['unlocks']}')"); $count=$count+1; } echo $_POST['name']." added to ".number_format($count)." cities."; }else{ echo "<center>Add A Degree</center><br><form action='staff_school.php?action=add-degree' method='POST'> <table> <tr> <td> <b>Name</b>: </td> <td> <input type='text' name='name'> </td> </tr> <tr> <td> <b>Description</b>: </td> <td> <textarea name='desc' rows='4' cols='50'></textarea> </td> </tr> <tr> <td> <b>Available At</b>: </td> <td> <select name='city[]' multiple>"; $get_cities=$db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC"); while($cities=$db->fetch_row($get_cities)){ $city_id=$cities['cityid']; echo "<option value='$city_id'>{$cities['cityname']}</option>"; } echo "</select> </td> </tr> <tr> <td> <b>Unlocks</b>: </td> <td> <input type='text' name='unlocks'> </td> </tr> </table> <button type='submit'>Add</button> </form>"; } } Edited November 12, 2023 by boionfire81 Quote
gamble Posted November 13, 2023 Posted November 13, 2023 (edited) Check your php error_log file. The error will be there and if you can figure it out from there post it here and we can help a bit better With little to no information to go off it'll be pretty hard to know exactly what went wrong without combing through it character my character to see Edited November 13, 2023 by gamble Typo Quote
corruptcity || skalman Posted November 13, 2023 Posted November 13, 2023 I asked chatgpt and it came back with this Your code appears mostly fine, but there are a few points to consider and improve: SQL Injection Vulnerability: You should avoid directly inserting user inputs into SQL queries to prevent SQL injection attacks. Instead, use prepared statements or at least sanitize the inputs. Error Handling: It's good practice to include error handling in your database operations to catch and handle any potential errors that may occur during execution. Here's an updated version of your code with these improvements: function add_degree() { global $db, $ir, $h; if ($_SERVER['REQUEST_METHOD'] === 'POST') { $count = 0; // Use prepared statements to prevent SQL injection $stmt = $db->prepare("INSERT INTO `edu_degrees` VALUES('',?,?,?,?)"); foreach ($_POST['city'] as $cities) { // Sanitize inputs before using in the query $name = $db->escape($_POST['name']); $desc = $db->escape($_POST['desc']); $unlocks = $db->escape($_POST['unlocks']); // Bind parameters and execute the statement $stmt->bind_param('ssss', $name, $desc, $cities, $unlocks); $stmt->execute(); $count++; } // Close the prepared statement $stmt->close(); echo htmlspecialchars($_POST['name']) . " added to " . number_format($count) . " cities."; } else { echo "<center>Add A Degree</center><br><form action='staff_school.php?action=add-degree' method='POST'> <table> <tr> <td> <b>Name</b>: </td> <td> <input type='text' name='name'> </td> </tr> <tr> <td> <b>Description</b>: </td> <td> <textarea name='desc' rows='4' cols='50'></textarea> </td> </tr> <tr> <td> <b>Available At</b>: </td> <td> <select name='city[]' multiple>"; $get_cities = $db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC"); while ($cities = $db->fetch_row($get_cities)) { $city_id = $cities['cityid']; echo "<option value='$city_id'>{$cities['cityname']}</option>"; } echo "</select> </td> </tr> <tr> <td> <b>Unlocks</b>: </td> <td> <input type='text' name='unlocks'> </td> </tr> </table> <button type='submit'>Add</button> </form>"; } } Please note that I assumed your $db object provides methods like prepare, bind_param, execute, escape, etc. If not, you may need to adapt those parts according to your specific database library. Quote
smith Posted November 20, 2023 Posted November 20, 2023 (edited) function add_degree($db, $_POST) { foreach ($_POST['city'] as $cities) { // Use prepared statements to prevent SQL injection $sql = $db->prepare("INSERT INTO edu_degrees (`name`, `desc`, `cities`, `unlocks`) VALUES (:name, :desc, :cities, :unlocks)"); $sql->bindParam(':id', $_POST['name'], PDO::PARAM_STR); $sql->bindParam(':desc', $_POST['desc'], PDO::PARAM_STR); $sql->bindParam(':cities', $cities, PDO::PARAM_STR); <-- i am not sure about your 'type' here but you can select as you need for validation $sql->bindParam(':colour', $_POST['unlocks'], PDO::PARAM_STR); $sql->execute(); } } //chk submit before function if($_POST['submit] === true){ // you can call like this add_degree($db, $_POST) } Edited November 20, 2023 by smith Quote
rockwood Posted November 21, 2023 Posted November 21, 2023 (edited) On 11/20/2023 at 9:21 AM, smith said: <code> function add_degree($db, $_POST) { foreach ($_POST['city'] as $cities) { // Use prepared statements to prevent SQL injection $sql = $db->prepare("INSERT INTO edu_degrees (`name`, `desc`, `cities`, `unlocks`) VALUES (:name, :desc, :cities, :unlocks)"); $sql->bindParam(':id', $_POST['name'], PDO::PARAM_STR); $sql->bindParam(':desc', $_POST['desc'], PDO::PARAM_STR); $sql->bindParam(':cities', $cities, PDO::PARAM_STR); <-- i am not sure about your 'type' here but you can select as you need for validation $sql->bindParam(':colour', $_POST['unlocks'], PDO::PARAM_STR); $sql->execute(); } } //chk submit before function if($_POST['submit] === true){ // you can call like this add_degree($db, $_POST) } </code> you can make it more better Edited November 21, 2023 by rockwood edited Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.