MakeWebGames

What am I missing?


boionfire81


Ok. I'm rewriting the education portion. I'm trying to use the multiselect for the city to add it to. But simply adding [] to the select box name throws a 500 error. Here's the code:

function add_degree(){
    global $db,$ir,$h;
    
    if($_SERVER['REQUEST_METHOD'] === 'POST'){
        
        $count=0;
        
        foreach($_POST['city'] as $cities){
            
            $db->query("INSERT INTO `edu_degrees` VALUES('','{$_POST['name']}','{$_POST['desc']}','{$cities}','{$_POST['unlocks']}')");
            $count=$count+1;
            
        }
        
        echo $_POST['name']." added to ".number_format($count)." cities.";
        
    }else{
        
        echo "<center>Add A Degree</center><br><form action='staff_school.php?action=add-degree' method='POST'>
            <table>
              <tr>
                <td>
                  <b>Name</b>:
                </td>
                <td>
                  <input type='text' name='name'>
                </td>
              </tr>
              <tr>
                <td>
                  <b>Description</b>:
                </td>
                <td>
                  <textarea name='desc' rows='4' cols='50'></textarea>
                </td>
              </tr>
              <tr>
                <td>
                  <b>Available At</b>:
                </td>
                <td>
                  <select name='city[]' multiple>";    
        $get_cities=$db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC");
        
        while($cities=$db->fetch_row($get_cities)){
            
            $city_id=$cities['cityid'];
            
            echo "<option value='$city_id'>{$cities['cityname']}</option>";
            
        }
        
        echo "</select>
            </td>
            </tr>
            <tr>
              <td>
                <b>Unlocks</b>:
              </td>
              <td>
                <input type='text' name='unlocks'>
              </td>
            </tr>
          </table>
          <button type='submit'>Add</button>
          </form>";
        
    }
    
}

 

Edited by boionfire81

Check your PHP error_log file. The error will be there, and if you can figure it out from there, post it here and we can help a bit better.

 

With little to no information to go off, it'll be pretty hard to know exactly what went wrong without combing through it character by character to see.

Edited by gamble

I asked ChatGPT and it came back with this:

Your code appears mostly fine, but there are a few points to consider and improve:

  1. SQL Injection Vulnerability: You should avoid directly inserting user inputs into SQL queries to prevent SQL injection attacks. Instead, use prepared statements or at least sanitize the inputs.

  2. Error Handling: It's good practice to include error handling in your database operations to catch and handle any potential errors that may occur during execution.

    Here's an updated version of your code with these improvements:

    function add_degree() {
        global $db, $ir, $h;
    
        if ($_SERVER['REQUEST_METHOD'] === 'POST') {
            $count = 0;
    
            // Use prepared statements to prevent SQL injection
            $stmt = $db->prepare("INSERT INTO `edu_degrees` VALUES('',?,?,?,?)");
            if ($stmt === false) {
                // Error handling: stop here instead of calling methods on false
                // (assumes a mysqli-style ->error property on the wrapper)
                die("Failed to prepare statement: " . $db->error);
            }
    
            // Bound parameters are sent separately from the SQL text, so the
            // values are NOT escaped here as well: escaping a bound value would
            // store the backslashes in the table.
            $name    = $_POST['name'];
            $desc    = $_POST['desc'];
            $unlocks = $_POST['unlocks'];
    
            foreach ($_POST['city'] as $cities) {
                // Bind parameters and execute the statement
                $stmt->bind_param('ssss', $name, $desc, $cities, $unlocks);
                if (!$stmt->execute()) {
                    die("Failed to insert degree: " . $stmt->error);
                }
    
                $count++;
            }
    
            // Close the prepared statement
            $stmt->close();
    
            echo htmlspecialchars($_POST['name']) . " added to " . number_format($count) . " cities.";
        } else {
            echo "<center>Add A Degree</center><br><form action='staff_school.php?action=add-degree' method='POST'>
                <table>
                  <tr>
                    <td>
                      <b>Name</b>:
                    </td>
                    <td>
                      <input type='text' name='name'>
                    </td>
                  </tr>
                  <tr>
                    <td>
                      <b>Description</b>:
                    </td>
                    <td>
                      <textarea name='desc' rows='4' cols='50'></textarea>
                    </td>
                  </tr>
                  <tr>
                    <td>
                      <b>Available At</b>:
                    </td>
                    <td>
                      <select name='city[]' multiple>";
    
            $get_cities = $db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC");
    
            while ($cities = $db->fetch_row($get_cities)) {
                $city_id = $cities['cityid'];
                echo "<option value='$city_id'>{$cities['cityname']}</option>";
            }
    
            echo "</select>
                </td>
                </tr>
                <tr>
                  <td>
                    <b>Unlocks</b>:
                  </td>
                  <td>
                    <input type='text' name='unlocks'>
                  </td>
                </tr>
              </table>
              <button type='submit'>Add</button>
              </form>";
        }
    }



    Please note that I assumed your $db object provides methods like prepare, bind_param, execute, escape, etc. If not, you may need to adapt those parts according to your specific database library.


// $_POST cannot be used as a parameter name (PHP: "Cannot re-assign auto-global
// variable _POST"), so the form data is passed in as $post.
function add_degree($db, $post) {
    // Use prepared statements to prevent SQL injection; prepare once, execute per city
    $sql = $db->prepare("INSERT INTO edu_degrees (`name`, `desc`, `cities`, `unlocks`) VALUES (:name, :desc, :cities, :unlocks)");
    foreach ($post['city'] as $cities) {
        $sql->bindParam(':name', $post['name'], PDO::PARAM_STR);
        $sql->bindParam(':desc', $post['desc'], PDO::PARAM_STR);
        $sql->bindParam(':cities', $cities, PDO::PARAM_STR); // i am not sure about your 'type' here but you can select as you need for validation
        $sql->bindParam(':unlocks', $post['unlocks'], PDO::PARAM_STR);
        $sql->execute();
    }
}

// chk submit before function
// (POST values are strings, never === true; the submit button needs name='submit'
// for this key to exist at all)
if (isset($_POST['submit'])) {
    // you can call like this
    add_degree($db, $_POST);
}

Edited by smith
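Tying the two replies above together (the prepared-statement rewrite and the PDO sketch), here is an added example that is not anyone's code from this thread. It uses PDO against an in-memory SQLite database so it runs stand-alone (this assumes the pdo_sqlite extension is loaded); the `edu_degrees` column names, in particular `city` for the per-city id, are assumed because the original INSERT never names its columns. It first shows what the string-built query from the first post actually produces when the degree name contains a quote, then a version that binds every value, accepts only positive-integer city ids that exist in `cities`, and wraps the per-city loop in a transaction.

```php
<?php
// Added example, not code from the thread: the "add a degree to several
// cities" insert done with PDO, validating the city[] ids and wrapping the
// loop in a transaction. Runs stand-alone against an in-memory SQLite
// database (assumes the pdo_sqlite extension); table and column names
// follow the thread, the `city` column name is an assumption.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of hiding them
]);
$db->exec("CREATE TABLE `cities` (`cityid` INTEGER PRIMARY KEY, `cityname` TEXT NOT NULL)");
$db->exec("CREATE TABLE `edu_degrees` (`id` INTEGER PRIMARY KEY, `name` TEXT, `desc` TEXT, `city` INTEGER, `unlocks` TEXT)");
$db->exec("INSERT INTO `cities` (`cityid`, `cityname`) VALUES (1, 'Alpha'), (2, 'Beta'), (3, 'Gamma')");

// What the string-built INSERT from the first post sends when the name holds a
// quote: the quote closes the literal early, so a legitimate name such as
// Bachelor's is a syntax error and an attacker-chosen name rewrites the statement.
function interpolated_sql(string $name, string $desc, string $city, string $unlocks): string
{
    return "INSERT INTO `edu_degrees` VALUES('','$name','$desc','$city','$unlocks')";
}
echo interpolated_sql("Bachelor's", 'Liberal arts', '1', 'jobs'), "\n";

// Safe version: values travel as bound parameters, city ids are checked before use.
function add_degree(PDO $db, array $post): int
{
    $name    = trim((string)($post['name'] ?? ''));
    $desc    = (string)($post['desc'] ?? '');
    $unlocks = (string)($post['unlocks'] ?? '');
    $cities  = $post['city'] ?? [];
    if ($name === '' || !is_array($cities) || $cities === []) {
        throw new InvalidArgumentException('name and at least one city are required');
    }

    // city[] arrives as strings; accept only positive integers like the <option> values
    // (\A and \z so a trailing newline cannot slip past the check)
    $ids = [];
    foreach ($cities as $c) {
        if (!is_string($c) || !preg_match('/\A[1-9][0-9]*\z/', $c)) {
            throw new InvalidArgumentException('city id must be a positive integer');
        }
        $ids[] = (int)$c;
    }
    $ids = array_values(array_unique($ids));

    // Refuse ids that are not in cities. The IN (...) list is built from
    // placeholders only; the values are still bound, never concatenated.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $chk = $db->prepare("SELECT COUNT(*) FROM `cities` WHERE `cityid` IN ($marks)");
    $chk->execute($ids);
    $found = (int)$chk->fetchColumn();
    $chk->closeCursor();
    if ($found !== count($ids)) {
        throw new InvalidArgumentException('unknown city id');
    }

    // One prepared statement, executed once per city, inside a transaction so a
    // failure half-way through does not leave the degree in some cities only.
    $db->beginTransaction();
    try {
        $ins = $db->prepare(
            "INSERT INTO `edu_degrees` (`name`, `desc`, `city`, `unlocks`) VALUES (:name, :desc, :city, :unlocks)"
        );
        foreach ($ids as $id) {
            $ins->execute([':name' => $name, ':desc' => $desc, ':city' => $id, ':unlocks' => $unlocks]);
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return count($ids);
}

// Constructed form submissions standing in for $_POST.
$good = ['name' => "Bachelor's of Arts", 'desc' => 'Liberal arts', 'city' => ['1', '3', '3'], 'unlocks' => 'jobs'];
$n = add_degree($db, $good);
// Escape on output too: the staff page echoes the name back into HTML.
echo htmlspecialchars($good['name'], ENT_QUOTES) . " added to " . number_format($n) . " cities.\n";

$bad = ['name' => 'Law', 'desc' => '', 'city' => ["1' OR '1'='1"], 'unlocks' => ''];
try {
    add_degree($db, $bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

On a real game install the `$db` object is whatever wrapper the engine ships, so the PDO calls are the assumption here, as in the PDO sketch above. When the connection is pdo_mysql, also pass `PDO::ATTR_EMULATE_PREPARES => false` in the constructor options so the placeholders are handled by the server rather than being quoted client-side; with SQLite that attribute is not applicable, which is why the example leaves it out.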

On 11/20/2023 at 9:21 AM, smith said:

// $_POST cannot be used as a parameter name (PHP: "Cannot re-assign auto-global
// variable _POST"), so the form data is passed in as $post.
function add_degree($db, $post) {
    // Use prepared statements to prevent SQL injection; prepare once, execute per city
    $sql = $db->prepare("INSERT INTO edu_degrees (`name`, `desc`, `cities`, `unlocks`) VALUES (:name, :desc, :cities, :unlocks)");
    foreach ($post['city'] as $cities) {
        $sql->bindParam(':name', $post['name'], PDO::PARAM_STR);
        $sql->bindParam(':desc', $post['desc'], PDO::PARAM_STR);
        $sql->bindParam(':cities', $cities, PDO::PARAM_STR); // i am not sure about your 'type' here but you can select as you need for validation
        $sql->bindParam(':unlocks', $post['unlocks'], PDO::PARAM_STR);
        $sql->execute();
    }
}

// chk submit before function
// (POST values are strings, never === true; the submit button needs name='submit'
// for this key to exist at all)
if (isset($_POST['submit'])) {
    // you can call like this
    add_degree($db, $_POST);
}

You can make it better.

Edited by rockwood
