boionfire81 Posted November 12 (edited)

Ok. I'm rewriting the education portion. I'm trying to use the multiselect for the city to add it to, but simply adding [] to the select box name throws a 500 error. Here's the code:

```php
function add_degree()
{
    global $db, $ir, $h;
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $count = 0;
        foreach ($_POST['city'] as $cities) {
            $db->query("INSERT INTO `edu_degrees` VALUES('','{$_POST['name']}','{$_POST['desc']}','{$cities}','{$_POST['unlocks']}')");
            $count = $count + 1;
        }
        echo $_POST['name'] . " added to " . number_format($count) . " cities.";
    } else {
        echo "<center>Add A Degree</center><br>
        <form action='staff_school.php?action=add-degree' method='POST'>
        <table>
        <tr>
        <td><b>Name</b>:</td>
        <td><input type='text' name='name'></td>
        </tr>
        <tr>
        <td><b>Description</b>:</td>
        <td><textarea name='desc' rows='4' cols='50'></textarea></td>
        </tr>
        <tr>
        <td><b>Available At</b>:</td>
        <td><select name='city[]' multiple>";
        $get_cities = $db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC");
        while ($cities = $db->fetch_row($get_cities)) {
            $city_id = $cities['cityid'];
            echo "<option value='$city_id'>{$cities['cityname']}</option>";
        }
        echo "</select></td>
        </tr>
        <tr>
        <td><b>Unlocks</b>:</td>
        <td><input type='text' name='unlocks'></td>
        </tr>
        </table>
        <button type='submit'>Add</button>
        </form>";
    }
}
```

Edited November 12 by boionfire81
gamble Posted November 13 (edited)

Check your PHP error_log file. The error will be there, and if you can figure it out from there, post it here and we can help a bit better. With little to no information to go off, it'll be pretty hard to know exactly what went wrong without combing through it character by character.

Edited November 13 by gamble
corruptcity || skalman Posted November 13

I asked ChatGPT and it came back with this:

Your code appears mostly fine, but there are a few points to consider and improve:

SQL Injection Vulnerability: You should avoid directly inserting user inputs into SQL queries to prevent SQL injection attacks. Instead, use prepared statements or at least sanitize the inputs.

Error Handling: It's good practice to include error handling in your database operations to catch and handle any potential errors that may occur during execution.

Here's an updated version of your code with these improvements:

```php
function add_degree()
{
    global $db, $ir, $h;
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        $count = 0;

        // Use a prepared statement to prevent SQL injection: the values are sent
        // separately from the SQL text, so they must NOT also be run through escape(),
        // or the stored strings would contain literal backslashes.
        $stmt = $db->prepare("INSERT INTO `edu_degrees` VALUES('',?,?,?,?)");
        if ($stmt === false) {
            die("Failed to prepare statement");
        }

        $name    = $_POST['name'];
        $desc    = $_POST['desc'];
        $unlocks = $_POST['unlocks'];
        $cities  = '';

        // bind_param binds by reference, so rebinding once and reassigning $cities
        // on each loop iteration is enough.
        $stmt->bind_param('ssss', $name, $desc, $cities, $unlocks);
        foreach ($_POST['city'] as $cities) {
            if (!$stmt->execute()) {
                die("Insert failed: " . $stmt->error);
            }
            $count++;
        }

        // Close the prepared statement
        $stmt->close();

        echo htmlspecialchars($_POST['name']) . " added to " . number_format($count) . " cities.";
    } else {
        echo "<center>Add A Degree</center><br>
        <form action='staff_school.php?action=add-degree' method='POST'>
        <table>
        <tr>
        <td><b>Name</b>:</td>
        <td><input type='text' name='name'></td>
        </tr>
        <tr>
        <td><b>Description</b>:</td>
        <td><textarea name='desc' rows='4' cols='50'></textarea></td>
        </tr>
        <tr>
        <td><b>Available At</b>:</td>
        <td><select name='city[]' multiple>";
        $get_cities = $db->query("SELECT `cityname`,`cityid` FROM `cities` ORDER BY `cityname` ASC");
        while ($cities = $db->fetch_row($get_cities)) {
            $city_id = $cities['cityid'];
            echo "<option value='$city_id'>{$cities['cityname']}</option>";
        }
        echo "</select></td>
        </tr>
        <tr>
        <td><b>Unlocks</b>:</td>
        <td><input type='text' name='unlocks'></td>
        </tr>
        </table>
        <button type='submit'>Add</button>
        </form>";
    }
}
```

Please note that I assumed your $db object provides methods like prepare, bind_param, execute, etc. If not, you may need to adapt those parts according to your specific database library.
smith Posted November 20 (edited)

```php
// $_POST cannot be used as a parameter name in PHP (it is an auto-global),
// so the submitted form data is passed in as $input.
function add_degree(PDO $db, array $input)
{
    // Use a prepared statement to prevent SQL injection; prepare it once and
    // execute it once per selected city.
    $sql = $db->prepare("INSERT INTO edu_degrees (`name`, `desc`, `cities`, `unlocks`)
                         VALUES (:name, :desc, :cities, :unlocks)");
    foreach ($input['city'] as $cities) {
        $sql->bindParam(':name', $input['name'], PDO::PARAM_STR);
        $sql->bindParam(':desc', $input['desc'], PDO::PARAM_STR);
        // I am not sure about your 'type' here, but you can select the one you need for validation
        $sql->bindParam(':cities', $cities, PDO::PARAM_STR);
        $sql->bindParam(':unlocks', $input['unlocks'], PDO::PARAM_STR);
        $sql->execute();
    }
}

// Check submit before calling the function
if (isset($_POST['submit'])) {
    // you can call it like this
    add_degree($db, $_POST);
}
```

Edited November 20 by smith
rockwood Posted November 21 (edited)

On 11/20/2023 at 9:21 AM, smith said:

> (quoting the add_degree() code from the post above)

You can make it better.

Edited November 21 by rockwood
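The two replies above both move the INSERT onto a prepared statement but neither deals with the other half of the original question: `city[]` is an array that the client fully controls, so the ids in it need validating before anything is written. The following is an added example, not code from the thread or from any of the posters. It assumes the table and column names used in the thread (`edu_degrees` with `name`, `desc`, `cities`, `unlocks`; `cities` with `cityid`, `cityname`), uses PDO in place of the forum's `$db` wrapper, and stands in an in-memory SQLite database with constructed rows for the real MySQL tables so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example (not the original poster's code). Inserts one edu_degrees row per
// selected city through PDO prepared statements, after validating the city[] list.
// Schema, column names and the $pdo connection are assumptions from the thread.
function add_degree(PDO $pdo, array $input): int
{
    $name    = trim((string) ($input['name'] ?? ''));
    $desc    = trim((string) ($input['desc'] ?? ''));
    $unlocks = trim((string) ($input['unlocks'] ?? ''));
    $cities  = $input['city'] ?? null;

    // A multiselect named city[] arrives as an array only if the browser sent one;
    // a missing, scalar or empty value would otherwise break the foreach below.
    if ($name === '' || !is_array($cities) || $cities === []) {
        throw new InvalidArgumentException('name and at least one city are required');
    }

    // The <option> values are integer ids, but the request body is attacker-controlled:
    // cast, drop non-positive values and duplicates, then keep only ids that exist.
    $ids = array_values(array_unique(array_filter(
        array_map('intval', $cities),
        static fn (int $id): bool => $id > 0
    )));
    if ($ids === []) {
        throw new InvalidArgumentException('no valid city id supplied');
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $check = $pdo->prepare("SELECT `cityid` FROM `cities` WHERE `cityid` IN ($marks)");
    $check->execute($ids);
    $known = array_map('intval', $check->fetchAll(PDO::FETCH_COLUMN));
    if (count($known) !== count($ids)) {
        throw new InvalidArgumentException('unknown city id supplied');
    }

    // Name the columns and bind every value. The driver sends values separately from
    // the SQL text, so a quote in the name is stored literally instead of being parsed.
    $insert = $pdo->prepare(
        'INSERT INTO `edu_degrees` (`name`, `desc`, `cities`, `unlocks`)
         VALUES (:name, :desc, :city, :unlocks)'
    );
    $pdo->beginTransaction();
    try {
        foreach ($known as $cityId) {
            $insert->execute([':name' => $name, ':desc' => $desc, ':city' => $cityId, ':unlocks' => $unlocks]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack(); // all or nothing: no half-added degree if one insert fails
        throw $e;
    }
    return count($known);
}

// --- demo with constructed data standing in for the game's real tables ---
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE `cities` (`cityid` INTEGER PRIMARY KEY, `cityname` TEXT)');
$pdo->exec('CREATE TABLE `edu_degrees` (`id` INTEGER PRIMARY KEY AUTOINCREMENT,
            `name` TEXT, `desc` TEXT, `cities` INTEGER, `unlocks` TEXT)');
$pdo->exec("INSERT INTO `cities` VALUES (1, 'Arkham'), (2, 'Gotham'), (3, 'Metropolis')");

// Simulated form submission (constructed): two cities selected, one repeated, one junk
// value, and a name containing a single quote, which the original string-built query
// would have turned into a syntax error.
$post = ['name' => "Bachelor's of Arts", 'desc' => 'Four years', 'unlocks' => 'job_5',
         'city' => ['2', '3', '3', 'abc']];
$added = add_degree($pdo, $post);
echo htmlspecialchars($post['name'], ENT_QUOTES, 'UTF-8') . ' added to ' . number_format($added) . " cities.\n";

// Tampered submission: an id that is not in `cities` is rejected before any INSERT runs.
try {
    add_degree($pdo, ['name' => 'X', 'city' => ['999']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

Run with `php add_degree.php`; the first call reports two cities added and the second prints the rejection. Wrapping the per-city inserts in a transaction is a design choice: the original loop ran N independent queries, so a failure midway left a degree attached to some cities and not others. Turning on `PDO::ERRMODE_EXCEPTION` also means a bad query surfaces as a logged exception rather than the bare 500 the original post asks about.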