Chapter 7 Code - Validating User Input
Try It Out 1
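<?php
// movie.php (Try It Out 1): renders the form used to add a movie or edit an existing one.
//
// Request contract (every value below is untrusted):
//   $_GET['action']  "add" or "edit"; anything else simply renders an empty form
//   $_GET['id']      movie_id of the row to edit (read only when action is "edit")
//   $_GET['error']   urlencoded, CRLF-separated messages sent back by commit.php
//
// Request values and database values are escaped with htmlspecialchars() before they are
// written into the page, so a quote or a tag inside a name or a query-string value stays inert.
$link = mysql_connect("localhost", "root", "")
    or die("Could not connect: " . mysql_error());
mysql_select_db('wiley', $link) or die(mysql_error());

// Normalise the request once; the rest of the page only reads these copies.
$action = isset($_GET['action']) ? (string) $_GET['action'] : '';
$id     = isset($_GET['id']) ? (int) $_GET['id'] : 0;     // movie_id is an integer key
$error  = isset($_GET['error']) ? (string) $_GET['error'] : '';
$action_html = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');

// people_id => people_fullname, shared by the actor and director lists. Initialised up front
// so an empty table still hands foreach() an array instead of an undefined variable.
$people = array();
$result = mysql_query("SELECT `people_id`, `people_fullname` FROM `people`")
    or die("Invalid query: " . mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $people[$row['people_id']] = $row['people_fullname'];
}

// Values that pre-fill the form: the stored row when editing, blanks otherwise.
$movie_name = $movie_type = $movie_year = $movie_leadactor = $movie_director = '';
if ($action === "edit") {
    // $id is already an int, so it is interpolated unquoted and cannot carry SQL.
    $result = mysql_query("SELECT * FROM `movie` WHERE `movie_id` = " . $id)
        or die("Invalid query: " . mysql_error());
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    if ($row) {   // an unknown id falls back to the empty form instead of undefined-index notices
        $movie_name      = $row['movie_name'];
        $movie_type      = $row['movie_type'];
        $movie_year      = $row['movie_year'];
        $movie_leadactor = $row['movie_leadactor'];
        $movie_director  = $row['movie_director'];
    }
}
?>
<html>
<head>
<TITLE><?php echo $action_html ?> movie</TITLE>
</head>
<body>
<FORM action="commit.php?action=<?php echo $action_html ?>&type=movie&id=<?php echo $id ?>" method="post">
<?php
if ($error !== '') {
    // commit.php urlencoded the message: decode, escape for HTML, and only then let nl2br()
    // add the line breaks (escaping afterwards would turn its <br /> tags into visible text).
    echo "<div align=\"center\" style=\"color:#FFFFFF;background-color:#ff0000;font-weight:bold\">"
        . nl2br(htmlspecialchars(urldecode($error), ENT_QUOTES, 'UTF-8'))
        . "</div><br />";
}
?>
<table border=0 width="750" cellspacing=1 cellpadding=3 bgcolor="#353535" align="center">
<tr>
<td bgcolor="#ffffff" width="30%">
Movie Name
</td>
<td bgcolor="#ffffff" width="70%">
<input type="text" name="movie_name" value="<?php echo htmlspecialchars($movie_name, ENT_QUOTES, 'UTF-8') ?>">
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Movie Type
</td>
<td bgcolor="#ffffff">
<SELECT id="game" name="movie_type" style="width:150px">
<option value="" SELECTED>Select a type...</option>
<?php
$result = mysql_query("SELECT `movietype_id`, `movietype_label` FROM `movietype` ORDER BY `movietype_label`")
    or die("<font color=\"#FF0000\">Query Error</FONT>" . mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    // Compare as strings: the stored id and the id from the row are both text.
    $selected = ((string) $row['movietype_id'] === (string) $movie_type) ? ' SELECTED' : '';
    echo '<OPTION value="' . htmlspecialchars($row['movietype_id'], ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($row['movietype_label'], ENT_QUOTES, 'UTF-8') . "</OPTION>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Movie Year
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_year">
<option value="" SELECTED>Select a year...</option>
<?php
// Years are generated by the script, so they need no escaping.
for ($year = (int) date("Y"); $year >= 1970; $year--) {
    $selected = ((string) $year === (string) $movie_year) ? ' SELECTED' : '';
    echo '<option value="' . $year . '"' . $selected . '>' . $year . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Lead Actor
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_leadactor">
<option value="" SELECTED>Select an actor...</option>
<?php
foreach ($people as $people_id => $people_fullname) {
    $selected = ((string) $people_id === (string) $movie_leadactor) ? ' SELECTED' : '';
    echo '<option value="' . htmlspecialchars((string) $people_id, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($people_fullname, ENT_QUOTES, 'UTF-8') . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Director
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_director">
<option value="" SELECTED>Select a director...</option>
<?php
foreach ($people as $people_id => $people_fullname) {
    $selected = ((string) $people_id === (string) $movie_director) ? ' SELECTED' : '';
    echo '<option value="' . htmlspecialchars((string) $people_id, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($people_fullname, ENT_QUOTES, 'UTF-8') . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff" colspan=2 align="center">
<INPUT type="SUBMIT" name="SUBMIT" value="<?php echo $action_html ?>">
</td>
</tr>
</table>
</FORM>
</body>
</html>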
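<?php
// commit.php (Try It Out 1): applies the add / edit submitted by the people and movie forms.
//
// Request contract (every value below is untrusted):
//   $_GET['action']  "add" or "edit"
//   $_GET['type']    "people" or "movie"
//   $_GET['id']      id of the row being edited ("edit" only)
//   $_POST[...]      the form fields listed in $fields
//
// Each POST value passes through mysql_real_escape_string() and $id is cast to int before
// anything reaches a query string, so form input cannot change the SQL. Validation failures
// redirect back to movie.php with the messages urlencoded in ?error= (urlencode() yields
// exactly the "+...%21%0D%0A" form the original wrote out by hand).
$error = '';
$sql   = '';
$link = mysql_connect("localhost", "root", "")
    or die("Could not connect: " . mysql_error());
mysql_select_db('wiley', $link) or die(mysql_error());

$action = isset($_GET['action']) ? (string) $_GET['action'] : '';
$type   = isset($_GET['type']) ? (string) $_GET['type'] : '';
$id     = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// Raw form values default to '' so a missing field reads as empty rather than raising a
// notice; $esc holds the same values escaped for the SQL string context.
$fields = array('people_fullname', 'movie_name', 'movie_year', 'movie_type',
    'movie_leadactor', 'movie_director');
$post = array();
$esc  = array();
foreach ($fields as $field) {
    $post[$field] = isset($_POST[$field]) ? (string) $_POST[$field] : '';
    $esc[$field]  = mysql_real_escape_string($post[$field], $link);
}

if ($type === "movie" && ($action === "add" || $action === "edit")) {
    // Validation shared by add and edit. The original read the name from an undefined $row,
    // so its "movie name" check never fired; the value has to come from $_POST.
    $post['movie_name'] = trim($post['movie_name']);
    $esc['movie_name']  = mysql_real_escape_string($post['movie_name'], $link);
    if ($post['movie_name'] === '') {
        $error .= urlencode("Please enter a movie name!\r\n");
    }
    if ($post['movie_type'] === '') {
        $error .= urlencode("Please select a movie type!\r\n");
    }
    if ($post['movie_year'] === '') {
        $error .= urlencode("Please select a movie year!\r\n");
    }
}

switch ($action) {
    case "edit":
        if ($type === "people") {
            $sql = "UPDATE `people`
                SET `people_fullname` = '" . $esc['people_fullname'] . "'
                WHERE `people_id` = " . $id;
        } elseif ($type === "movie") {
            if ($error !== '') {
                header("Location: movie.php?action=edit&error=" . $error . "&id=" . $id);
                exit;   // the original fell through after header(); nothing below may run
            }
            $sql = "UPDATE `movie`
                SET `movie_name` = '" . $esc['movie_name'] . "',
                    `movie_year` = '" . $esc['movie_year'] . "',
                    `movie_type` = '" . $esc['movie_type'] . "',
                    `movie_leadactor` = '" . $esc['movie_leadactor'] . "',
                    `movie_director` = '" . $esc['movie_director'] . "'
                WHERE `movie_id` = " . $id;
        }
        break;
    case "add":
        if ($type === "people") {
            $sql = "INSERT INTO `people` (`people_fullname`)
                VALUES ('" . $esc['people_fullname'] . "')";
        } elseif ($type === "movie") {
            if ($error !== '') {
                header("Location: movie.php?action=add&error=" . $error);
                exit;
            }
            $sql = "INSERT INTO `movie`
                (`movie_name`, `movie_year`, `movie_type`, `movie_leadactor`, `movie_director`)
                VALUES ('" . $esc['movie_name'] . "',
                    '" . $esc['movie_year'] . "',
                    '" . $esc['movie_type'] . "',
                    '" . $esc['movie_leadactor'] . "',
                    '" . $esc['movie_director'] . "')";
        }
        break;
}

if ($sql !== '') {
    // The original echoed $sql inside an HTML comment; that shows the table layout and the
    // submitted values to anyone who views the page source, so it is not emitted here.
    // NOTE: mysql_error() in the die() calls also reveals server details; log it rather than
    // displaying it once this leaves the tutorial.
    mysql_query($sql) or die("Invalid query: " . mysql_error());
?>
<p align="center" style="color:#FF0000">
Done. <a href="index.php">Index</a>
</p>
<?php
}
?>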
Try It Out 2
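<?php
// movie.php (Try It Out 2): renders the add / edit form, now with release date and rating.
//
// Request contract (every value below is untrusted):
//   $_GET['action']  "add" or "edit"; anything else simply renders an empty form
//   $_GET['id']      movie_id of the row to edit (read only when action is "edit")
//   $_GET['error']   urlencoded, CRLF-separated messages sent back by commit.php
//
// Request values and database values are escaped with htmlspecialchars() before they are
// written into the page, so a quote or a tag inside a name or a query-string value stays inert.
$link = mysql_connect("localhost", "root", "")
    or die("Could not connect: " . mysql_error());
mysql_select_db('wiley2', $link) or die(mysql_error());

// Normalise the request once; the rest of the page only reads these copies.
$action = isset($_GET['action']) ? (string) $_GET['action'] : '';
$id     = isset($_GET['id']) ? (int) $_GET['id'] : 0;     // movie_id is an integer key
$error  = isset($_GET['error']) ? (string) $_GET['error'] : '';
$action_html = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');

// people_id => people_fullname, shared by the actor and director lists. Initialised up front
// so an empty table still hands foreach() an array instead of an undefined variable.
$people = array();
$result = mysql_query("SELECT `people_id`, `people_fullname` FROM `people`")
    or die("Invalid query: " . mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    $people[$row['people_id']] = $row['people_fullname'];
}

// Values that pre-fill the form: the stored row when editing, defaults otherwise.
// movie_release is a Unix timestamp (commit.php stores mktime() output); rating defaults to 5.
$movie_name = $movie_type = $movie_year = $movie_leadactor = $movie_director = '';
$movie_release = time();
$movie_rating  = "5";
if ($action === "edit") {
    // $id is already an int, so it is interpolated unquoted and cannot carry SQL.
    $result = mysql_query("SELECT * FROM `movie` WHERE `movie_id` = " . $id)
        or die("Invalid query: " . mysql_error());
    $row = mysql_fetch_array($result, MYSQL_ASSOC);
    if ($row) {   // an unknown id falls back to the default form instead of undefined-index notices
        $movie_name      = $row['movie_name'];
        $movie_type      = $row['movie_type'];
        $movie_year      = $row['movie_year'];
        $movie_release   = (int) $row['movie_release'];
        $movie_leadactor = $row['movie_leadactor'];
        $movie_director  = $row['movie_director'];
        $movie_rating    = $row['movie_rating'];
    }
}
?>
<html>
<head>
<TITLE><?php echo $action_html ?> movie</TITLE>
</head>
<body>
<FORM action="commit.php?action=<?php echo $action_html ?>&type=movie&id=<?php echo $id ?>" method="post">
<?php
if ($error !== '') {
    // commit.php urlencoded the message: decode, escape for HTML, and only then let nl2br()
    // add the line breaks (escaping afterwards would turn its <br /> tags into visible text).
    echo "<div align=\"center\" style=\"color:#FFFFFF;background-color:#ff0000;font-weight:bold\">"
        . nl2br(htmlspecialchars(urldecode($error), ENT_QUOTES, 'UTF-8'))
        . "</div><br />";
}
?>
<table border=0 width="750" cellspacing=1 cellpadding=3 bgcolor="#353535" align="center">
<tr>
<td bgcolor="#ffffff" width="30%">
Movie Name
</td>
<td bgcolor="#ffffff" width="70%">
<input type="text" name="movie_name" value="<?php echo htmlspecialchars($movie_name, ENT_QUOTES, 'UTF-8') ?>">
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Movie Type
</td>
<td bgcolor="#ffffff">
<SELECT id="game" name="movie_type" style="width:150px">
<option value="" SELECTED>Select a type...</option>
<?php
$result = mysql_query("SELECT `movietype_id`, `movietype_label` FROM `movietype` ORDER BY `movietype_label`")
    or die("<font color=\"#FF0000\">Query Error</FONT>" . mysql_error());
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    // Compare as strings: the stored id and the id from the row are both text.
    $selected = ((string) $row['movietype_id'] === (string) $movie_type) ? ' SELECTED' : '';
    echo '<OPTION value="' . htmlspecialchars($row['movietype_id'], ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($row['movietype_label'], ENT_QUOTES, 'UTF-8') . "</OPTION>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Movie Year
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_year">
<option value="" SELECTED>Select a year...</option>
<?php
// Years are generated by the script, so they need no escaping.
for ($year = (int) date("Y"); $year >= 1970; $year--) {
    $selected = ((string) $year === (string) $movie_year) ? ' SELECTED' : '';
    echo '<option value="' . $year . '"' . $selected . '>' . $year . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Lead Actor
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_leadactor">
<option value="" SELECTED>Select an actor...</option>
<?php
foreach ($people as $people_id => $people_fullname) {
    $selected = ((string) $people_id === (string) $movie_leadactor) ? ' SELECTED' : '';
    echo '<option value="' . htmlspecialchars((string) $people_id, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($people_fullname, ENT_QUOTES, 'UTF-8') . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff">
Director
</td>
<td bgcolor="#ffffff">
<SELECT name="movie_director">
<option value="" SELECTED>Select a director...</option>
<?php
foreach ($people as $people_id => $people_fullname) {
    $selected = ((string) $people_id === (string) $movie_director) ? ' SELECTED' : '';
    echo '<option value="' . htmlspecialchars((string) $people_id, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
        . htmlspecialchars($people_fullname, ENT_QUOTES, 'UTF-8') . "</option>\r\n";
}
?>
</SELECT>
</td>
</tr>
<tr>
<td bgcolor="#ffffff" width="30%">
Movie release date (dd-mm-yyyy)
</td>
<td bgcolor="#ffffff" width="70%">
<input type="text" name="movie_release" value="<?php echo date("d-m-Y", $movie_release) ?>">
</td>
</tr>
<tr>
<td bgcolor="#ffffff" width="30%">
Movie rating (0 to 10)
</td>
<td bgcolor="#ffffff" width="70%">
<input type="text" name="movie_rating" value="<?php echo htmlspecialchars((string) $movie_rating, ENT_QUOTES, 'UTF-8') ?>">
</td>
</tr>
<tr>
<td bgcolor="#ffffff" colspan=2 align="center">
<INPUT type="SUBMIT" name="SUBMIT" value="<?php echo $action_html ?>">
</td>
</tr>
</table>
</FORM>
</body>
</html>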
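<?php
// commit.php (Try It Out 2): applies the add / edit submitted by the people and movie forms,
// now validating the release-date and rating fields as well.
//
// Request contract (every value below is untrusted):
//   $_GET['action']  "add" or "edit"
//   $_GET['type']    "people" or "movie"
//   $_GET['id']      id of the row being edited ("edit" only)
//   $_POST[...]      the form fields listed in $fields
//
// Each POST value passes through mysql_real_escape_string() and $id is cast to int before
// anything reaches a query string, so form input cannot change the SQL. Validation failures
// redirect back to movie.php with the messages urlencoded in ?error= (urlencode() yields
// exactly the "+...%21%0D%0A" form the original wrote out by hand).
$error = '';
$sql   = '';
$link = mysql_connect("localhost", "root", "")
    or die("Could not connect: " . mysql_error());
mysql_select_db('wiley2', $link) or die(mysql_error());

$action = isset($_GET['action']) ? (string) $_GET['action'] : '';
$type   = isset($_GET['type']) ? (string) $_GET['type'] : '';
$id     = isset($_GET['id']) ? (int) $_GET['id'] : 0;

// Raw form values default to '' so a missing field reads as empty rather than raising a
// notice; $esc holds the same values escaped for the SQL string context.
$fields = array('people_fullname', 'movie_name', 'movie_year', 'movie_type',
    'movie_leadactor', 'movie_director', 'movie_release', 'movie_rating');
$post = array();
$esc  = array();
foreach ($fields as $field) {
    $post[$field] = isset($_POST[$field]) ? (string) $_POST[$field] : '';
    $esc[$field]  = mysql_real_escape_string($post[$field], $link);
}

$movie_release = 0;   // Unix timestamp of the validated release date
if ($type === "movie" && ($action === "add" || $action === "edit")) {
    // Validation shared by add and edit. The original duplicated it, and its add branch read
    // the name from an undefined $row, so that "movie name" check never fired.
    $post['movie_name'] = trim($post['movie_name']);
    $esc['movie_name']  = mysql_real_escape_string($post['movie_name'], $link);
    if ($post['movie_name'] === '') {
        $error .= urlencode("Please enter a movie name!\r\n");
    }
    if ($post['movie_type'] === '') {
        $error .= urlencode("Please select a movie type!\r\n");
    }
    if ($post['movie_year'] === '') {
        $error .= urlencode("Please select a movie year!\r\n");
    }

    // Rating: numeric and within 0..10.
    $post['movie_rating'] = trim($post['movie_rating']);
    $esc['movie_rating']  = mysql_real_escape_string($post['movie_rating'], $link);
    if (!is_numeric($post['movie_rating'])) {
        $error .= urlencode("Please enter a numeric rating !\r\n");
    } elseif ($post['movie_rating'] < 0 || $post['movie_rating'] > 10) {
        $error .= urlencode("Please enter a rating between 0 and 10!\r\n");
    }

    // Release date: strictly dd-mm-yyyy. The pattern is anchored (the original ereg() was not,
    // so "99-99-9999junk" passed) and checkdate() rejects impossible days such as 31-02; the
    // old "mktime() == -1" test never fires because mktime() rolls such dates over instead.
    // ereg() was removed in PHP 7; preg_match() gives the same numbered captures.
    $release = trim($post['movie_release']);
    if (!preg_match('/^([0-9]{2})-([0-9]{2})-([0-9]{4})$/', $release, $datepart)) {
        $error .= urlencode("Please enter a date with the dd-mm-yyyy format!\r\n");
    } elseif (!checkdate((int) $datepart[2], (int) $datepart[1], (int) $datepart[3])) {
        $error .= urlencode("Please enter a real date with the dd-mm-yyyy format!\r\n");
    } else {
        // Midnight on that day; movie.php feeds this timestamp to date() when re-editing.
        $movie_release = mktime(0, 0, 0, (int) $datepart[2], (int) $datepart[1], (int) $datepart[3]);
    }
}

switch ($action) {
    case "edit":
        if ($type === "people") {
            $sql = "UPDATE `people`
                SET `people_fullname` = '" . $esc['people_fullname'] . "'
                WHERE `people_id` = " . $id;
        } elseif ($type === "movie") {
            if ($error !== '') {
                header("Location: movie.php?action=edit&error=" . $error . "&id=" . $id);
                exit;   // the original fell through after header(); nothing below may run
            }
            $sql = "UPDATE `movie`
                SET `movie_name` = '" . $esc['movie_name'] . "',
                    `movie_year` = '" . $esc['movie_year'] . "',
                    `movie_release` = '" . $movie_release . "',
                    `movie_type` = '" . $esc['movie_type'] . "',
                    `movie_leadactor` = '" . $esc['movie_leadactor'] . "',
                    `movie_director` = '" . $esc['movie_director'] . "',
                    `movie_rating` = '" . $esc['movie_rating'] . "'
                WHERE `movie_id` = " . $id;
        }
        break;
    case "add":
        if ($type === "people") {
            $sql = "INSERT INTO `people` (`people_fullname`)
                VALUES ('" . $esc['people_fullname'] . "')";
        } elseif ($type === "movie") {
            if ($error !== '') {
                header("Location: movie.php?action=add&error=" . $error);
                exit;
            }
            // The original INSERT had no comma after the movie_release value and failed to parse.
            $sql = "INSERT INTO `movie`
                (`movie_name`, `movie_year`, `movie_release`, `movie_type`,
                 `movie_leadactor`, `movie_director`, `movie_rating`)
                VALUES ('" . $esc['movie_name'] . "',
                    '" . $esc['movie_year'] . "',
                    '" . $movie_release . "',
                    '" . $esc['movie_type'] . "',
                    '" . $esc['movie_leadactor'] . "',
                    '" . $esc['movie_director'] . "',
                    '" . $esc['movie_rating'] . "')";
        }
        break;
}

if ($sql !== '') {
    // The original echoed $sql inside an HTML comment; that shows the table layout and the
    // submitted values to anyone who views the page source, so it is not emitted here.
    // NOTE: mysql_error() in the die() calls also reveals server details; log it rather than
    // displaying it once this leaves the tutorial.
    mysql_query($sql) or die("Invalid query: " . mysql_error());
?>
<p align="center" style="color:#FF0000">
Done. <a href="index.php">Index</a>
</p>
<?php
}
?>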