PHP/MySql Code problem

I have spent ages going over and over this piece of code and I cannot find where the problem is and was hoping someone could help.

The page is: http://ccgi.vajudd.plus.com/search.php
It's for a university project which will be hosted on uni servers but I'm using my Plus.net cgi space for testing.
The problem is the drop down list, it dynamically creates the list correctly but when one is selected and the "submit query" is hit I get the following error:

Fatal error: Call to undefined function: showerror() in /files/home1/vajudd/search.php on line 173

Googling the error merely took me to other pages with the same errors - not helpful!
The source code for the drop down box is with the connection file name starred out:

<?php
include '********';
//Do connection stuff
if (!($connection = @ mysql_connect($hostname, $username, $password)))
    die("Could not connect");
if (!mysql_select_db($databaseName, $connection))
    showerror();

//If the region is empty then display the selection box
if (empty($_GET["typeBrand"]))
{
    displaySelection($query, $connection);
}
else
{
    displayResults($query, $connection);
}
mysql_close($connection);

function displaySelection($query, $connection)
{
    //Create the Query - notice the use of 'distinct'
    $query = " SELECT distinct Brand FROM Product";
    // Run the query on the DBMS
    if (!($result = @ mysql_query ($query, $connection)))
        showerror();
    // Find out how many rows are available
    $rowsFound = @ mysql_num_rows($result);
    // If the query has results ...
    if ($rowsFound > 0)
    {
        echo "<p>Please select a brand name from the list below</p>";
        //FORM ACTIONS ITSELF
        echo "<form action='search.php' method='GET'>";
        echo "<p><select name='typeBrand'>";
        echo "<option> All</option>";
        while ($row = @ mysql_fetch_array($result))
        {
            echo "<option/>".$row["Brand"];
        }
        echo "</select>";
    }//Rows Found
    echo "<p><input type='submit'></p></form>";
}//End of empty region Name

function displayResults($query, $connection)
{
    $typeBrand = $_GET["typeBrand"];
    $query = "SELECT Name, Description, Type, Interface, UnitPrice, Image FROM Product";

    if ($typeBrand != "All")
        $query .= " AND Brand = '$typeBrand' ";
    $query .= " ORDER BY Name";
    // echo $query;
    // Run the query on the DBMS
    if (!($result = @ mysql_query ($query, $connection)))
        showerror();

    // Find out how many rows are available
    $rowsFound = @ mysql_num_rows($result);

    // If the query has results ...
    if ($rowsFound > 0)
    {
        // and start a <table>.
        echo "\n<table border=1 cellpadding =10 class=paragraph>\n<tr>" .
            "\n\t<th>Name</th>" .
            "\n\t<th>Description</th>" .
            "\n\t<th>Type</th>" .
            "\n\t<th>Interface</th>" .
            "\n\t<th>Price (£)</th>" .
            "\n\t<th>Image</th>" .
            "\n</tr>";

        // Fetch each of the query rows
        while ($row = @ mysql_fetch_array($result))
        {
            // Print one row of results
            echo "\n<tr>" .
                "\n\t<td>" . $row["Name"] . "</td>" .
                "\n\t<td>" . $row["Description"] . "</td>" .
                "\n\t<td>" . $row["Type"] . "</td>" .
                "\n\t<td>" . $row["Interface"] . "</td>" .
                "\n\t<td>" . $row["UnitPrice"] . "</td>" .
                "\n\t<td><img src=" . $row["Image"] . " /></td>" .
                "\n</tr>";
        } // end while loop body

        // Finish the <table>
        echo "\n</table>";
    } // end if $rowsFound body

    // Report how many rows were found
    echo "$rowsFound records found matching your criteria<br>";
}//End else for region name
?>

Any help would be very much appreciated.
 
I'm not a PHP expert but I reckon that it can't find a definition for the showerror() function? Do you need a #include statement or something similar so that it can find the library functions? What happens if you just remove the call to showerror and just display a random text string (like "it's all gone pete tong" or something)?

HT
 
I had thought that but it doesn't have a problem with the first showerror() function, only the second one. If I do comment out the showerror() bit I get:
" records found matching your criteria"
I'm stumped. :(
 
That's because the first SQL query is succeeding and it's not throwing an error; the second one is failing, hitting the showerror function and throwing a wobbly. The reason it says "rows returned" is because the $rowsFound variable is empty.

Where is the showerror() method defined? What should it be doing and why can't it find it?

HT
 
I have never defined a showerror() function, I guessed it was something predefined in PHP (I'm still learning so sorry if what I'm saying doesn't make sense). I also guessed that it showed the error because something went wrong with the query and that the problem was not the showerror() function, but it was displaying that as something else was undefined.
 
"Call to undefined function" means the function doesn't exist.

You can check if a function exists in PHP's core by www.php.net/function so, www.php.net/showerror - gives you an error page saying that the function doesn't exist :)

Stick "echo $typeBrand;" somewhere in the code (where it makes sense) to see what it contains and if it contains an expected value, then run the query which is being put together (use something like phpmyadmin or MySQL Administrator to connect to the database) and see what it does.

It looks like no results are being returned which is causing the script to go to the showerror() function, which presumably should be something to display an error message. So you can replace it with:

Code:
echo "No results found";

Which would probably work just as well, though you might want better error handling than that of course :)
 
I am officially a numpty. I'm looking all over the PHP for an error....and it's the query that's at fault. I had:

SELECT Name, Description, Type, Interface, UnitPrice, Image FROM Product
AND Brand
ORDER BY Name

Which has a glaring error I cannot believe I missed, where is my WHERE and why have I got an AND?!

New code:

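$query = "SELECT Name, Description, Type, Interface, UnitPrice, Image FROM Product";

// Add the WHERE clause only when a specific brand is chosen,
// so that "All" does not leave a dangling WHERE in the query
if ($typeBrand != "All")
    $query .= " WHERE Brand = '$typeBrand' ";
$query .= " ORDER BY Name";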

And it works! Thanks for making me look at the query again, I knew it should be returning some value as the Brand names are read directly from the database so none should have 0 values.
*Goes to find her basic SQL code book from first semester* :D
 
Mysteria said:
Code:
if ($typeBrand != "All")
	  $query .= " Brand = '$typeBrand' ";
While the code you've posted doesn't really pose much of a security risk, you should make a habit of always checking and sanitising external input in your scripts. $typeBrand comes directly from the GET parameter of the same name, without any checking, allowing a user to potentially insert anything of their choosing straight into your query string.

Have a read of the section about SQL injection in the HG&P PHP security thread, along with the rest of the good coding-practices described within it :).
 
Thank you very much! Another section for my assignment is a report on security in websites...so that thread will prove most useful. Also have added the strip_tags() function as follows:

$typeBrand = $_GET["typeBrand"];
// strip_tags() returns the cleaned string, so assign the result back
$typeBrand = strip_tags($typeBrand);

Still works so I think I did it right. :D
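
An added example, not code from any poster in this thread: it illustrates the SQL injection advice above and the strip_tags() follow-up by binding the brand as a query parameter instead of concatenating it into the SQL string. It assumes PDO with an in-memory SQLite database and constructed rows standing in for the thread's MySQL Product table; findProducts() is a hypothetical helper name.

```php
<?php
// Added example. Constructed data: an in-memory SQLite table stands in for the
// thread's MySQL Product table (assumption), so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Product (Name TEXT, Brand TEXT, UnitPrice REAL)");
$db->exec("INSERT INTO Product VALUES
    ('Optical Mouse', 'Acme', 9.99),
    ('Keyboard', 'Acme', 14.50),
    ('Webcam <b>Pro</b>', 'Globex', 29.00)");

// Hypothetical helper: the brand is bound as a parameter, never concatenated
// into the SQL text, and "All" simply omits the WHERE clause.
function findProducts(PDO $db, string $typeBrand): array
{
    $sql = "SELECT Name, Brand, UnitPrice FROM Product";
    $params = [];
    if ($typeBrand !== "All") {
        $sql .= " WHERE Brand = :brand";
        $params[':brand'] = $typeBrand;
    }
    $sql .= " ORDER BY Name";
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs, as they might arrive in $_GET["typeBrand"].
$inputs = ["Acme", "All", "Acme' OR '1'='1"];
foreach ($inputs as $typeBrand) {
    // strip_tags() removes markup only; quotes pass through unchanged,
    // so it does not make string concatenation into SQL safe.
    $stripped = strip_tags($typeBrand);
    $rows = findProducts($db, $typeBrand);
    printf("input=%s | after strip_tags=%s | rows=%d\n",
        $typeBrand, $stripped, count($rows));
    foreach ($rows as $row) {
        // Encode on output so stored markup is shown as text, not HTML.
        echo "  ", htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

With the bound parameter, the third constructed input is compared as a literal brand name and matches no rows, while strip_tags() leaves its quotes untouched.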
 