I have been trying to secure my web page for a while now by preventing sql injection. However, now nothing is being displayed on the page at all after I submit my form. Here is my complete code because I don't know where my error is occurring.
<?php
require_once 'db_connect.php';
?>
<head>
<title> Data </title>
<link href = "ss2.css" type = "text/css" rel = "stylesheet" >
</head>
<body>
<h1> Research Center </h1>
<a href = "home.php"> Data Home Page </a>
<ol class = 'instructions'>
<li> Step 1: Please select your first year you want to gather data from. </li>
<li> Step 2: Next, select a second year to create a time interval. </li>
<li> Step 3: Then, select the time of year you want to retrieve data from. </li>
<li> Step 4: Finally, specify a specific regional location. </li>
</ol>
<form action="unemployed2.php" method ="post">
<input type="hidden" name="submitted" value="true" />
<fieldset>
<legend>
Specify Date, Month, and County
</legend>
<p class = 'year'>
<label for="year">
Please Select years: From
</label>
<select name= 'year'>
<option value= ''> </option>
<?php
$query = "select distinct year from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->year."'>".$row->year."</option>";
}
?>
</select>
</p>
<p class = 'year'>
<label for="year">
To
</label>
<select name= 'year2'>
<option value= ''> </option>
<?php
$query = "select distinct year from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->year."'>".$row->year."</option>";
}
?>
</select>
</p>
<p>
<label for="month">
Please select a month
<label>
<select name= 'month'>
<option value= ''> </option>
<?php
$query = "select distinct month from unemployed";
$result = $conn->query($query);
while($row = $result->fetch_object()) {
echo "<option value='".$row->month."'>".$row->month."</option>";
}
?>
<option value = "All Months"> All Months </option>
</select>
</p>
<p>
<label for="location">
Please specify a location
</label>
<select name='location'>
<option value= ''> </option>
<option value = 'Fayette'> Fayette County (IN) </option>
<option value = 'Henry'> Henry County (IN) </option>
<option value = 'Randolph'> Randolph County (IN) </option>
<option value = 'Rush'> Rush County (IN) </option>
<option value = 'Union'> Union County (IN) </option>
<option value = 'Wayne'> Wayne County (IN) </option>
<option value = 'INCounties'> Local Indiana Counties </option>
<option value = 'Indiana'> Indiana </option>
<option value = 'Butler'> Butler County (OH) </option>
<option value = 'Darke'> Darke County (OH) </option>
<option value = 'Mercer'> Mercer County (OH) </option>
<option value = 'Preble'> Preble County (OH) </option>
<option value = 'OHCounties'> Local Ohio Counties </option>
<option value = 'Ohio'> Ohio </option>
<option value = 'US'> United States </option>
</select>
</p>
<input type ="submit" />
</fieldset>
</form>
<?php
if (isset($_POST['submitted'])) {
$gYear = $_POST["year"];
$gYear2 = $_POST["year2"];
$gMonth = $_POST["month"];
$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph',
'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
'loc14' => 'Ohio', 'loc15' => 'US');
if ($gYear > $gYear2) {
die('ERROR: Your second year cant be a time period before the first year you selected');
}
else {
if (array_key_exists($_POST["location"], $array)) {
$column = $_POST["location"];
}
else {
echo "ERROR";
}
$sql = "SELECT `$column`, `Year`, `Month` FROM unemployed WHERE year BETWEEN ? AND ? and month= ?";
$query = $conn->prepare($sql);
$query->bind_param('sss', $gyear, $gYear2, $gMonth);
$query->execute();
$result = $query->get_result();
echo "<table>";
echo "<tr><th>Year</th><th>Month</th><th>$column</th></tr>";
while ($row = $result->fetch_object()){
echo "<tr><td>";
echo $row->$column;
echo "</td><td>";
echo $row->Year;
echo "</td><td>";
echo $row->Month;
echo "</td></tr>";
}
$query->close();
echo "</table>";
}
} // end of main if statement
?>
</body>
If I had to guess, my error lies within these lines of code because the web page shows ERROR after I push the submit button:
$array = array('loc1' => 'Fayette', 'loc2' => 'Henry', 'loc3' => 'Randolph',
'loc4' => 'Rush', 'loc5' => 'Union', 'loc6' => 'Wayne',
'loc7' => 'INCounties','loc8' => 'Indiana', 'loc9' => 'Butler', 'loc10' => 'Darke',
'loc11' => 'Mercer', 'loc12' => 'Preble', 'loc13' => 'OHCounties',
'loc14' => 'Ohio', 'loc15' => 'US');
else {
if (array_key_exists($_POST["location"], $array)) {
$column = $_POST["location"];
}
else {
echo "ERROR";
}
Does anyone know what my error is? Any help would be greatly appreciated.
add error_reporting(E_ALL); and ini_set("display_errors",1); at the top of your code, and check for an error
One thing that I think is not working is this line of code in your second code block:
if (array_key_exists($_POST["location"], $array)) {
This will never return true, because the values in your select input in your HTML code are not the keys of $array, but the values. So $_POST["location"] will always contain a value in $array, not a key. So array_key_exists will always return false in that line of code.
That means the else-block will be executed, which will cause "ERROR" to be printed.
Did you mean to use in_array($_POST["location"], $array) (PHP Manual) instead, maybe?
From your code ERROR is printed in the else check of: array_key_exists($_POST["location"], $array). Check your database make sure there are no nulls and the values are exactly what is placed in your mapping array $array, keys are case-sensitive.
Also, you don't need an else after a die() statement, as the program has stopped. You can leave your structure like:
if (...) die();
//rest of code
Also try to format properly, or at least stick to a readable structure, e.g.:
function () {
if () {
...
} else {
...
}
return true;
}
You are checking your array of locations for a matching key, but your location is actually a value. You are also repeating your locations twice. I would recommend creating a $locations array at the top of your file, use it to populate your option tags and then also use it for your validation test. This will result in your "array_key_exists" test doing what you expect it to.
<?php
// top
$locations = array(
'Fayette' => 'Fayette Counter (IN)',
'Henry' => 'Henry County (IN)',
'Randolph' => 'Randolph County (IN)',
'Rush' => 'Rush County (IN)',
'Union' => 'Union County (IN)',
'Wayne' => 'Wayne County (IN)',
'INCounties' => 'Local Indiana Counties (IN)',
'Indiana' => 'Indiana',
'Butler' => 'Butler County (OH)',
'Darke' => 'Darke County (OH)',
'Mercer' => 'Mercer County (OH)',
'Preble' => 'Preble County (OH)',
'OHCounties' => 'Local Ohio Counties',
'Ohio' => 'Ohio',
'US' => 'United States'
);
?>
<!-- middle -->
<select name='location'>
<option value= ""> </option>
<?php
foreach($locations as $k => $v){
echo "<option value=\"{$k}\">{$v}</option>";
}
?>
</select>
<?php
// bottom
if (array_key_exists($_POST["location"], $locations)){
$column = $_POST["location"];
} else {
echo "ERROR";
}
?>