

get-country-info
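<form
  name="countrysearchform"
  id="countrysearchform"
  action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>"
  method="GET">

Search: <input name="country_name" type="text" size="30">
<br>
<p><input type="submit" value="Search"></p>
</form>

<?php
// Demo page: look up countries by name prefix in the MySQL "world" sample
// database. Request: GET ?country_name=<prefix> (the form above posts back
// to this script).
//
// Two separate concerns are demonstrated here:
//   1. The database query uses a prepared statement with a bound parameter,
//      so the user-supplied value can never become part of the SQL text
//      (contrast with the commented-out sprintf() version at the bottom).
//   2. Everything reflected into the HTML response -- the form action, the
//      rows read back from the database -- goes through htmlspecialchars().
//      A parameterised query protects the database, not the browser; the
//      original page echoed PHP_SELF and the DB values unescaped.

// Turn mysqli failures into exceptions so a failed connect/prepare/execute
// stops the script instead of silently continuing with a bad handle.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// NOTE(review): hard-coded demo credentials for the "world" sample DB.
// Move them to configuration outside the web root before reusing this page.
$dbh = mysqli_connect("127.0.0.1", "world", "world", "world");

// First page load has no country_name parameter at all: default to an empty
// prefix (the original raised an "undefined index" notice here).
$country_name = strtolower($_GET['country_name'] ?? '');

// Left in from the original page as a demonstration: appending SQL-looking
// text to the *value* changes nothing, because the value is bound as data,
// not spliced into the statement. Uncomment to see that it just makes the
// LIKE pattern match nothing.
#$country_name .= ' and Population > 8000000';

$sth = $dbh->prepare(
'select Name, Population from country where Name like ?'
);

// A bound parameter cannot alter the SQL, but LIKE still interprets '%' and
// '_' inside the value as wildcards -- a search for "%" would list the whole
// table. Escape those characters before appending our own trailing '%'.
// MySQL's default ESCAPE character for LIKE is the backslash.
$pattern = addcslashes($country_name, '%_\\') . '%';
$sth->bind_param("s", $pattern);
$sth->execute();
$sth->bind_result($name, $population);
while ($sth->fetch()) {
  // Escape on output: database content is not trusted HTML.
  printf ("%s %s<br>\n",
          htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
          number_format($population));
}
$sth->close();
$dbh->close();


/*
SQL Injections -- what NOT to do.

The version below builds the statement by string formatting. sprintf()'s %s
performs no escaping, so a country_name containing a double quote closes the
string literal and whatever follows is interpreted as SQL by the server.
Neither form of string building shown here is safe; the prepared statement
above is the fix.

$query = sprintf(
'select Name, Population from country where Name = "%s"',
 $country_name);

## 'select bla from bli where a="'.$a.'" and b = "'.$b.'"';
## sprintf 'select bla from bli where a="%s" and b = "%s"', $a, $b;

$result = $dbh->query($query);

$row = $result->fetch_assoc();
printf ("%s %s<br>\n", $row["Name"],
                       $row["Population"]
				  );
*/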