get-country-info [2016/05/10 16:00] (current) mh created |
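--- a/get-country-info
+++ b/get-country-info
@@ -0,0 +1,50 @@
+<code>
+<form
+name="countrysearchform"
+id="countrysearchform"
+action="<?php echo $_SERVER['PHP_SELF'];?>"
+method="GET">
+
+Search: <input name="country_name" type="text" size="30">
+<br>
+<p><input type="submit" value="Search"></p>
+</form>
+<?php
+
+$dbh = mysqli_connect("127.0.0.1", "world", "world", "world");
+
+$country_name = strtolower($_GET['country_name']);
+
+#$country_name .= ' and Population > 8000000';
+
+$sth = $dbh->prepare(
+'select Name, Population from country where Name like ?'
+);
+
+$country_name .= '%';
+$sth->bind_param("s", $country_name);
+$sth->execute();
+$sth->bind_result($name, $population);
+while ($sth->fetch()) {
+printf ("%s %s<br>\n", $name, number_format($population));
+}
+
+
+/*
+SQL Injections
+
+$query = sprintf(
+'select Name, Population from country where Name = "%s"',
+$country_name);
+
+## 'select bla from bli where a="'.$a.'" and b = "'.$b.'"';
+## sprintf 'select bla from bli where a="%s" and b = "%s"', $a, $b;
+
+$result = $dbh->query($query);
+
+$row = $result->fetch_assoc();
+printf ("%s %s<br>\n", $row["Name"],
+$row["Population"]
+);
+*/
+</code>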
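Review bot: The SQL side is parameterised correctly, but the HTML side still reflects untrusted data unescaped: `$_SERVER['PHP_SELF']` is echoed raw into the form's `action` attribute (attacker-controllable through the request path where the server passes PATH_INFO through), and `$name` coming back from the database is printed raw inside the fetch loop, so both are markup-injection points on the page this snippet is meant to harden. Change them to `action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>"` and `printf("%s %s<br>\n", htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), number_format($population));`. Reading `$_GET['country_name']` without checking it exists raises a notice on the first (form-less) load; `$country_name = strtolower($_GET['country_name'] ?? '');` avoids that. Neither the `mysqli_connect` nor the `prepare` result is checked, so a failed connection reaches `$dbh->prepare` on `false`; enabling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` before connecting turns those into exceptions. A short comment above the `.= '%'` line should also note that LIKE metacharacters (`%`, `_`) in the user's term are not escaped, which is harmless for this search but widens the match beyond a prefix.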