I have a problem: depending on the text selected in the first check box, it does not load the years related to it from the database. jQuery only works when the text loaded in the first box has no space.
*Here is the file with the checkboxes, "gera_html.php":*
```php
<html>
<head>
  <title>Gerador Planos de Ensino</title>
  <link rel="stylesheet" media="screen" href="./css/styles.css" >
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <script src="jquery-1.3.2.min.js" type="text/javascript"></script>
  <script src="./js/ver_selects.js" type="text/javascript">
  </script>
  <script type="text/javascript">
    $(document).ready(function(){
      $('#departamentos').change(function(){
        $('#anos').load('anos.php?departamentos='+$('#departamentos').val() );
      });
    });
  </script>
</head>
<?php
include "valida_cookies.inc";
require("connect.php");
?>
<body>
<form class="cad_admin" method="GET" action="anos.php" autocomplete="on" >
  <ul>
    <h2>Gerador Planos de Ensino</h2>
    <li>
    <li><label>Escolha um Departamento</label>
      <select name="departamentos" id="departamentos" >
        <?php
        require("connect.php");
        $depto_result=mysql_query("SELECT DISTINCT DepartamentoDoResponsavel FROM responsavel ORDER BY DepartamentoDoResponsavel ASC");
        echo "<option value='00'>".'Escolha um departamento'."</option>";
        while($row = mysql_fetch_array($depto_result)){
          echo "<option>".$row['DepartamentoDoResponsavel']."</option>";
        }
        mysql_close();
        ?>
      </select></li>
      </select></li>
    <li><label>Ano</label>
      <select name="anos" id="anos">
        <option value="00">Escolha um Ano</option>
      </select></li>
    <li>
      <button class="submit" type="submit">Gerar</button>
    </li>
    </li>
  </ul>
</form>
</body>
</html>
```
And here is the anos.php being called by jQuery:
```php
<?php
// Value sent by the jQuery .load() call in gera_html.php
$departamento = $_GET['departamentos'];
echo $departamento;
require('connect.php');
// The request value is placed directly inside the SQL string
$sql = "SELECT DISTINCT AnoDeAplicacao FROM planodeensino
        WHERE planodeensino.DepartamentoPorExtenso = '$departamento'";
$result = mysql_query($sql);
echo "<option value='0'>".'Escolha um Ano'."</option>";
while($linha = mysql_fetch_array($result) ){
  echo "<option>".$linha['AnoDeAplicacao']."</option>";
}
mysql_close();
?>
```
If you do `echo $sql;` in the `anos.php`, what does it give you?
– Sergio
Have you tried doing a `trim()` on your `$('#departamentos').val()`?
– Paulo Roberto Rosa
Please fix that code, if not: `?departamentos=';DROP+TABLE+planodeensino;--`
– Gustavo Rodrigues
I agree, make some treatment in the code or use PDO to avoid problems with SQL Injection.
– Diego Lopes Lima
@Gustavorodrigues: surely the code is very vulnerable and this needs to be handled, but your specific example is harmless because the command mysql_query of the (obsolete) PHP mysql extension only runs one query at a time (what comes after the semicolon is ignored)
– J. Bruni
The $sql variable is thus SELECT DISTINCT WHERE planodeensino.Departamentoporextenso = 'MECÂNICA' if you have used echo
– user4725
I’m trying to figure this out before I switch to PDO, thanks for your concern.
– user4725
I didn’t know this: it’s been a long time since I used this extension. Anyway it’s best to avoid.
– Gustavo Rodrigues
Your code may even ignore something after the semicolon, but it won't ignore something like `' OR 1=1 \`. If this will display your entire table on a page or if it will allow the person to log in with the wrong password, it is still a problem. Bad things can still happen even if you use `DROP TABLE`
– Emerson Rocha
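
Added example, not part of the original thread: one way to write the query in `anos.php` with a PDO prepared statement, as the comments suggest, with output encoding for the `<option>` values. It assumes an in-memory SQLite database with constructed rows standing in for the MySQL connection from `connect.php`; `anos_options` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumptions: PDO's sqlite driver stands
// in for the MySQL connection in connect.php; all rows below are constructed.

function anos_options(PDO $pdo, string $departamento): string
{
    // The department name is bound as a parameter, never concatenated into SQL,
    // so quotes, spaces and semicolons in it are treated as plain data.
    $stmt = $pdo->prepare(
        'SELECT DISTINCT AnoDeAplicacao FROM planodeensino
          WHERE DepartamentoPorExtenso = :depto
          ORDER BY AnoDeAplicacao'
    );
    $stmt->execute([':depto' => trim($departamento)]);

    $html = "<option value='0'>Escolha um Ano</option>";
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $ano) {
        // Encode on output so stored values cannot inject markup either.
        $html .= '<option>' . htmlspecialchars((string) $ano, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html;
}

// Constructed sample data in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE planodeensino (DepartamentoPorExtenso TEXT, AnoDeAplicacao INTEGER)');
$ins = $pdo->prepare('INSERT INTO planodeensino VALUES (?, ?)');
$rows = [['MECÂNICA', 2012], ['MECÂNICA', 2013],
         ['ENGENHARIA CIVIL', 2013], ['ENGENHARIA CIVIL', 2014]];
foreach ($rows as $row) {
    $ins->execute($row);
}

// A department name containing a space, then the two inputs quoted in the
// comments above, as PHP would decode them from the query string.
$inputs = ['ENGENHARIA CIVIL', "' OR 1=1 \\", "';DROP TABLE planodeensino;--"];
foreach ($inputs as $in) {
    echo $in, ' => ', anos_options($pdo, $in), PHP_EOL;
}

// Row count after the calls above, to confirm the table was not modified.
echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM planodeensino')->fetchColumn(), PHP_EOL;
```

Against MySQL the same function works unchanged with a `mysql:` DSN passed to `new PDO(...)`.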