Let's take a closer look at the code. The first thing the code does is check whether a project id has been sent over. If so, it checks that the project id is actually a number; if it is not, the user is redirected to the login page:

```php
<?php
include "dbcon.php";
include "functions.php";

if(isset($_GET['pid'])){
    //clean pid
    if(!is_numeric($_GET['pid'])){
        //the value received is not numeric. redirect the user to login
        header("location:login.php");
        exit; //stop here: without exit the rest of the script still runs after the redirect header
    }
```

If the project id passes the number check, it is cleaned and then used in the query:

```php
    //otherwise clean the received value for query use
    //mysql_real_escape_string uses the open connection's charset; the older
    //mysql_escape_string is deprecated and does not
    $cpid = mysql_real_escape_string($_GET['pid']);
}
```

The first query is run to get the name of the project that matches the id that was received. If a match is found, the result is stored in the `$title` variable:

```php
$getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";
$g_result = mysql_query($getname);
if(!$g_result){
    echo mysql_error();
}else{
    $rowname = mysql_fetch_assoc($g_result);
    $title = $rowname['title']; //read from the fetched row, not an undefined $row
}
```

After checking whether the form has been submitted, an insert query is executed and the staff details are inserted into the database. The user is then redirected to the main page of the application:

```php
if(isset($_POST['submit'])){
    //check vars
    $sname = mysql_real_escape_string($_POST['s_name']);
    $p_pid = mysql_real_escape_string($_POST['p_pid']);
    //insert
    $insert  = "INSERT INTO staff SET name = '".$sname."',";
    $insert .= "p_id = '".$p_pid."'";
    if(!mysql_query($insert)){
        echo mysql_error();
    }else{
        header("location:main.php");
        exit;
    }
}
?>
```
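The code above relies on escaping values and then splicing them into SQL strings, which is exactly the pattern prepared statements were introduced to replace. The following is an added example, not code from the original post: the same two-query flow (validate the id, look up the title, insert the staff member on submit) rebuilt on PDO with bound parameters. It assumes an in-memory SQLite database standing in for the MySQL connection opened by `dbcon.php`, and column names taken from the post (`projects.pid`, `projects.title`, `staff.name`, `staff.p_id`); the `handle_request` function and its return strings are this example's own convention so it can be exercised from the command line with constructed input.

```php
<?php
// Added example, not the original post's code. Assumptions (not from the post):
// an in-memory SQLite database stands in for dbcon.php's MySQL connection, and
// handle_request() returns a string describing the action a real handler would
// take (header('Location: ...'); exit;) so it can be driven from the CLI.

function validate_pid($raw): ?int {
    // FILTER_VALIDATE_INT accepts only a plain decimal integer; is_numeric()
    // alone would also pass floats, hex and exponent forms such as "1e3".
    $pid = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $pid === false ? null : $pid;
}

function project_title(PDO $db, int $pid): ?string {
    // The id is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT title FROM projects WHERE pid = :pid');
    $stmt->execute([':pid' => $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['title'] : null;
}

function add_staff(PDO $db, string $name, int $pid): bool {
    $stmt = $db->prepare('INSERT INTO staff (name, p_id) VALUES (:name, :pid)');
    return $stmt->execute([':name' => $name, ':pid' => $pid]);
}

function open_demo_db(): PDO {
    // Constructed fixture standing in for dbcon.php.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE projects (pid INTEGER PRIMARY KEY, title TEXT NOT NULL)');
    $db->exec('CREATE TABLE staff (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT NOT NULL, p_id INTEGER NOT NULL)');
    $db->exec("INSERT INTO projects (pid, title) VALUES (1, 'Alpha'), (2, 'Beta')");
    return $db;
}

// Same control flow as the post: validate pid, look up the title, insert on submit.
function handle_request(PDO $db, array $get, array $post): string {
    $pid = validate_pid($get['pid'] ?? '');
    if ($pid === null) {
        return 'redirect:login.php';
    }
    $title = project_title($db, $pid);
    if ($title === null) {
        return 'redirect:login.php'; // unknown project id
    }
    if (isset($post['submit'])) {
        $sname = trim((string)($post['s_name'] ?? ''));
        if ($sname === '' || strlen($sname) > 100) {
            return 'error:invalid name';
        }
        // Bind the pid already validated from the URL; a hidden p_pid form
        // field is just another untrusted input and adds nothing over it.
        add_staff($db, $sname, $pid);
        return 'redirect:main.php';
    }
    return 'form:' . $title;
}

if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    // Constructed inputs: a valid id, an injection-shaped id, a name containing a quote.
    echo handle_request($db, ['pid' => '1'], []), "\n";
    echo handle_request($db, ['pid' => "1' OR '1'='1"], []), "\n";
    echo handle_request($db, ['pid' => '2'], ['submit' => 1, 's_name' => "O'Brien"]), "\n";
    $row = $db->query('SELECT name, p_id FROM staff')->fetch(PDO::FETCH_ASSOC);
    echo $row['name'], ' -> project ', $row['p_id'], "\n";
}
```

Run it with `php example.php`: the injection-shaped id never reaches the database because `validate_pid` rejects it before any query, and the quote in `O'Brien` is stored literally because it travels as a bound parameter rather than as SQL text. Note that `exit` after `header('Location: ...')` matters in the real handler, since PHP otherwise keeps executing the script after the redirect header has been queued.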