The view staff page lists all the staff members that are involved in a project. It runs a query to retrieve all the names from the staff table that match a particular project id, and then builds a dynamic table based on the result of the query.

Below is a screenshot of what the page looks like:

And below is the code that makes up the page:

```php
<?php
include "dbcon.php";
include "functions.php";
if(isset($_GET['pid'])){
    //clean pid
    if(!is_numeric($_GET['pid'])){
        //the value received is not numeric. redirect the user to login
        header("location:login.php");
        exit; //stop here, otherwise the rest of the script still runs
    }
    //otherwise clean the received value for query use
    $cpid = mysql_real_escape_string($_GET['pid']);
    //get project name
    $getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";
    $g_result = mysql_query($getname);
    if(!$g_result){
        echo mysql_error();
    }else{
        $rowname = mysql_fetch_assoc($g_result);
        $title = $rowname['title'];
    }
    //get the staff
    $getstaff = "SELECT * FROM staff WHERE p_id = '".$cpid."' ORDER BY sid";
    $result = mysql_query($getstaff);
    if(!$result){
        echo mysql_error();
    }else{
        $num = mysql_num_rows($result);
    }
}else{
    //no pid supplied: nothing to show, redirect the user to login
    header("location:login.php");
    exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><!-- InstanceBegin template="/Templates/PM_Main.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<!-- InstanceBeginEditable name="doctitle" -->
<title>Untitled Document</title>
<!-- InstanceEndEditable -->
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="Templates/main.css" rel="stylesheet" type="text/css" />
</head>
<body>
<table width="100%" border="0">
  <tr>
    <td width="33%"> </td>
    <td width="28%"> </td>
    <td width="39%">Logged in: <!-- InstanceBeginEditable name="login" --><?php echo htmlspecialchars($_SESSION['name']); ?> | <a href="logout.php">Logout</a><!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td colspan="3" bgcolor="#6699CC" class="headertxt">Project Management Software </td>
  </tr>
  <tr>
    <td colspan="3"><!-- InstanceBeginEditable name="main" -->
      <table width="99%" border="0">
        <tr>
          <td colspan="2" class="loginheader"><?php echo htmlspecialchars($title); ?> </td>
        </tr>
        <tr>
          <td width="44%">Members of this project: </td>
          <td width="56%"> </td>
        </tr>
        <tr>
          <td> </td>
          <td> </td>
        </tr>
        <tr>
          <td><strong> Name</strong></td>
          <td><strong>Action</strong></td>
        </tr>
        <?php
        //values read from the database are HTML-escaped before they are printed
        if($num > 0){
          while($row = mysql_fetch_assoc($result)){ ?>
        <tr>
          <td><?php echo htmlspecialchars($row['name']); ?> </td>
          <td><a href="delete_member.php?sid=<?php echo urlencode($row['sid']); ?>&amp;cpid=<?php echo urlencode($cpid); ?>">Delete</a></td>
        </tr>
        <?php
          }
        }else{ ?>
        <tr>
          <td colspan="2"><p>There are no members registered for this project.</p></td>
        </tr>
        <?php } ?>
      </table><!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td colspan="3"><!-- InstanceBeginEditable name="nav" --><a href="main.php">View Project List</a> | <a href="admin/login.php">Administrators Corner </a><!-- InstanceEndEditable --></td>
  </tr>
  <tr>
    <td align="right" class="cright" colspan="3">copyright © 2007 PM </td>
  </tr>
</table>
</body>
<!-- InstanceEnd --></html>
```

Delete script:

```php
<?php
include "dbcon.php";
include "functions.php";
//only accept numeric ids; anything else goes back to login
if(!isset($_GET['sid'], $_GET['cpid']) || !is_numeric($_GET['sid']) || !is_numeric($_GET['cpid'])){
    header("location:login.php");
    exit;
}
//escape the value before it goes into the query
$remove = "DELETE FROM staff WHERE sid = '".mysql_real_escape_string($_GET['sid'])."'";
mysql_query($remove);
header("location:view_staff.php?pid=".urlencode($_GET['cpid']));
exit;
?>
```

The code starts by checking to see if the pid is numeric or not. If it is not numeric, the user is redirected to the login page and the rest of the script does not run at all. If it is numeric, it is escaped and ready to be used in a MySQL query:

```php
<?php
include "dbcon.php";
include "functions.php";
if(isset($_GET['pid'])){
    //clean pid
    if(!is_numeric($_GET['pid'])){
        //the value received is not numeric. redirect the user to login
        header("location:login.php");
        exit; //stop here, otherwise the rest of the script still runs
    }
    //otherwise clean the received value for query use
    $cpid = mysql_real_escape_string($_GET['pid']);
```

PHP then runs a query to retrieve the name of the project concerned, and stores the name in a variable called $title:

```php
    //get project name
    $getname = "SELECT title FROM projects WHERE pid = '".$cpid."'";
    $g_result = mysql_query($getname);
    if(!$g_result){
        echo mysql_error();
    }else{
        $rowname = mysql_fetch_assoc($g_result);
        $title = $rowname['title'];
    }
```

Finally, the query to get the list of staff members who work on the project is run. The result set is kept in $result, and the number of rows it returned is stored in the $num variable:

```php
    //get the staff
    $getstaff = "SELECT * FROM staff WHERE p_id = '".$cpid."' ORDER BY sid";
    $result = mysql_query($getstaff);
    if(!$result){
        echo mysql_error();
    }else{
        $num = mysql_num_rows($result);
    }
}else{
    //no pid supplied: nothing to show, redirect the user to login
    header("location:login.php");
    exit;
}
?>
```
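A hardened variant of the delete step, as an added example that is not part of the original page: the sid is bound as a query parameter instead of being concatenated into the SQL, the delete is scoped to the project, and the request must be a POST carrying a session token rather than a plain link. PDO with in-memory SQLite stands in for the MySQL connection from dbcon.php; delete_member(), the csrf field and the sample rows are assumptions made for this example.

```php
<?php
// Added example: parameterized, POST-only delete with a session token check.
// Assumptions: delete_member(), the 'csrf' field and the sample rows are constructed;
// in-memory SQLite via PDO stands in for the MySQL connection from dbcon.php.
function delete_member(PDO $db, string $method, array $post, array $session): int
{
    // State-changing requests must be POSTs carrying the token stored in the session.
    if ($method !== 'POST') {
        throw new RuntimeException('delete must be a POST');
    }
    $sent = is_string($post['csrf'] ?? null) ? $post['csrf'] : '';
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        throw new RuntimeException('bad CSRF token');
    }
    // FILTER_VALIDATE_INT accepts whole numbers only; is_numeric() also passes "1e3" and "1.5".
    $opts = ['options' => ['min_range' => 1]];
    $sid  = filter_var($post['sid']  ?? null, FILTER_VALIDATE_INT, $opts);
    $cpid = filter_var($post['cpid'] ?? null, FILTER_VALIDATE_INT, $opts);
    if ($sid === false || $cpid === false) {
        throw new InvalidArgumentException('sid and cpid must be positive integers');
    }
    // Placeholders keep the values out of the SQL text; p_id scopes the delete to one project.
    $stmt = $db->prepare('DELETE FROM staff WHERE sid = :sid AND p_id = :pid');
    $stmt->execute([':sid' => $sid, ':pid' => $cpid]);
    return $stmt->rowCount();
}

// Constructed sample data and requests.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (sid INTEGER PRIMARY KEY, p_id INTEGER, name TEXT)');
$db->exec("INSERT INTO staff (sid, p_id, name) VALUES (1, 10, 'Ann'), (2, 10, 'Bob'), (3, 11, 'Cy')");
$session = ['csrf' => bin2hex(random_bytes(16))];
$requests = [
    ['POST', ['sid' => '2', 'cpid' => '10', 'csrf' => $session['csrf']]],        // well-formed
    ['POST', ['sid' => '3 OR 1=1', 'cpid' => '10', 'csrf' => $session['csrf']]], // sid is not an integer
    ['POST', ['sid' => '3', 'cpid' => '10', 'csrf' => $session['csrf']]],        // sid belongs to project 11
    ['GET',  ['sid' => '1', 'cpid' => '10', 'csrf' => $session['csrf']]],        // link-style request
    ['POST', ['sid' => '1', 'cpid' => '10', 'csrf' => 'guess']],                 // wrong token
];
foreach ($requests as [$method, $post]) {
    try {
        echo $method, ' sid=', $post['sid'], ' -> deleted ', delete_member($db, $method, $post, $session), "\n";
    } catch (Exception $e) {
        echo $method, ' sid=', $post['sid'], ' -> rejected: ', $e->getMessage(), "\n";
    }
}
echo 'rows left: ', $db->query('SELECT COUNT(*) FROM staff')->fetchColumn(), "\n";
```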