Mesaje recente

Members
Stats
  • Total Posts: 17786
  • Total Topics: 1234
  • Online Today: 10
  • Online Ever: 233
  • (26 June 2007, 07:28)
Users Online
Users: 0
Guests: 6
Total: 6

Author Topic: Sfaturi în php  (Read 1535 times)

0 Members and 1 Guest are viewing this topic.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Sfaturi în php
« on: 28 December 2007, 19:01 »
Salut. Am următorul cod dintr-un soft ERP.
Code: [Select]
[font=5]<?php

/* $Revision: 1.12 $ */

$PageSecurity 2;

include(&
#39;includes/session.inc&#39;);

$title _(&#39;Search Outstanding Purchase Orders&#39;);

include(&#39;includes/header.inc&#39;);


if (isset($_GET[&#39;SelectedStockItem&#39;])){
$SelectedStockItem=trim($_GET[&#39;SelectedStockItem&#39;]);
} elseif (isset($_POST[&#39;SelectedStockItem&#39;])){
$SelectedStockItem=trim($_POST[&#39;SelectedStockItem&#39;]);
}

if (isset(
$_GET[&#39;OrderNumber&#39;])){
$OrderNumber=trim($_GET[&#39;OrderNumber&#39;]);
} elseif (isset($_POST[&#39;OrderNumber&#39;])){
$OrderNumber=trim($_POST[&#39;OrderNumber&#39;]);
}

if (isset(
$_GET[&#39;SelectedSupplier&#39;])){
$SelectedSupplier=trim($_GET[&#39;SelectedSupplier&#39;]);
} elseif (isset($_POST[&#39;SelectedSupplier&#39;])){
$SelectedSupplier=trim($_POST[&#39;SelectedSupplier&#39;]);
}

echo &
#39;<FORM ACTION="&#39; . $_SERVER[&#39;PHP_SELF&#39;] . &#39;?&#39; . SID . &#39;" METHOD=POST>&#39;;


If ($_POST[&#39;ResetPart&#39;]){
     
unset($SelectedStockItem);
}

If (isset(
$OrderNumber) && $OrderNumber!=&#39;&#39;) {
if (!is_numeric($OrderNumber)){
  echo &#39;<BR><B>&#39; . _(&#39;The Order Number entered&#39;) . &#39; <U>&#39; . _(&#39;MUST&#39;) . &#39;</U> &#39; . _(&#39;be numeric&#39;) . &#39;.</B><BR>&#39;;
  unset ($OrderNumber);
} else {
echo _(&#39;Order Number&#39;) . &#39; - &#39; . $OrderNumber;
}
} else {
If ($SelectedSupplier) {
echo _(&#39;For supplier&#39;) . &#39;: &#39; . $SelectedSupplier . &#39; &#39; . _(&#39;and&#39;) . &#39; &#39;;
echo &#39;<input type=hidden name="SelectedSupplier" value=&#39; . $SelectedSupplier . &#39;>&#39;;
}
If ($SelectedStockItem) {
 echo _(&#39;for the part&#39;) . &#39;: &#39; . $SelectedStockItem . &#39; &#39; . _(&#39;and&#39;) . &#39; <input type=hidden name="SelectedStockItem" value="&#39; . $SelectedStockItem . &#39;">&#39;;
}
}

if (
$_POST[&#39;SearchParts&#39;]){

If ($_POST[&#39;Keywords&#39;] AND $_POST[&#39;StockCode&#39;]) {
echo _(&#39;Stock description keywords have been used in preference to the Stock code extract entered&#39;) . &#39;.&#39;;
}
If ($_POST[&#39;Keywords&#39;]) {
//insert wildcard characters in spaces
$i=0;
$SearchString = &#39;%&#39;;
while (strpos($_POST[&#39;Keywords&#39;], &#39; &#39;, $i)) {
$wrdlen=strpos($_POST[&#39;Keywords&#39;],&#39; &#39;,$i) - $i;
$SearchString=$SearchString substr($_POST[&#39;Keywords&#39;],$i,$wrdlen) . &#39;%&#39;;
$i=strpos($_POST[&#39;Keywords&#39;],&#39; &#39;,$i) +1;
}
$SearchString $SearchStringsubstr($_POST[&#39;Keywords&#39;],$i).&#39;%&#39;;

$SQL "SELECT stockmaster.stockid, 
stockmaster.description, 
SUM(locstock.quantity) AS qoh,  
stockmaster.units, 
SUM(purchorderdetails.quantityord-purchorderdetails.quantityrecd) AS qord 
FROM stockmaster INNER JOIN locstock 
ON stockmaster.stockid = locstock.stockid 
INNER JOIN purchorderdetails 
ON stockmaster.stockid=purchorderdetails.itemcode 
WHERE purchorderdetails.completed=0 
AND stockmaster.description " 
LIKE " &#39;$SearchString&#39; 
AND stockmaster.categoryid=&#39;" 
$_POST[&#39;StockCat&#39;] . "&#39; 
GROUP BY stockmaster.stockid
stockmaster.description
stockmaster.units 
ORDER BY stockmaster.stockid";


 } elseif (
$_POST[&#39;StockCode&#39;]){
$SQL = "SELECT stockmaster.stockid
stockmaster.description
SUM(locstock.quantity) AS qoh
SUM(purchorderdetails.quantityord-purchorderdetails.quantityrecd) AS qord
stockmaster.units 
FROM stockmaster INNER JOIN locstock 
ON stockmaster.stockid locstock.stockid 
INNER JOIN purchorderdetails 
ON stockmaster.stockid=purchorderdetails.itemcode 
WHERE purchorderdetails.completed=
AND stockmaster.stockid " . LIKE . " &#39;%" . $_POST[&#39;StockCode&#39;] . "%&#39; 
AND stockmaster.categoryid=&#39;" . $_POST[&#39;StockCat&#39;] . "&#39; 
GROUP BY stockmaster.stockid
stockmaster.description
stockmaster.units 
ORDER BY stockmaster.stockid";

 } elseif (!
$_POST[&#39;StockCode&#39;] AND !$_POST[&#39;Keywords&#39;]) {
$SQL = "SELECT stockmaster.stockid
stockmaster.description
SUM(locstock.quantity) AS qoh
stockmaster.units
SUM(purchorderdetails.quantityord-purchorderdetails.quantityrecd) AS qord 
FROM stockmaster INNER JOIN locstock 
ON stockmaster.stockid locstock.stockid 
INNER JOIN purchorderdetails 
ON stockmaster.stockid=purchorderdetails.itemcode 
WHERE purchorderdetails.completed=
AND stockmaster.categoryid=&#39;" . $_POST[&#39;StockCat&#39;] . "&#39; 
GROUP BY stockmaster.stockid
stockmaster.description
stockmaster.units 
ORDER BY stockmaster.stockid";
 }

$ErrMsg = _(&#39;No stock items were returned by the SQL because&#39;);
$DbgMsg = _(&#39;The SQL used to retrieve the searched parts was&#39;);
$StockItemsResult = DB_query($SQL,$db$ErrMsg$DbgMsg);
}


/* Not appropriate really to restrict search by date since user may miss older ouststanding orders
$OrdersAfterDate = Date("d/m/Y",Mktime(0,0,0,Date("m")-2,Date("d"),Date("Y")));
*/

if (
$OrderNumber==&#39;&#39; OR !isset($OrderNumber)){

echo _(&#39;order number&#39;) . &#39;: <INPUT type=text name="
OrderNumber" MAXLENGTH =8 SIZE=9>  &#39; . _(&#39;Into Stock Location&#39;) . &#39;:<SELECT name="StockLocation"> &#39;;
$sql = &#39;SELECT loccode, locationname FROM locations&#39;;
$resultStkLocs = DB_query($sql,$db);
while (
$myrow=DB_fetch_array($resultStkLocs)){
if (isset(
$_POST[&#39;StockLocation&#39;])){
if (
$myrow[&#39;loccode&#39;] == $_POST[&#39;StockLocation&#39;]){
echo &#39;<OPTION SELECTED Value="
&#39; . $myrow[&#39;loccode&#39;] . &#39;">&#39; . $myrow[&#39;locationname&#39;];
} else {
echo &#39;<OPTION Value="&#39; . $myrow[&#39;loccode&#39;] . &#39;">&#39; . $myrow[&#39;locationname&#39;];
}
} elseif ($myrow[&#39;loccode&#39;]== $_SESSION[&#39;UserStockLocation&#39;]){
echo &#39;<OPTION SELECTED Value="&#39; . $myrow[&#39;loccode&#39;] . &#39;">&#39; . $myrow[&#39;locationname&#39;];
} else {
echo &#39;<OPTION Value="&#39; . $myrow[&#39;loccode&#39;] . &#39;">&#39; . $myrow[&#39;locationname&#39;];
}
}

echo &#39;</SELECT>  <INPUT TYPE=SUBMIT NAME="SearchOrders" VALUE="&#39; . _(&#39;Search Purchase Orders&#39;) . &#39;">&#39;;
echo &#39;&nbsp;&nbsp;<a href="&#39; . $rootpath . &#39;/PO_Header.php?&#39; .SID . &#39;&NewOrder=Yes">&#39; . _(&#39;Add Purchase Order&#39;) . &#39;</a>&#39;;
}

$SQL=&#39;SELECT categoryid, categorydescription FROM stockcategory ORDER BY categorydescription&#39;;
$result1 DB_query($SQL,$db);

?>


<HR>
<FONT SIZE=1><?php echo _(&#39;To search for purchase orders for a specific part use the part selection facilities below&#39;); ?> </FONT>
<INPUT TYPE=SUBMIT NAME="SearchParts" VALUE="<?php echo _(&#39;Search Parts Now&#39;); ?>">
<INPUT TYPE=SUBMIT NAME="ResetPart" VALUE="<?php echo _(&#39;Show All&#39;); ?>">
<TABLE>
<TR>
<TD><FONT SIZE=1><?php echo _(&#39;Select a stock category&#39;); ?>:</FONT>
<SELECT NAME="StockCat">
<?php
while ($myrow1 DB_fetch_array($result1)) {
if ($myrow1[&#39;categoryid&#39;]==$_POST[&#39;StockCat&#39;]){
echo "<OPTION SELECTED VALUE=&#39;"$myrow1[&#39;categoryid&#39;] . "&#39;>" . $myrow1[&#39;categorydescription&#39;];
} else {
echo "<OPTION VALUE=&#39;"$myrow1[&#39;categoryid&#39;] . "&#39;>" . $myrow1[&#39;categorydescription&#39;];
}
}
?>

</SELECT>
<TD><FONT SIZE=1><?php echo _(&#39;Enter text extracts in the&#39;); ?>  <B><?php echo _(&#39;description&#39;); ?></B>:</FONT></TD>
<TD><INPUT TYPE="Text" NAME="Keywords" SIZE=20 MAXLENGTH=25></TD></TR>
<TR><TD></TD>
<TD><FONT SIZE 3><B><?php echo _(&#39;OR&#39;); ?> </B></FONT><FONT SIZE=1><?php echo _(&#39;Enter extract of the&#39;); ?> <B><?php echo _(&#39;Stock Code&#39;); ?></B>:</FONT></TD>
<TD><INPUT TYPE="Text" NAME="StockCode" SIZE=15 MAXLENGTH=18></TD>
</TR>
</TABLE>

<HR>

<?php

If ($StockItemsResult) {

echo &#39;<TABLE CELLPADDING=2 COLSPAN=7 BORDER=2>&#39;;
$TableHeader  &#39;<TR><TD class="tableheader">&#39; . _(&#39;Code&#39;) . &#39;</TD>
<TD class="tableheader">&#39; . _(&#39;Description&#39;) . &#39;</TD>
<TD class="tableheader">&#39; . _(&#39;On Hand&#39;) . &#39;</TD>
<TD class="tableheader">&#39; . _(&#39;Orders&#39;) . &#39;<BR>&#39; . _(&#39;Outstanding&#39;) . &#39;</TD>
<TD class="tableheader">&#39; . _(&#39;Units&#39;) . &#39;</TD>
</TR>&#39;;
echo $TableHeader;
$j 1;
$k=0//row colour counter

while ($myrow=DB_fetch_array($StockItemsResult)) {

if ($k==1){
echo &#39;<tr bgcolor="#CCCCCC">&#39;;
$k=0;
} else {
echo &#39;<tr bgcolor="#EEEEEE">&#39;;
$k=1;
}

printf("<td><INPUT TYPE=SUBMIT NAME=&#39;SelectedStockItem&#39; VALUE=&#39;%s&#39;</td>
        <td>%s</td>
<td ALIGN=RIGHT>%s</td>
<td ALIGN=RIGHT>%s</td>
<td>%s</td></tr>"
,
$myrow[&#39;stockid&#39;],
$myrow[&#39;description&#39;],
$myrow[&#39;qoh&#39;],
$myrow[&#39;qord&#39;],
$myrow[&#39;units&#39;]);

$j++;
If ($j == 12){
$j=1;
echo $TableHeader;
}
//end of page full new headings if
}
//end of while loop

echo &#39;</TABLE>&#39;;

}
//end if stock search results to show
  
else {

//figure out the SQL required from the inputs available

if (isset($OrderNumber) && $OrderNumber !=&#39;&#39;) {
$SQL = &#39;SELECT purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode,
SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
purchorderdetails,
suppliers
WHERE purchorders.orderno purchorderdetails.orderno
AND purchorders.supplierno suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorders.orderno=&#39;. $OrderNumber .&#39;
GROUP BY purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode&#39;;
} else {

      /* $DateAfterCriteria = FormatDateforSQL($OrdersAfterDate); */

if (isset($SelectedSupplier)) {

if (isset($SelectedStockItem)) {
$SQL "SELECT purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode,
SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
purchorderdetails,
suppliers
WHERE purchorders.orderno = purchorderdetails.orderno
AND purchorders.supplierno = suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorderdetails.itemcode=&#39;"
$SelectedStockItem ."&#39;
AND purchorders.supplierno=&#39;" 
$SelectedSupplier ."&#39;
AND purchorders.intostocklocation = &#39;"
$_POST[&#39;StockLocation&#39;] . "&#39;
GROUP BY purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode";
} else {
$SQL = "SELECT purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode,
SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
purchorderdetails,
suppliers
WHERE purchorders.orderno purchorderdetails.orderno
AND purchorders.supplierno suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorders.supplierno=&#39;" . $SelectedSupplier ."&#39;
AND purchorders.intostocklocation = &#39;". $_POST[&#39;StockLocation&#39;] . "&#39;
GROUP BY purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode";
}
} else { //no supplier selected
if (isset(
$SelectedStockItem)) {
$SQL = "SELECT purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode,
SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
purchorderdetails,
suppliers
WHERE purchorders.orderno purchorderdetails.orderno
AND purchorders.supplierno suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorderdetails.itemcode=&#39;". $SelectedStockItem ."&#39;
AND purchorders.intostocklocation = &#39;". $_POST[&#39;StockLocation&#39;] . "&#39;
GROUP BY purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode";
} else {
$SQL = "SELECT purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode,
SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
purchorderdetails,
suppliers
WHERE purchorders.orderno purchorderdetails.orderno
AND purchorders.supplierno suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorders.intostocklocation = &#39;". $_POST[&#39;StockLocation&#39;] . "&#39;
GROUP BY purchorders.orderno,
suppliers.suppname,
purchorders.orddate,
purchorders.initiator,
purchorders.requisitionno,
purchorders.allowprint,
suppliers.currcode";
}

} //end selected supplier
} //end not order number selected

$ErrMsg = _(&#39;No orders were returned by the SQL because&#39;);
$PurchOrdersResult = DB_query($SQL,$db,$ErrMsg);

/*show a table of the orders returned by the SQL */

echo &#39;<TABLE CELLPADDING=2 COLSPAN=7 WIDTH=100%>&#39;;
$TableHeader = &#39;<TR><TD class="tableheader">&#39; . _(&#39;Modify&#39;) .
               &#39;</TD><TD class="
tableheader">&#39; . _(&#39;Receive&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Print&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Supplier&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Currency&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Requisition&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Order Date&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Initiator&#39;) .
&#39;</TD><TD class="
tableheader">&#39; . _(&#39;Order Total&#39;) .
&#39;</TD></TR>&#39;;
echo 
$TableHeader;
$j = 1;
$k=0; //row colour counter
while (
$myrow=DB_fetch_array($PurchOrdersResult)) {


if (
$k==1){ /*alternate bgcolour of row for highlighting */
echo &#39;<tr bgcolor="
#CCCCCC">&#39;;
$k=0;
} else {
echo &#39;<tr bgcolor="#EEEEEE">&#39;;
$k++;
}

$ModifyPage $rootpath "/PO_Header.php?" SID "ModifyOrderNumber=" $myrow["orderno"];
$ReceiveOrder $rootpath "/GoodsReceived.php?" SID "PONumber=" $myrow["orderno"];
if ($myrow["allowprint"]==1){
$PrintPurchOrder = &#39;<A target="_blank" HREF="&#39; . $rootpath . &#39;/PO_PDFPurchOrder.php?&#39; . SID . &#39;OrderNo=&#39; . $myrow[&#39;orderno&#39;] . &#39;">&#39; . _(&#39;Print Now&#39;) . &#39;</A>&#39;;
} else {
$PrintPurchOrder = &#39;<FONT COLOR=GREY>&#39; . _(&#39;Printed&#39;) . &#39;</FONT>&#39;;
}
$FormatedOrderDate ConvertSQLDate($myrow[&#39;orddate&#39;]);
$FormatedOrderValue number_format($myrow[&#39;ordervalue&#39;],2);

printf("<td><A HREF=&#39;%s&#39;>%s</A></FONT></td>
        <td><A HREF=&#39;%s&#39;>" 
_(&#39;Receive&#39;) . "</A></td>
<td>%s</td>
<td>%s</td>
<td>%s</FONT></td>
<td>%s</FONT></td>
<td>%s</FONT></td>
<td>%s</FONT></td>
<td ALIGN=RIGHT>%s</FONT></td>
</tr>",
$ModifyPage,
$myrow[&#39;orderno&#39;],
$ReceiveOrder,
$PrintPurchOrder,
$myrow[&#39;suppname&#39;],
$myrow[&#39;currcode&#39;],
$myrow[&#39;requisitionno&#39;],
$FormatedOrderDate,
$myrow[&#39;initiator&#39;],
$FormatedOrderValue);

$j++;
If (
$j == 12){
$j=1;
 echo 
$TableHeader;
}
//end of page full new headings if
}
//end of while loop

echo &#39;</TABLE>&#39;;
}

echo &#39;</form>&#39;;
include(&#39;includes/footer.inc&#39;);
?>

[/font]

Pe lângă faptul că poate căuta o comandă către furnizor după număr sau după denumirea produselor pe care le conţine aş vrea să adaug căutarea după furnizor. Am văzut că în cod se găseşte ceva şi în legătură cu selectarea furnizorului dar din păcate asta se face automat.
Am adăugat pe lângă If ($_POST['Keywords']) (căutarea după o porţiune din denumirea produsului) şi elseif ($_POST['StockCode']) şi un elseif care să caute după numele furnizorului gen elseif ($_POST['SupplierName']) dar e clar că nu e de-ajuns. Cel puţin a devenit clar când am încercat să rulez scriptul şi a dat eroare  ;;) şi după m-am uitat mai bine prin cod. 
Trebuie să menţionez că sunt novice în php aşa că dacă soluţia e prea complexă spuneţi-mi să ştiu să caut pe cineva care să rezolve problema.
Mulţumesc anticipat.

Offline Praetor

  • Green,bad and (not so) ugly ogre
  • Membru
  • ***
  • Posts: 142
  • Cookies: 12
Re: Sfaturi în php
« Reply #1 on: 30 December 2007, 19:32 »
E o gramada de cod acolo, ai putea sa izolezi un pic? Adica sa fie doar ce-ai adaugat tu + poate sql-ul relevant.


Side note: codul ala e plin de gauri la sql injection.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #2 on: 31 December 2007, 14:32 »
Ok. Let's see.
La început am adăugat câmpul de căutare după numele furnizorului:
Code: [Select]
<TD><FONT SIZE=1><?php echo _(&#39;Enter text extracts in the&#39;); ?>  <B><?php echo _(&#39;description&#39;); ?></B>:</FONT></TD>
<TD><INPUT TYPE="Text" NAME="Keywords" SIZE=20 MAXLENGTH=25></TD></TR>
<TR><TD></TD>
<TD><FONT SIZE 3><B><?php echo _(&#39;OR&#39;); ?> </B></FONT><FONT SIZE=1><?php echo _(&#39;Enter extract of the&#39;); ?> <B><?php echo _(&#39;Stock Code&#39;); ?></B>:</FONT></TD>
<TD><INPUT TYPE="Text" NAME="StockCode" SIZE=15 MAXLENGTH=18></TD></TR>
//Partea introdusă de mine
<TR><TD></TD>
<TD><FONT SIZE=1><?php echo _(&#39;Enter extract of the&#39;); ?> <B><?php echo _(&#39;Supplier Name&#39;); ?></B>:</FONT></TD>
<TD><INPUT TYPE="Text" NAME="SupplierName" SIZE=20 MAXLENGTH=25></TD></TR>
</TABLE>

Apoi am adăugat la criteriile de căutare şi SupplierName sau cel puţin am încercat:
Code: (php) [Select]
if ($_POST['SearchParts']){

If ($_POST['Keywords'] AND $_POST['StockCode']) {
echo _('Stock description keywords have been used in preference to the Stock code extract entered') . '.';
//Căutarea după cuvinte cheie din numele produsului
           If ($_POST['Keywords']) {
//insert wildcard characters in spaces
$i=0;
$SearchString = '%';
while (strpos($_POST['Keywords'], ' ', $i)) {
$wrdlen=strpos($_POST['Keywords'],' ',$i) - $i;
$SearchString=$SearchString . substr($_POST['Keywords'],$i,$wrdlen) . '%';
$i=strpos($_POST['Keywords'],' ',$i) +1;
}
$SearchString = $SearchString. substr($_POST['Keywords'],$i).'%';
                     
                       $SQL = "SELECT stockmaster.stockid,
stockmaster.description,
SUM(locstock.quantity) AS qoh, 
stockmaster.units,
SUM(purchorderdetails.quantityord-purchorderdetails.quantityrecd) AS qord
FROM stockmaster INNER JOIN locstock
ON stockmaster.stockid = locstock.stockid
INNER JOIN purchorderdetails
ON stockmaster.stockid=purchorderdetails.itemcode
WHERE purchorderdetails.completed=0
AND stockmaster.description " . LIKE . " '$SearchString'
AND stockmaster.categoryid='" . $_POST['StockCat'] . "'
GROUP BY stockmaster.stockid,
stockmaster.description,
stockmaster.units
ORDER BY stockmaster.stockid";
//Căutarea după codul produsului. Nu mai pun SQL query pentru că e aproape aceeaşi cu cea de mai sus.
             } elseif ($_POST['StockCode']){
//sql query ...
//Partea adăugată de mine
             } elseif ($_POST['SupplierName']{

                $SQL = "SELECT purchorders.orderno,
     suppliers.suppname,
     purchorders.orddate,
     purchorders.initiator,
     purchorders.requisitionno,
     purchorders.allowprint,
     suppliers.currcode,
     SUM(purchorderdetails.unitprice*purchorderdetails.quantityord) AS ordervalue
FROM purchorders,
     purchorderdetails,
     suppliers
WHERE purchorders.orderno = purchorderdetails.orderno
AND purchorders.supplierno = suppliers.supplierid
AND purchorderdetails.completed=0
AND purchorders.supplierno='" . $SupplierName ."'
AND purchorders.intostocklocation = '". $_POST['StockLocation'] . "'
GROUP BY purchorders.orderno,
      suppliers.suppname,
      purchorders.orddate,
      purchorders.initiator,
      purchorders.requisitionno,
      purchorders.allowprint,
      suppliers.currcode";
             }
   
Sunt aproape sigur că mai trebuie să adaug cod dar nu ştiu exact ce şi cum.

Offline Praetor

  • Green,bad and (not so) ugly ogre
  • Membru
  • ***
  • Posts: 142
  • Cookies: 12
Re: Sfaturi în php
« Reply #3 on: 31 December 2007, 16:41 »
Ai o paranteza lipsa aici
Code: ("php") [Select]
elseif ($_POST['SupplierName'])

variabile aia e definita?
Code: ("php") [Select]
//ar trebui
$SupplierName= mysql_real_escape_string($_POST['SupplierName']);
// end
AND purchorders.supplierno='" . $SupplierName ."'

Ca fapt divers, ORICE intra in compozitia unui SQL query trebuie facut escape la inputul venit de a user. Deci sa pui direct din  $_GET sau $_POST e o mare buba.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #4 on: 01 January 2008, 00:11 »
E interesant ca spui de vulnerabilitatile astea pentru ca programul nu e scris de mine ci de un englez si un neamt (banuiesc dupa numele lor). E un proiect opensource ce se cheama WebErp si care e folosit de ceva lume. Poate s-au gandit ca utilizatorii companiei care vor folosi acest soft nu au cunostinte destul de avansate pentru asemenea intruziuni. E un program destinat uzului intern si nu accesului din exterior.
In orice caz ai dreptate. Nu poti fi niciodata prea prudent.
Multumesc pentru ajutor. Revin dupa ce testez scriptul.
Si va urez si La multi ani daca tot se apropie ora. :) :drink:

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #5 on: 04 January 2008, 11:09 »
Nu merge şi ştiu de ce. Căutarea după numele sau codul produsului afişează anumite câmpuri din comandă iar cea după furnizor trebuie să afişeze mai multe.
Văd eu ce soluţie găsesc.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #6 on: 16 January 2008, 19:38 »
Salut. Revin cu o nouă întrebare de noob.
Am un script care afişează un calendar (pus la ataşamente) pe care îl folosesc pentru a introduce data expirării unui produs. Codul folosit pentr a-l afişa este:
Code: [Select]
echo "<TR><TD><script>DateInput('expdate', true, 'DD/MON/YYYY')</script></TD>";unde DateInput este numele scriptului ce afişează calendarul iar 'expdate' este "Name of the hidden form element to store the selected, formatted date". Data expirării trebuie adăugată la un array ($Bundle) ce conţine toate informaţiile despre produsul respectiv.
Partea la care vă cer ajutorul este cea în care trebuie să adaug valoarea lui 'expdate' în arrayul respectiv.
Mulţumesc anticipat!

Offline Praetor

  • Green,bad and (not so) ugly ogre
  • Membru
  • ***
  • Posts: 142
  • Cookies: 12
Re: Sfaturi în php
« Reply #7 on: 16 January 2008, 19:41 »
Ai dat prea putine date. banuiesc ca vrei la submit sa se adauge data aleasa intr-un array de php.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #8 on: 16 January 2008, 21:04 »
Da. E vorba de acelaşi soft de care am vorbit şi până acum. Există unele produse care vin în loturi (batch/roll/bundle) şi care au anumite trăsături (nr. lotului, cantitate, data expirării). Aşa arată scriptul care preia informaţiile introduse de utilizator (nu ştiu exact care din cele două statements):
Code: (php) [Select]
if ($EditControlled){
foreach ($LineItem->SerialItems as $Bundle){

        echo "<TR><TD><script>DateInput('expdate', true, 'DD/MON/YYYY')</script></TD>";   

echo '<TR><TD valign=top><input type=text name="SerialNo'. $StartAddingAt .'"
value="'.$Bundle->BundleRef.'" size=21  maxlength=20></TD>';

/*if the item is controlled not serialised - batch quantity required so just enter bundle refs
into the form for entry of quantites manually */

if ($LineItem->Serialised==1){
echo '<input type=hidden name="Qty' . $StartAddingAt .'" Value=1></TR>';
} else {
echo '<TD><input type=text name="Qty' . $StartAddingAt .'" size=11
value="'. number_format($Bundle->BundleQty, $LineItem->DecimalPlaces). '" maxlength=10></TR>';
}

$StartAddingAt++;
}
}

for ($i=0;$i < 10;$i++){

echo "<TR><TD><script>DateInput('expdate', true, 'DD/MON/YYYY')</script></TD>";

echo '<TD valign=top><input type=text name="SerialNo'. ($StartAddingAt+$i) .'" size=21  maxlength=20></TD>';

/*if the item is controlled not serialised - batch quantity required so just enter bundle refs
into the form for entry of quantites manually */

if ($LineItem->Serialised==1){
echo '<input type=hidden name="Qty' . ($StartAddingAt+$i) .'" Value=1></TR>';
} else {
echo '<TD valign=top><input type=text name="Qty' . ($StartAddingAt+$i) .'" size=11  maxlength=10></TR>';
}
}
Designul iniţial avea doar două trăsături (numele lotului şi cantitatea) iar eu vreau să adaug data expirării. Din ce am observat e un array - $Bundle - care conţine acele trăsături, trăsături ale căror valori sunt preluate de cheile BundleRef şi BundleQty. Mă gândeam că pentru data expirării trebuie să adaug array-ului cheia BundleExpDate care să preia cumva valoarea acelui 'expdate'.
Şi ăsta e unul din locurile unde m-am împotmolit.

Aşa arată pagina cu câmpurile ce trebuie completate.

Offline lucas21

  • Optimistul
  • Junior
  • **
  • Posts: 69
  • Cookies: 4
Re: Sfaturi în php
« Reply #9 on: 21 January 2008, 22:12 »
Am rezolvat problema oarecum. Nu era un array ci un obiect de fapt iar valoarea calendarului se prelua cu un simplu formular.