Click here to Skip to main content
15,845,273 members
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
I have two table add_batch and assign_student

By using while loop I display all subject of add_batch table with a static button below all subject.

Now I want to create button in such a way that from assign_student table if student with respect course status is Approved then Approved button will appear and if status is pending then Pending Button will appear.



Please programmers reply as soon as possible. Help me please

What I have tried:

<?php
include 'connect.php';
session_start();
$id=$_SESSION['id']; 

?>

<!DOCTYPE html>
<html lang="en">
<!-- BEGIN HEAD -->
<head>
<?php include 'head.php';?>
<head/>
 <!-- END HEAD -->
<body class="page-header-fixed sidemenu-closed-hidelogo page-content-white page-md header-white white-sidebar-color logo-indigo">
    <div class="page-wrapper">
        <!-- start header -->
        <div class="page-header navbar navbar-fixed-top">
           <?php include 'header.php';?>

        </div>
        <!-- end header --> 
        <!-- start page container -->
        <div class="page-container">
            <!-- start sidebar menu -->
            <?php include 'menu.php';?>
            <!-- end sidebar menu --> 
            <!-- start page content -->
            <div class="page-content-wrapper">
                <div class="page-content-wrapper">
                <div class="page-content">
                    <div class="page-bar">
                         <?php include './breadcrumb.php';?>
                    </div>
                     
		            <div class="row clearfix">

                    <?php

                    if(isset($_POST['submit']))
					{


						$branch_id = mysqli_real_escape_string($conn, $_POST['branch_id']);
						$institute_id = mysqli_real_escape_string($conn, $_POST['institute_id']);
						

						$res=mysqli_query($conn, "SELECT * FROM add_batch WHERE branch_id='$branch_id' && institute_id='$institute_id'");

						$product_count = mysqli_num_rows ($res);

						$course_id = $row['course_id'];
						if ($product_count > 0) {
                      
                      		
								
									while ($row=mysqli_fetch_array($res)) {


						
										?>

									<div class="col-md-6 col-sm-6">
	                        	<form method="POST" action="student.php?page=subscribecourse">
				                        <div class="card">
				                            <div class="panel-body">
				                            	
				                                <h3><?php echo $row['course_name']; ?></h3>

				                                <input type="hidden" name="student_name" value="<?php echo $s_name; ?>">
				                               <input type="hidden" name="institute_id" value="<?php echo $row['institute_id']; ?>">
				                               
				                               <input type="hidden" name="branch_id" value="<?php echo $row['branch_id']; ?>">
				                               
				                               <input type="hidden" name="batch_id" value="<?php echo $batch_id; ?>">
				                               
				                               <input type="hidden" name="course_id" value="<?php echo $course_id; ?>">
				                                 <input type="hidden" name="course_name" value="<?php echo $row['course_name']; ?>">

				                               <input type="hidden" name="student_id" value="<?php echo $s_id; ?>">
				                                <?php

				                                $res1=mysqli_query($conn, "SELECT * FROM assign_student WHERE branch_id='".$branch_id."'");
				                              #$row1=mysqli_fetch_array($res1);
				                               
				                                while ($row1=mysqli_fetch_array($res1)) {

				                               
				                                	if (($course_id == $row1['course_id']) && ($row1['status'] == 'Approved')) {
				                                		# code...
				                                		echo "<button class='btn-button default' type='submit' name='submit'>Taken</button>";
				                                	}
				                                	else
				                                	{
				                                		echo "<button class='btn-button default' type='submit' name='subscribe'>Not Taken</button>";
				                                	}
				                                	
				                               }

				                                ?>
				                              
				                                
				                                
				                           </div>
				                        </div>
				                         </form>
				                    </div>

									<?php

									}
									
								



                      }
                       else
                      {
                      	?>
                      		<div class="col-md-12 col-sm-12">
	                        	
		                        <div class="card">
		                            <div class="panel-body">
		                            	<h3>Sorry! No course found in this branch</h3>
		                            </div>
		                        </div>
		                    </div>
                      	<?php
                      }

					}
			                   
                    
                ?>
                </div>
                </div>
            
                <!-- end page content -->
                 
            </div>
            </div>
            <!-- end page content -->
          
        </div>
        <!-- end page container -->
        <!-- start footer -->  
        <?php include './footer.php';?>
Posted
Updated 5-Jun-18 10:03am
Comments
Member 13812021 5-Jun-18 12:04pm    
When they select a coarse what is taking place? Is there a table with courses that are with associated user? Meaning is there a course table, user table, and then a UserCourses table? Or is there a User table, coarse table, UserToCourse Table?
Member 13783315 6-Jun-18 0:32am    
course table, user table and UserCourse table

1 solution

Escaping user input do not prevent SQL injection:
PHP
$branch_id = mysqli_real_escape_string($conn, $_POST['branch_id']);
$institute_id = mysqli_real_escape_string($conn, $_POST['institute_id']);
$res=mysqli_query($conn, "SELECT * FROM add_batch WHERE branch_id='$branch_id' && institute_id='$institute_id'");

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
 
Share this answer
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900