Merge branch 'master' of gitlab.doc.gold.ac.uk:jbowe021/record-stor

addded data normalisation/validation

Merge branch 'master' of gitlab.doc.gold.ac.uk:jbowe021/record-stor
addded data normalisation/validation
412a4f73 · Jasper Bower · 3ccbe3b4 · e7db9afc · 412a4f73 · 412a4f73
Commit 412a4f73 authored 9 years ago by Jasper Bower
--- a/sql/record-store.sql
+++ b/sql/record-store.sql
@@ -59,6 +59,7 @@ CREATE TABLE orderline (
 	ON DELETE CASCADE
 ) ENGINE=InnoDB;

+<<<<<<< HEAD
 CREATE TABLE inventory (
 	stock INT unsigned DEFAULT 0,
 	record_ean CHAR(8),
@@ -66,3 +67,5 @@ CREATE TABLE inventory (
 	FOREIGN KEY (record_ean)
 		REFERENCES record (ean)
 ) ENGINE=InnoDB;
+=======
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029
--- a/views/add-record-insecure.php
+++ b/views/add-record-insecure.php
 <?php

+<<<<<<< HEAD
 $content = "<h1>Add record to database</h1>";
+=======
+$content = "<h1>Add a record</h1>";
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029

 $action = $_SERVER["PHP_SELF"]."?page=add-record";


--- a/views/add-record.php
+++ b/views/add-record.php
 <?php

+<<<<<<< HEAD
 $content = "<h1>Add record to database</h1>";
+=======
+$content = "<h1>Add a record</h1>";
+
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029
 $action = htmlspecialchars($_SERVER["PHP_SELF"]."?page=add-record");

 $sql = "SELECT id, first_name, last_name 
        FROM artist
+<<<<<<< HEAD
        ORDER BY last_name";
+=======
+	    ORDER BY last_name";
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029

 $result = mysqli_query($link, $sql);

@@ -21,10 +30,17 @@ if ($result === false) {
 }

 $form_html = "<form action='".$action."' method='POST'>
+<<<<<<< HEAD
        <fieldset>
            <label for='ean'>EAN (required):</label>
            <input type='text' name='ean'/>
        </fieldset>
+=======
+		<fieldset>
+		    <label for='ean'>EAN (required):</label>
+		    <input type='text' name='ean'/>
+		</fieldset>
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029
                <fieldset>
                    <label for='title'>Title:</label>
                    <input type='text' name='title' />
@@ -49,10 +65,13 @@ $form_html = "<form action='".$action."' method='POST'>
                    <label for='price'>Price (&pound;):</label>
                    <input type='text' name='price' placeholder='00.00' />
                </fieldset>
+<<<<<<< HEAD
                <fieldset>
                    <label for='price'>Stock:</label>
                    <input type='text' name='stock' placeholder='0' />
                </fieldset>
+=======
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029
                <button type='submit'>Submit</button>
              </form>";

@@ -61,6 +80,7 @@ $content .= $form_html;
 function clean_input($data) {
  $data = trim($data); 
  $data = stripslashes($data); 
+<<<<<<< HEAD
  $data = htmlspecialchars($data); 
  return $data;
 }
@@ -95,4 +115,34 @@ if ($_SERVER["REQUEST_METHOD"] == "POST") {

    }
    echo($content);
+=======
+  $data = htmlspecialchars($data);
+  return $data;
+}
+
+$title = $artist_id = $price = $year = $genre = "";
+
+if ($_SERVER["REQUEST_METHOD"] == "POST") {
+	$ean = mysqli_real_escape_string($link, clean_input($_POST["ean"]));
+	$title =  mysqli_real_escape_string($link, clean_input($_POST["title"]));
+	$artist_id =  mysqli_real_escape_string($link, clean_input($_POST["artist_id"]);
+	$genre =  mysqli_real_escape_string($link, clean_input($_POST["genre"]));
+	$year =  mysqli_real_escape_string($link, clean_input($_POST["year"]));
+	$price =  mysqli_real_escape_string($link, clean_input($_POST["price"]));
+
+	$sql = sprintf("INSERT INTO record (ean, title, artist_id, genre, year, price)
+		VALUES ('%s', '%s', %d, '%s', %d, %f)", $ean, $title, $artist_id, $genre, $year, $price);
+
+	$result = mysqli_query($link, $sql);
+
+	if ($result === false) {
+		echo mysqli_error($link);
+	} else {
+		$content .= "Record successfully added to database.";
+	}
+
+    }
+    echo($content);
+
+>>>>>>> e7db9afc323b6d2b95a066ca0f999896d2b00029
 ?>