php code within value

[dcr33]

Hi
I can't understand the following code

HTML Code:

<input type="text" name="eid" value="<?php echo $eid ?>" />

at line 12 in the following program-
emp_search.php

PHP Code:

<html>
<head>
<title>Search Application</title>
<!-- Program to accept an employee id from user & show the emp name & salary.If user given emp id doesn't exist in the table,then the program should display proper message -->
</head>
<body>
<center>
<form action="emp_search.php" method="post">
Employee ID<input type="text" name="eid" value="<?php echo $eid ?>" />
<input type="submit" value="search" />
</form>
<?php
$eid=$_REQUEST['eid'];

if(isset($eid))
{
echo "<hr>";
$host="localhost";
$user="root";
$passwd="";
$con=mysql_connect($host,$user,$passwd);
if(!$con)
{
die('Error:'.mysql_error());
}
mysql_select_db('db1',$con)
 or die('Error:'.mysql_error());
$sql="select ename,salary from emp where emp_id='$eid'";
$result=mysql_query($sql,$con);
if($rec=mysql_fetch_array($result))
{
$enm=$rec[0];
$sal=$rec['salary'];
echo "Employee Name:$enm <br/>" ;
echo "Monthly Salary:$sal <br/>" ;
}
else
{
echo " $eid is an Invalid Employee ID <br/>";
}
mysql_close($con);
}
?>
</center>
</body>
</html>

Why do we use

PHP Code:

echo $eid 


instead of giving any value ?
e.g. we could have written -

HTML Code:

Employee ID<input type="text" name="eid" value="Hello World" />

instead of -

HTML Code:

Employee ID<input type="text" name="eid" value="<?php echo $eid ?>" />

I find that there is no change in output if I change "<?php echo $eid ?>" to " Hi" or "Hello World" etc etc.
Then why the author of this program used that line of code?
Please can anyone explain to me ?

[henda]

In response to you're question. There can be many reasons why we use a variable for an input's value, over a hard coded value.

The problem in understanding is the example you provided is a poor example of a program and has many issues with it.

The input is using an undeclared variable. Unless there is a value assigned to $eid before it is displayed/used then the results are not going to be as desired.

For this reason I'd suggest removing the following code:

PHP Code:

$eid=$_REQUEST['eid']; 


from line 13 and placing it somewhere before your form. (Don't forget to wrap it with opening and closing PHP tags)

Then i'd suggest filtering/validating this variable as it involves a user input communicating with the database. Unvalidated/filtered input is dangerous, any and every piece of user input that is passed to the database should be validated to prevent SQL injection.

For this reason we may want to assign a dynamic value '$eid' to the input value. Lets say our user mistypes the input in the field for whatever reason and it doesnt return the desired result. Setting the form input value to that of which was previously submited is useful in that if it's only say the last character which was incorrect. The end user would only have to change 1 character as opposed to retyping the whole thing.

To be honest there are too many reasons one may do so to explain. It all depends on the application's requirements and the authors intentions. Using harcoded values is something I always try to avoid where possible.

Anyways I had a little tidy up of the code example you provided and hope you are better able to understand it now.

PHP Code:

<?php
/* you may wish to change $_REQUEST to post it's entirely up to you 
 * if the request is made store the data in a variable safely
 * using $_REQUEST by default returns the value of $_POST $_GET and $_COOKIE
 **/
if(isset($_REQUEST['eid'])) $eid = addslashes($_REQUEST['eid']);
?>
<html>
<head>
<title>Search Application</title>
</head>
<body>
<center>
<form action="emp_search.php" method="post" enctype="multipart/form-data">
Employee ID<input type="text" name="eid" value="<?php echo $eid ?>" />
<input type="submit" value="search" />
</form>
<?php

if(isset($eid)){
    echo "<hr>";
    $host="localhost";
    $user="root";
    $passwd="";
    if(!mysql_connect($host,$user,$passwd)) die('Error:'.mysql_error()); 
    
    mysql_select_db('db1',$con) or die('Error:'.mysql_error());
    
    $sql="select ename,salary from emp where emp_id='$eid'";
    
    $result=mysql_query($sql,$con);
    
    if($rec=mysql_fetch_array($result)) {
        $enm=$rec[0];
        $sal=$rec['salary'];
        echo "Employee Name:".$enm."<br/>" ;
        echo "Monthly Salary:".$sal."<br/>" ;
    }
    else echo " $eid is an Invalid Employee ID <br/>";
    
    mysql_close($con);
}
?>
</center>
</body>
</html>

If you are using this program in a production environment i'd strongly discourage it. I can't imagine any employee would be to happy about information/data regarding their salary being presented in such a weak/unsecure application.

Try taking a look at W3 Schools theres a good selection of PHP beginner stuff in there that should answer allot of your problems.

Hope this helps answer your question.

[dcr33]

I couldn't understand what you said.
Can you pls elucidate?
You didn't answer my query. If it is already set in $_REQUEST then why we use it again?

[henda]

I've edited my previous post to explain in more depth. Let me know if you still do not understand and i'll do my best to help you.

[traq]

If your question is why you might want to print a variable in that field (instead of simply writing the actual value), the answer (as henda described) is that it allows you to dynamically pass different values as needed.

If that's not your question, please elaborate.

...Try taking a look at W3 Schools theres a good selection of PHP beginner stuff in there that should answer allot of your problems.

I would recommend the opposite - w3schools is a poor resource for web design in general, and php specifically (more).

I highly recommend visiting PHP's official site for info about the language.

[henda]

I would recommend the opposite - w3schools is a poor resource for web design in general, and php specifically (more).

I highly recommend visiting PHP's official site for info about the language.

I used W3Schools back when I was learning the basics. The only real misconceptions regarding PHP there is the security risk involved, when not filtering/validating data in mysql queries and file uploads. That and allot of php's features arent explained in W3Schools.

For people with no background knowledge in programming, PHP.net can appear quite daunting at first.
Which is why I usually recomend W3Schools for the really simple stuff when starting out. As it's spoon fed to the user in a really simple manor. For explaining something as simple as variables it's not really a problem. But i see where you're coming from.

Ultimately PHP's official site will always be the number 1 resource for anything PHP related in terms of accuracy.

[dcr33]

Dear Henda,
I got ur point. But that was not my question.
I asked "why we are using <?php echo $eid ?> inside value?
Can you answer me that properly?

[traq]

...I asked "why we are using <?php echo $eid ?> inside value?
Can you answer me that properly?

see my post above. please elaborate (what is it, exactly, that you don't understand?).

[henda]

Dear Henda,
I got ur point. But that was not my question.
I asked "why we are using <?php echo $eid ?> inside value?
Can you answer me that properly?

To set the default value of a field, to whatever value $eid is.
There are far too many reasons to list why one might set the value of an input to something dynamic using PHP. The main reason being it will nearly always make your life easier working with the script.

[dcr33]

What you all mean by dynamic?
I think it makes the form 'sticky' i.e. as soon you place the cursor in the textbox a pop-up window pops up saying ur employee id($eid). Isn't it?