Member Avatar for blueguy777

my actual code is:

$agent_id=mysql_real_escape_string($_GET['memberid']);

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");
$row = mysql_fetch_array($result);
$ac_number=$row['ac_no'];
$agent_name=$row['agent_name'];
?>
<?php 
$b = array(000350,000400,000450); //pre-defined installment amount values
$replacement = "000000";
$cust_mast = '$C21';
$bank_name = 'KISAN SWARAJ';
$dfile = "READ ME CUSTOMERS.txt";
$fo = fopen($dfile, 'w') or die("can't open file");
$stringData1 =str_pad($cust_mast, 0, STR_PAD_LEFT).",".str_pad($bank_name, 20, ' ',STR_PAD_RIGHT).",".str_pad($agent_id, 2, STR_PAD_LEFT).",".str_pad($agent_name, 24, ' ',STR_PAD_RIGHT).","."123456".",".str_pad('123456', 69, ' ', STR_PAD_RIGHT)."@"."\r\n";
fwrite($fo, $stringData1);

$select = mysql_query("SELECT ac_no, cust_name, GROUP_CONCAT(install_amt SEPARATOR ',') as installamt FROM ankali_slabpay  WHERE agent_id=$agent_id GROUP BY ac_no");
$e=array();
$inst_result=array();
while($row1 = mysql_fetch_assoc($select)){
$e[] = $row1['installamt'];
$a=implode(",",$e);

$i=0;
foreach($b as $k=>$v)
{
    if($v==$a[$i])
    {
        $b[$k]='000000'; //replace with 000000 if both values are same i.e. $b == $a
    }
    $i++;
}
$arr2=implode(",",$b);

$stringData2=str_pad($row1['ac_no'], 4, '0', STR_PAD_LEFT).",".str_pad($row1['cust_name'],20, ' ', STR_PAD_RIGHT). ",".$arr2."@"."\r\n";
fwrite($fo, $stringData2);
}
$stringData3="";
fwrite($fo, $stringData3);
fclose($fo);
header("Content-Disposition: attachment; filename=$dfile");
header("Content-Type: application/octet-stream; "); 
readfile($dfile);

the output should be:

$C21,KISAN SWARAJ        ,10,ROBERT                  ,123456,123456                      @
0001,MICHAEL             ,000000,000400,000450@
0005,KIM                 ,000350,000400,000450@
Edited by blueguy777 because: mistaken in title
  • 2 Contributors
  • 2 Replies
  • 126 Views
  • 55 Minutes Discussion Span
  • Latest Post Latest Post by blueguy777

Recommended Answers

All 2 Replies

Member Avatar for tpunt

Could you also post what the output actually is at the moment? That should help myself and others to find out where you're going wrong easier.

What I will comment on within your code though is that your use of mysql_real_escape_string() (MRES) is nugatory. The MRES function was designed to escape quotes (both single and double) and backslashes. Because you aren't encasing the $agent_id variable within either of these quotes within your query, SQL code can be directly entered into the query and it will not be treated as a harmless string - it will be executed against your database. To avoid this problem, you can validate the $agent_id variable prior to using it within your query, perhaps through type-casting it to an integer:

<?php
$clean['id'] = (int) $_GET['memberid'];

$result = mysql_query("SELECT id,ac_no,agent_name FROM ankali_slabpay WHERE agent_id=$agent_id ORDER BY id DESC LIMIT 1");

You should also eschew using the original mysql extension since it has been deprecated as of PHP 5.5.0.

Member Avatar for blueguy777

the output is:

$C21,KISAN SWARAJ        ,10,ROBERT               ,123456,123456       @
0001,MICHAEL             ,232,256,296@
0005,KIM                 ,232,256,296@
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.