
I have a function that gets the value of a select menu and this works great. But I am trying to add another value to the function. So I thought I would use the title attribute for option (please see code below). The problem is the username parameter in my JavaScript function is undefined.

Does anybody have any ideas of what I'm doing wrong?

FORM

<form action="">
    <select id="acyear" name="acyear" onchange="showyearlogdays(this.value, this.title)">
        <option value="" label="">- Year -</option>
<?php
// Builds one <option> per academic year the employee has entitlement rows for
$is_business_result = mysql_query('SELECT DISTINCT(academic_year) FROM holiday_entitlement_business_manual WHERE employee = \'' . $username . '\'');

while ($acyear_filter = mysql_fetch_array($is_business_result)) {
    // The username is carried along in the option's title attribute
    echo '<option value="' . $acyear_filter['academic_year'] . '" title="' . $username . '"';

    // academic_year is stored as YYYYMM; months before August belong to the previous academic year
    $datestr     = $acyear_filter['academic_year'];
    $currentyear = substr($datestr, 0, 4);

    if (intval(substr($datestr, 4, 2)) < 8) {
        $ayear = ($currentyear - 1) . '/' . $currentyear;
    } else {
        $ayear = $currentyear . '/' . ($currentyear + 1);
    }
    echo '>';
    echo $ayear;
    echo '</option>';
}
?>
    </select>
</form>

JavaScript

function showyearlogdays(str, username)
{
    var xmlhttp;
    if (str == "")
    {
        document.getElementById("txtHint").innerHTML = "";
        return;
    }
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            document.getElementById("txtHint").innerHTML = xmlhttp.responseText;
        }
    };
    // Encode both values so a username or year containing &, # or spaces cannot break the query string
    xmlhttp.open("GET", "days_yearlog.php?username=" + encodeURIComponent(username) + "&q=" + encodeURIComponent(str), true);
    xmlhttp.send();
}
  • Using `mysql_query` and concatenating an unquoted string like that is a potential bug and security issue. Please use parameter binding instead. – Martijn Aug 16 '12 at 15:55
  • @Martijn I think that the OP will find it more helpful if you explain what you are saying. – starbeamrainbowlabs Aug 16 '12 at 16:15
  • 1
    @starbeamrainbowlabs: Read this page about [protecting MySQL from SQL injection attacks](http://simon.net.nz/articles/protecting-mysql-sql-injection-attacks-using-php/) for more information about SQL injection attacks, and how to protect your code from them. Or see [this question](http://stackoverflow.com/questions/1860130/how-to-bind-sql-variables-in-php). – Martijn Aug 17 '12 at 07:43
  • @Martijn Thanks! That will be useful, especially for those who do not know very much about mysql like me :) – starbeamrainbowlabs Aug 18 '12 at 08:25

1 Answer


You need to get the title attribute of the selected option. Your code is pointing to the title attribute of the select tag. Make the change below:

showyearlogdays(this.value, this.options[this.selectedIndex].title)

You should also address the security concern mentioned in the comments. The way your query is set up would make for a really simple SQL Injection attack. If you don't want to rearchitect it the way the commenter suggested, I would at least escape $username so that SQL can't be injected.

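As an added example (not the asker's or answerer's code), here is the same form rewritten to apply both points of the answer: the select's onchange reads the title of the selected option rather than of the select itself, and the query uses a mysqli prepared statement so $username is bound as a parameter instead of being concatenated into the SQL. It also HTML-escapes the username before writing it into the title attribute, since that is a second place where the value is inserted into markup unescaped. It assumes $mysqli is an open mysqli connection and $username holds the current employee's name; the table and column names are the ones from the question.

```php
<?php
// Added example: prepared statement plus attribute escaping for the academic-year <select>.
// Assumptions: $mysqli is an open mysqli connection, $username is the current employee's name.

function academic_year_label(string $yyyymm): string
{
    // academic_year is stored as YYYYMM; months before August belong to the previous academic year,
    // so 201205 -> "2011/2012" and 201209 -> "2012/2013" (same rule as the original code)
    $year  = (int) substr($yyyymm, 0, 4);
    $month = (int) substr($yyyymm, 4, 2);
    return $month < 8 ? ($year - 1) . '/' . $year : $year . '/' . ($year + 1);
}

function render_year_options(mysqli $mysqli, string $username): string
{
    // The SQL text contains no user data; the value travels separately via bind_param
    $stmt = $mysqli->prepare(
        'SELECT DISTINCT academic_year FROM holiday_entitlement_business_manual WHERE employee = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $mysqli->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($academicYear);

    // Escape once for use inside a double-quoted HTML attribute
    $safeUser = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');

    $html = '<option value="" label="">- Year -</option>';
    while ($stmt->fetch()) {
        $safeValue = htmlspecialchars($academicYear, ENT_QUOTES, 'UTF-8');
        $html .= '<option value="' . $safeValue . '" title="' . $safeUser . '">'
               . academic_year_label($academicYear)
               . '</option>';
    }
    $stmt->close();
    return $html;
}
?>
<form action="">
    <select id="acyear" name="acyear"
            onchange="showyearlogdays(this.value, this.options[this.selectedIndex].title)">
        <?php echo render_year_options($mysqli, $username); ?>
    </select>
</form>
```

Because the username is written into the page and then sent back in the `?username=` query string, days_yearlog.php receives it as client-controlled input and needs the same parameter binding on its own query; if the server already knows the logged-in user from the session, taking it from there instead of the request avoids round-tripping it through the client at all.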