0

I have a page that takes an SKU from a database and creates a page. Example URL: http://example.com/index.php?sku=1234567

When I load a URL like this, it shows nothing - not even the table which I output with echo. Below is my code:

$sku = $_GET['sku'];
$result = mysqli_query($conn, "SELECT productname, price, producturl, productimg, productdesc, sku FROM table WHERE sku=" . $sku);
while ($row = mysqli_fetch_array($result)) {
echo '<h3>test</h3>';

            echo '<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td><h4>'.$row["sku"].'</h4></td>
    <td><h3>'.$row["productname"].'</h3></td>
    <td rowspan="2"><img src="'.$row["productimg"].'" width="100%" alt="productimg"/></td>
  </tr>
  <tr>
    <td colspan="2" rowspan="2"><p>'.$row["productdesc"].'</p></td>
  </tr>
  <tr>
    <td><a class="button" href="'.$row["producturl"].'">View Product</a>    <a class="alert button" href="">No Match</a>    <a class="alert button" href="">Match</a></td>
  </tr>
</table>';
}

I have connected to my database and have the <?php and ?> tags in there. I have noticed while playing around with it that if I remove this line:

while ($row = mysqli_fetch_array($result)) {

and also remove the closing }, it works but does not display any data - just the table. I am not sure what is going on here.

hopper
  • Can you try this: $result = mysqli_query($conn, "SELECT productname, price, producturl, productimg, productdesc, sku FROM table WHERE sku='$sku'"); – Maximus2012 Jul 17 '13 at 14:33
  • echo mysqli_num_rows ($result )." Records found..."; – steven Jul 17 '13 at 14:35
  • 2
    Your code is vulnerable to **SQL Injection**, please read this: http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php – Mansfield Jul 17 '13 at 14:43
  • @Mansfield I am not worried about SQL injection because this is a simple page that will help me search a Catalog and no one else has access to it. – Ryan Thomas King Jul 17 '13 at 14:49
  • 1
    @RyanThomasKing Don't get in the habit of writing crappy code. Using parameterized queries is just as easy/fast as what you're doing now. Not to mention that without at least escaping, you lose functionality - try searching for something with an apostrophe in it. – Mansfield Jul 17 '13 at 14:52
  • 1
    @RyanThomasKing still. It is good practice to always do it. You'll develop muscle memory and be less prone to make the mistakes "in the real world". – Bart Friederichs Jul 17 '13 at 14:53
  • Are you sure you used `$conn`? Most people might use `$con`... a typo maybe? – pattyd Jul 17 '13 at 14:56
  • @pattyd Yes, I did use $conn, and I have tried $con just in case; it makes no difference – Ryan Thomas King Jul 17 '13 at 15:00
  • Okay, just wanted to make sure! Sometimes typos kill me. ;) – pattyd Jul 17 '13 at 15:01
  • 1
    @pattyd Typos have also got me many times – Ryan Thomas King Jul 17 '13 at 15:02
  • There is no excuse for not using parameterized queries when you have `mysqli`. "I swear this is just test code" are the famous last words of someone who's had their internal tool promoted to production. – tadman Jul 17 '13 at 15:19

4 Answers

2

Simple. Your mysqli_query call returns no records. Either no records are found, or there is an error. Make your code a little more robust.

$sku = $_GET['sku'];
if ($result = mysqli_query($conn, ...)) {
    if (mysqli_num_rows($result) == 0) {
        echo "no skus found";
    } else {
        while ($row = mysqli_fetch_array($result)) {
            echo '<h3>test</h3>';
            ...
        }
    }
} else {
    echo "something went wrong: ".mysqli_error($conn);
}

(As a side note, please use parametrised queries, you are opening yourself up to SQL injection now. MySQLi is no magic bullet against this, you still have to validate / sanitize input.)

Bart Friederichs
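
The parameterised query recommended in the answer and comments above, written out for the SKU lookup as an added example that is not part of the original posts. The table name `products`, the connection details and the 64-character SKU limit are assumptions; with error reporting switched to exceptions, a failing query no longer produces a silently blank page.

```php
<?php
// Added example. Assumed: table name `products`, placeholder credentials,
// and a 64-character SKU length limit.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw, no silent false

function find_products(mysqli $conn, string $sku): array
{
    // The ? placeholder sends $sku separately from the SQL text, so an
    // apostrophe in the value is data and cannot alter the statement.
    $stmt = $conn->prepare(
        'SELECT sku, productname, productimg, productdesc
           FROM `products` WHERE sku = ?'
    );
    $stmt->bind_param('s', $sku);
    $stmt->execute();
    $stmt->bind_result($rSku, $name, $img, $desc);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = ['sku' => $rSku, 'productname' => $name,
                   'productimg' => $img, 'productdesc' => $desc];
    }
    $stmt->close();
    return $rows;
}

// Encode database values for HTML text and attribute contexts.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

$sku = $_GET['sku'] ?? '';
if (!is_string($sku) || $sku === '' || strlen($sku) > 64) {
    http_response_code(400);
    exit('Invalid SKU');
}
try {
    $conn = new mysqli('localhost', 'catalog_user', 'CHANGE_ME', 'catalog');
    $rows = find_products($conn, $sku);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the page
    http_response_code(500);
    exit('Lookup failed');
}
echo count($rows) . " record(s) found\n";
foreach ($rows as $row) {
    echo '<h4>' . h($row['sku']) . '</h4><h3>' . h($row['productname']) . '</h3>'
       . '<p>' . h($row['productdesc']) . '</p>'
       . '<img src="' . h($row['productimg']) . '" alt="productimg"/>';
}
```

`htmlspecialchars` does not neutralise a `javascript:` URL, so a value such as `producturl` should also be checked for an http or https scheme before it is written into an `href`.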
0

Display mysqli error on fault:

if (!mysqli_query($link, $sql)) {
    printf("Errormessage: %s\n", mysqli_error($link));
}
steven
  • That's a good idea, however it does not solve the problem. It will just give more info on the problem. – pattyd Jul 17 '13 at 15:03
0

Put $sku inside quotes.

    <?php
    $sku = $_GET['sku'];
    $result = mysqli_query($conn, "SELECT productname, price, producturl, productimg, productdesc, sku FROM table WHERE sku = $sku");
    while ($row = mysqli_fetch_array($result)) {
    echo '<h3>test</h3>
    <table width="100%" border="0" cellspacing="0" cellpadding="0">
      <tr>
        <td><h4>'.$row["sku"].'</h4></td>
        <td><h3>'.$row["productname"].'</h3></td>
        <td rowspan="2"><img src="'.$row["productimg"].'" width="100%" alt="productimg"/></td>
      </tr>
      <tr>
        <td colspan="2" rowspan="2"><p>'.$row["productdesc"].'</p></td>
      </tr>
      <tr>
        <td><a class="button" href="'.$row["producturl"].'">View Product</a>    <a class="alert button" href="">No Match</a>    <a class="alert button" href="">Match</a></td>
      </tr>
    </table>';
    }
    ?>
phsaires
0

I have managed to solve the issues that I have been having. I had to remove the i from mysqli, but I have used the same piece of code on another site, so it may be something to do with the server or database maybe. Here is the code though:

<?php
$sku = $_GET['sku'];
$objConnect = mysql_connect("host address","username","password") or die(mysql_error() . 'this is true death...');
$objDB = mysql_select_db("database");
$result = 'SELECT sku, productname, price, producturl, productimg, productdesc FROM table1 WHERE sku="' . $sku . '"';
$result = mysql_query($result);
while ($row = mysql_fetch_array($result)) {
    echo '<table width="100%" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td><h4>'.$row["sku"].'</h4></td>
    <td><h3>'.$row["productname"].'</h3></td>
    <td rowspan="2" width="30%"><img src="'.$row["productimg"].'" width="100%" alt="productimg"/></td>
  </tr>
  <tr>
    <td colspan="2" rowspan="2"><p>'.$row["productdesc"].'</p></td>
  </tr>
  <tr>
    <td><a class="button" href="'.$row["producturl"].'">View Product</a>    <a class="alert button" href="">No Match</a>    <a class="alert button" href="">Match</a></td>
  </tr>
</table>';
}
?>