
I've browsed the website in search of an answer, but nothing that I tried seems to work.

Basically I've got my index page with tiles showing a small preview of the items in my database. When I click on a tile, it opens the details page which, at this moment, shows every item from the database and not just the one I've just clicked on.

My question is: how do I adjust the query to only show the relevant explanation for the selected item?

This is my index page code:

    <?php

    // Index page: list every werkvorm with a link to its details page.
    $query="SELECT * FROM werkvorm";
    $result=mysqli_query($link, $query);

    while($row=mysqli_fetch_assoc($result))
    {
        echo "<h2>".$row['w_naam']."</h2>";
        echo "<p>".$row['w_omschrijving']."</p>";
        // The selected row's id is passed to details.php in the query string.
        echo "<p><a href='details.php?id=".$row['w_id']."'>Meer weten?</a></p>";
    }

    ?>

This is the details page code:

    <?php

    // Details page: the query has no WHERE clause, so every row is fetched
    // (this is the behaviour described above); the id from the URL is never used.
    $query="SELECT * FROM werkvorm";
    $result=mysqli_query($link, $query);

    while($row=mysqli_fetch_assoc($result))
    {
        echo "<h2>".$row['w_naam']."</h2>";
        echo "<p>".$row['w_omschrijving']."</p>";
        echo "<p>Uitvoeringstijd: ".$row['w_uitvoeringstijd']." minuten.</p>";
        // Look up the related rol, onderwijsniveau and attribuut rows one by one.
        $query="SELECT * FROM rol WHERE r_id=".$row['w_rolleerkracht'];
        $rolresult=mysqli_query($link, $query);
        $rolrow=mysqli_fetch_assoc($rolresult);
        echo "<p>Rol van de leerkracht: ".$rolrow['r_omschrijving']."</p>";
        echo "<p>Doelstellingen: ".$row['w_doelstellingen']."</p>";
        $query="SELECT * FROM onderwijsniveau WHERE o_id=".$row['w_onderwijsniveau'];
        $oresult=mysqli_query($link, $query);
        $orow=mysqli_fetch_assoc($oresult);
        echo "<p>Onderwijsniveau: ".$orow['o_omschrijving']."</p>";
        echo "<p>Klasgrootte: ".$row['w_klasgrootte']."</p>";
        $query="SELECT * FROM attribuut WHERE a_id=".$row['w_benodigdheden'];
        $aresult=mysqli_query($link, $query);
        $arow=mysqli_fetch_assoc($aresult);
        echo "<p>Benodigheden: ".$arow['a_omschrijving']."</p>";
        echo "<p>Voorbereidingstijd: ".$row['w_voorbereidingstijd']." minuten.</p>";
        echo "<p>Voorbereiding: ".$row['w_voorbereiding']."</p>";
        echo "<p>Visuele ondersteuning: ".$row['w_visueleuitleg']."</p>";
    }

    ?>
  • **WARNING**: When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation to accomplish this because you will create severe [SQL injection bugs](http://bobby-tables.com/). **NEVER** put raw user data directly into a query. – tadman Feb 25 '15 at 16:15
  • Use `$_GET`, `$id = $_GET['id'];` `WHERE id=$id`, but I really suggest you use prepared statements like `mysqli_*` or `PDO`. – Alex Feb 25 '15 at 16:16
  • `SELECT * FROM werkvorm` (without any WHERE clause at all) might explain why it displays all the records – Mark Baker Feb 25 '15 at 16:16
  • I strongly suggest you learn some SQL. Your code can be made much better if you leverage JOINs and WHERE clauses properly. – Dan Feb 25 '15 at 16:18
  • You need a fix in your while; what are you trying to do with those queries in there that you haven't already done in your first query? – Alex Feb 25 '15 at 16:18

1 Answer

On the details page, use this query:

    $query = 'SELECT * FROM `werkvorm` WHERE `w_id`='. intval($_GET['id']);

But be aware, this is VERY unsafe as it is now. Use PDO prepared statements or some library to prevent SQL injection. There is an excellent SO answer about the matter. Please look into this, and make it a habit to use the mysqli prepared statements or PDO prepared statements for ANY SQL query you'd like to execute.

    I have edited your answer to add basic security to the query you posted. You can't comment on the insecurity of the OP's code if you yourself are providing an unsafe query. – Niet the Dark Absol Feb 25 '15 at 16:17
  • Thanks a lot for this answer. It does everything I wanted it to do. I'm well aware of my sql limits, and as this is part of my learning process I'm more than happy with the given answers. – Michael Feb 25 '15 at 16:26
  • @MichaelCox Just be careful to use prepared statements now as code you write today might very well show up doing more important things in the future. Every SQL injection hole is a potential nightmare. – tadman Feb 25 '15 at 16:27
  • @NiettheDarkAbsol I can! I just did it! :) Thanks for the edit, it's a valuable addition. I just wanted to show him how to get his records, this single thing will not make his app safe, so urging to look into the matter would be more wise. But of course, every little step helps. So yet again, thanks for the valuable edit. – giorgio Feb 25 '15 at 20:47
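For reference, here is what the details page looks like when the answer's WHERE clause is combined with the prepared statement tadman's comment asks for and the JOINs Dan's comment suggests. This is an added example, not code from the question or the answer; it assumes `$link` is an open mysqli connection (with mysqlnd, for `mysqli_stmt_get_result`) and uses the table and column names from the question.

```php
<?php
// Added example, not the question's or the answer's code: details.php rewritten with a
// mysqli prepared statement (tadman's comment) and JOINs (Dan's comment).
// Assumes $link is an open mysqli connection and the table/column names from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

// Validate the id before it goes anywhere near the database.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Ongeldig id');
}

// One JOIN query replaces the three per-row lookups; the ? placeholder is bound
// separately, so the value from the URL never becomes part of the SQL text.
$sql = 'SELECT w.w_naam, w.w_omschrijving, w.w_uitvoeringstijd, w.w_doelstellingen,
               w.w_klasgrootte, w.w_voorbereidingstijd, w.w_voorbereiding, w.w_visueleuitleg,
               r.r_omschrijving, o.o_omschrijving, a.a_omschrijving
        FROM werkvorm w
        LEFT JOIN rol             r ON r.r_id = w.w_rolleerkracht
        LEFT JOIN onderwijsniveau o ON o.o_id = w.w_onderwijsniveau
        LEFT JOIN attribuut       a ON a.a_id = w.w_benodigdheden
        WHERE w.w_id = ?';
$stmt = mysqli_prepare($link, $sql);
mysqli_stmt_bind_param($stmt, 'i', $id);   // 'i': bind $id as an integer
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
if ($row === null) {
    http_response_code(404);
    exit('Werkvorm niet gevonden');
}

// Escape on output so text stored in the database cannot inject HTML or script.
function h(?string $s): string {
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<h2>' . h($row['w_naam']) . '</h2>';
echo '<p>' . h($row['w_omschrijving']) . '</p>';
echo '<p>Uitvoeringstijd: ' . h($row['w_uitvoeringstijd']) . ' minuten.</p>';
echo '<p>Rol van de leerkracht: ' . h($row['r_omschrijving']) . '</p>';
echo '<p>Doelstellingen: ' . h($row['w_doelstellingen']) . '</p>';
echo '<p>Onderwijsniveau: ' . h($row['o_omschrijving']) . '</p>';
echo '<p>Klasgrootte: ' . h($row['w_klasgrootte']) . '</p>';
echo '<p>Benodigdheden: ' . h($row['a_omschrijving']) . '</p>';
echo '<p>Voorbereidingstijd: ' . h($row['w_voorbereidingstijd']) . ' minuten.</p>';
echo '<p>Voorbereiding: ' . h($row['w_voorbereiding']) . '</p>';
echo '<p>Visuele ondersteuning: ' . h($row['w_visueleuitleg']) . '</p>';
```

The LEFT JOINs keep the page working when a related rol, onderwijsniveau or attribuut row is missing (the column simply comes back NULL), where the original per-row lookups would have read from a false result.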