So, I am trying to display the value of movie_id using the movie name, by getting the name from a textblock (HTML). But the page displayed is blank, and if I add a name manually in the query, e.g. name="skyfall" instead of the variable, the result is displayed.

```php
include './connection.php';

$movie_tf=$_POST['movie_tf'];

$getMovieIdQuery="SELECT movie_id FROM MOVIE WHERE name='$movie_tf'";
$query=  mysql_query($getMovieIdQuery);

if (!$query){
    echo 'error' .  mysql_error($dbconn);
}

    $getMovieIdQueryFetchRow=  mysql_fetch_row($query);
    echo $getMovieIdQueryFetchRow[0];


mysql_close($dbconn);
```

html form:

```html
<form action="operations.php" method="GET">
    Movie:<input type="text" name="movie_tf"/> <br/>
    <input type="submit" value="submit"/>
</form>
```
Nelson John
  • well *something* obviously failed, some *unknown* force – Funk Forty Niner Mar 08 '16 at 21:36
  • You should use `prepared statements` (http://php.net/manual/en/pdo.prepared-statements.php) to prevent SQL injection. Anyway. What is displayed in your browser console (or log file)? – Seblor Mar 08 '16 at 21:37
  • Just a SQL deprecated warning is displayed. But it does display the wanted result when I add a name of the movie manually instead of the variable. Is my query syntax correct with the variable? @Seblor – Nelson John Mar 08 '16 at 21:40
  • If you're getting the deprecated notice you should learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 08 '16 at 21:42
  • Surely you have verified `$_POST['movie_tf']` content, right? The syntax is correct. – fusion3k Mar 08 '16 at 21:43
  • ^ the *unknown force* – Funk Forty Niner Mar 08 '16 at 21:46
  • *Tap, tap, tap....* - so, you going to show us the HTML form that should have gone with this? – Funk Forty Niner Mar 08 '16 at 21:48
  • added the form @Fred-ii- – Nelson John Mar 08 '16 at 21:53
  • @NelsonJohn added my answer ;-) below – Funk Forty Niner Mar 08 '16 at 21:54

1 Answer

You're using `method="GET"` for your form and then a POST array, `$_POST['movie_tf']`.

Either use `method="post"`

or `$_GET['movie_tf']`; the choice is yours.

  • Both the method and array type must match.

And strangely enough, you would not have gotten errors for it either.

  • I learned that lesson the hard way once.

Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.

Funk Forty Niner
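
An added example (not part of the answer above or of the poster's code) of the prepared-statement lookup the answer recommends, reading `movie_tf` from the array that matches the form's method. The in-memory SQLite database, the sample rows and the function names `openDemoDb` and `findMovieId` are assumptions, chosen so the script runs without the poster's `connection.php`.

```php
<?php
declare(strict_types=1);

// Assumption: SQLite in-memory stands in for the MySQL connection;
// the MOVIE rows below are constructed sample data.
function openDemoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE MOVIE (movie_id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO MOVIE (movie_id, name)
                VALUES (1, 'skyfall'), (2, 'Ocean''s Eleven')");
    return $pdo;
}

// $params is the superglobal matching the form: $_GET for method="GET",
// $_POST for method="post". Returns null when nothing usable was sent
// or no row matches.
function findMovieId(PDO $pdo, array $params): ?int
{
    $name = $params['movie_tf'] ?? null;
    if (!is_string($name) || trim($name) === '') {
        return null; // key absent (method/array mismatch), array value, or empty
    }
    // The value is bound as data; it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT movie_id FROM MOVIE WHERE name = :name');
    $stmt->execute([':name' => trim($name)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$pdo = openDemoDb();

// Constructed inputs, shaped like the request arrays PHP would build.
$cases = [
    'matching array'       => ['movie_tf' => 'skyfall'],
    'wrong array (empty)'  => [],                            // $_POST on a GET form
    'apostrophe in name'   => ['movie_tf' => "Ocean's Eleven"],
    'quote-breaking input' => ['movie_tf' => "x' OR '1'='1"],
    'array instead of str' => ['movie_tf' => ['skyfall']],
];

foreach ($cases as $label => $params) {
    printf("%-22s => %s\n", $label, var_export(findMovieId($pdo, $params), true));
}
```

In the page itself the call would be `findMovieId($pdo, $_GET)` for the form as posted, with `$pdo` opened against the real MySQL database.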