0

I have been stuck on this issue for a long time and have tried to search for a solution, but couldn't figure it out. I have an input field where the user types an occasion name that already exists in the Event table, and I wrote PHP code so that the entire row is shown for that occasion name. Below is my code; I always get the first row of the table (which means it is not doing the check or the WHERE condition). I tried assigning $X a value like `$X = gh` (gh is an occasion name that exists in the table) and it works perfectly. It seems that the PHP is executed on page load, meaning before the user types the input value (but that does not make any sense, as why does it show the first row then?).

NOTE: I used `if(isset($_POST['s']))` to check whether the user clicked the button, but it is not working, as the PHP code is executed before clicking.

```javascript
function GetI()
{
    var x = document.getElementById("tt").value;
    document.getElementById("tvalue").value = x;
}
```

```php
<input  type="text" id="tt" value="" class="contactField"/> </br>
<input type="submit"  class="pageapp-login-button button button-small button-green button-fullscreen " style="font-size:13px" value="getValue" onclick="GetI()" />

<form  method="post" name="addingform1" id="addingform1"     action="testing.php" >
  <!-- Here in tvalue, I just show this input to make sure the variable is copying the same input that user typed -->
  <input  type="text" id="tvalue" value="" class="contactField"/>
  <input type="submit" name="s" class="pageapp-login-button button button-small button-green button-fullscreen " style="font-size:13px" value="Fordata"/>

<?php header("Content-type: text/html; charset=utf-8");
if(isset($_POST['s']))
  $X= $_POST['tvalue'];
include('database/connect-mysql.php');

mysql_query("set character_set_server='utf8'");
mysql_query("set names 'utf8'");

$sqls = "SELECT  Date, Address, City, TotalGuest FROM Events WHERE OccationName = '$X'";
echo " <table id='tid'style= 'border-collapse: collapse;
    border-spacing: 0;
    width: 100%;
    border: 1px solid #ddd;
    position:absolute;
           top:20%;
           right:20%; 
'> 
<th><div style='overflow: auto; height: 30px; width: 100px;'>Date</th>
<th><div style='overflow: auto; height: 30px; width: 100px;'>Address</th>
<th><div style='overflow: auto; height: 30px; width: 100px;'>City</th>
<th><div style='overflow: auto; height: 30px; width: 100px;'>TotalGuest</th>
</tr>
";

foreach ($dbcon->query($sqls) as $row){
echo "<tr >";
echo "<td>" . $row['Date'] . "</td>";
echo "<td>" . $row['Address'] . "</td>";
echo "<td>" . $row['City'] . "</td>";
echo "<td>" . $row['TotalGuest'] . "</td>";
echo "</tr>";
}

    ?>

</form>
```
Tarneem
  • You are vulnerable to [sql injection attacks](http://bobby-tables.com). – Marc B Aug 26 '16 at 21:46
  • There is **no more support** for `mysql_*` functions, they are [**officially deprecated**](https://wiki.php.net/rfc/mysql_deprecation), **no longer maintained** and will be [**removed**](http://php.net/manual/en/function.mysql-connect.php#warning) in the future. You should update your code with [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) to ensure the functionality of your project in the future. – Sam Dufel Aug 26 '16 at 21:46
  • And your generated HTML is wrong too. You have NO `` tag on the headers, so all of the `` get pushed to above/outside the table. – Marc B Aug 26 '16 at 21:47
  • Please post the complete code HTML and all and I will post you the answer along with the reason(s) it's failing. – Brian Aug 26 '16 at 21:55
  • Also, see http://stackoverflow.com/questions/13840429/what-is-the-difference-between-client-side-and-server-side-programming – Sam Dufel Aug 26 '16 at 21:56
  • @Sam Dufel The JS is not needed and utterly pointless in OP's case. – Brian Aug 26 '16 at 22:12
  • **WARNING**: If you're just learning PHP, please, do not use the [`mysql_query`](http://php.net/manual/en/function.mysql-query.php) interface. It’s so awful and dangerous that it was removed in PHP 7. A replacement like [PDO is not hard to learn](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and a guide like [PHP The Right Way](http://www.phptherightway.com/) explains best practices. Your user parameters are **not** [properly escaped](http://bobby-tables.com/php) and there are [SQL injection bugs](http://bobby-tables.com/) that can be exploited. – tadman Aug 26 '16 at 22:37
  • @Brian - that's correct; however, from his question, he seemed to be confused about why his PHP code was running before the form was submitted. – Sam Dufel Aug 26 '16 at 23:59
  • That's because he didn't enclose his conditional post check. – Brian Aug 27 '16 at 00:48

2 Answers

-1

Wow this code has a ton of problems. I would look at the /var/logs/httpd just to see what you did wrong.

HOWEVER
1st issue is your <input> fields don't have name='tvalue' or something like that. You can't use $_POST['tvalue']

2nd issue (I believe) is the foreach for the query. I am not aware that you can flip through a database with a foreach; usually you do it in a while loop.

Forbs
  • Yes, you are right! I did assign tvalue to id instead of name! It is working now! Thank you sooooooo much!! By the way, it is working with the foreach condition; I didn't change it to a while loop. – Tarneem Aug 27 '16 at 16:00
  • I learned something new! I have never tried it in a foreach loop before. – Forbs Aug 27 '16 at 19:31
-1

As others have stated, you should be using Mysqli. Regardless, here is the answer, and I hope you learn from it.

```php
<?php

$xvar = ""; // default value so the form can be built before anything is submitted

// name="tvalue" is required: only fields with a name attribute arrive in $_POST
$form = "
<form id=\"addingform1\" action=\"testing.php\" name=\"addingform1\" method=\"post\">
    <input id=\"tvalue\" name=\"tvalue\" type=\"text\" class=\"contactField\" value=\"".$xvar."\"/>
    <input type=\"submit\" name=\"s\" class=\"pageapp-login-button button button-small button-green button-fullscreen \" style=\"font-size:13px\" value=\"Fordata\"/>
</form>";

IF (isset($_POST['s'])) { // form has been submitted

    $err = ""; // form errors

    // Associate and Sanitize form variables
    $xvar = htmlspecialchars(strip_tags(trim($_POST['tvalue'])));

    // Validate form variables
    IF (empty($xvar)) { $err .="- tvalue is empty"; }

    IF (!empty($err)) {

        echo($err); // display errors

        // display the form
        echo($form);

    }ELSE{ // no errors

        // DB connection -- only include/establish when needed.
        include('database/connect-mysql.php');
        mysql_query("set character_set_server='utf8'");
        mysql_query("set names 'utf8'");

        $_xvar = mysql_real_escape_string($xvar);
        $result = "";

        // sql
        $sql = "SELECT Date, Address, City, TotalGuest FROM Events WHERE OccationName = '$_xvar'";
        // assumes $dbcon->query() returns a result usable by mysql_fetch_array()
        $query = $dbcon->query($sql);
        IF ($query) {

            While ($row = mysql_fetch_array($query)) {

                // Loop through and build tr rows.
                $result .= "<tr><td>".$row['Date']."</td><td>".$row['Address']."</td><td>".$row['City']."</td><td>".$row['TotalGuest']."</td></tr>";

            }
            mysql_free_result($query); // free the result set, not the $result string

        }ELSE{

            // No results from query
            $result .= "<tr><td colspan=\"4\">No results for ".$xvar."</td></tr>";

        }
        mysql_close($dbcon); // close your db connection

        // Display results
        echo("\n
<table id=\"tid\" > 
<tr>
    <th><div style=\"overflow: auto; height: 30px; width: 100px;\">Date</th>
    <th><div style=\"overflow: auto; height: 30px; width: 100px;\">Address</th>
    <th><div style=\"overflow: auto; height: 30px; width: 100px;\">City</th>
    <th><div style=\"overflow: auto; height: 30px; width: 100px;\">TotalGuest</th>
</tr>
".$result."
</table>");

    }

}ELSE{
    // Form has not been submitted, thus show the form.
    echo($form);
}
?>
```
Brian
  • Thank you for writing this code, but it is not working, as I get the same result (displaying the first row of the table, even if I type the wrong info). – Tarneem Aug 27 '16 at 15:37
  • Have you tried this code on its own? Copy and paste it into a new file named testing.php? It works in my testing. – Brian Aug 27 '16 at 19:08
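
The lookup from this thread rewritten with a bound parameter and output escaping, following the comments that point to PDO and SQL injection. This is an added example, not code from any of the posters. It assumes `$dbcon` is a PDO handle, and it uses an in-memory SQLite database with constructed rows (needs the pdo_sqlite extension) in place of `database/connect-mysql.php`; the helper names `find_events`, `h` and `render_rows` are hypothetical.

```php
<?php
// Added example. Assumption: the page's $dbcon is a PDO handle. An in-memory
// SQLite database with constructed rows replaces database/connect-mysql.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Events (OccationName TEXT, Date TEXT, Address TEXT,
           City TEXT, TotalGuest INTEGER)');
$db->exec("INSERT INTO Events VALUES
    ('gh', '2016-09-01', '1 Main St', 'Springfield', 40),
    ('Sara''s party', '2016-10-05', '<i>2 Oak Ave</i>', 'Shelbyville', 12)");

// The typed value is bound as a parameter, so it is compared as data and
// never parsed as part of the SQL statement.
function find_events(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT Date, Address, City, TotalGuest
                          FROM Events WHERE OccationName = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape for HTML when printing, not before the database lookup.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_rows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . h($row['Date']) . '</td><td>' . h($row['Address'])
            . '</td><td>' . h($row['City']) . '</td><td>' . h($row['TotalGuest'])
            . "</td></tr>\n";
    }
    return $html;
}

// Query only when the named field was posted as a string (name="tvalue").
// With no POST data (e.g. run from the CLI) constructed inputs are used.
$posted = $_POST['tvalue'] ?? null;
$inputs = is_string($posted) ? [trim($posted)] : ['gh', "Sara's party", "x' OR '1'='1"];
foreach ($inputs as $name) {
    $rows = find_events($db, $name);
    echo '<h4>' . h($name) . ': ' . count($rows) . " row(s)</h4>\n<table>\n"
        . "<tr><th>Date</th><th>Address</th><th>City</th><th>TotalGuest</th></tr>\n"
        . render_rows($rows) . "</table>\n";
}
```

The third constructed input contains quote characters and returns zero rows, because the bound value is matched literally against `OccationName`.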