-1

When trying to fetch data from a MySQL database using PHP, the following code gets a message:

Getting error:

undefined variable result.

<?php 
require_once 'login.php';
$conn = new mysqli($hn, $un, $pw, $db);
if ($conn->connect_error) die($conn->connect_error);
echo <<<_END
 <form action="fetchdata.php" method="post"><pre>
   Enter Country <input type="text" name="field">  
                <input type="submit" value="Display Records">
 </pre></form>
_END;

if (isset($_POST['field'])) {
  $field=$_post($conn,'field');
  $query="SELECT * FROM customers WHERE Country = '$field'";
  $result=$conn->query($query);
  if (!$result) die($conn->error);
  }

$rows = $result->num_rows;
Alive to die - Anant
  • what error you got? – Karthi Oct 18 '16 at 04:33
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Oct 18 '16 at 05:08
  • Campbell Menzies you have answers below. Check them and mark+up-vote one as accepted answer. You can up-vote others too if they are useful. Thanks – Alive to die - Anant Oct 19 '16 at 04:54
  • Thanks. I am aware of SQL injection, but this is a closed environment - localhost and server on USB - so not worrying about that yet. – Campbell Menzies Oct 19 '16 at 10:45

3 Answers

2

Instead of

  $field=$_post($conn,'field');

Maybe you mean

  $field=$_POST['field'];

Additionally you use $result at the end, even when it is not defined:

$rows = $result->num_rows;

Also you never output any data and print it. You just store it in variables.

In any case: What you are doing there by writing form data directly into a query string, is dangerous. I recommend you to use PDO together with Named Parameters. Also maybe read up about SQL injections.

Here is another stackoverflow question with a nice answer, regarding SQL injections. It includes both PDO and mysqli: https://stackoverflow.com/a/60496/6637731

Community
Cubicle257
  • `$rows = $result->num_rows;` will never be reached if `$result` is not defined: `if (!$result) die($conn->error);` – Reto Oct 18 '16 at 05:02
  • The row will be reached when !isset($_POST['field']), the if you are writing about is inside another if. – Cubicle257 Oct 18 '16 at 05:17
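
The two points raised above (PDO with named parameters, and `$result` being used when no form was submitted), shown as an added example that is not part of the original question or answers. It assumes an in-memory SQLite database in place of the MySQL server so it runs without one; the `CustomerName` column, the function names and the sample rows are hypothetical.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL;
// with MySQL only the DSN passed to new PDO() changes.

function openSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE customers (CustomerName TEXT, Country TEXT)');
    $insert = $pdo->prepare('INSERT INTO customers VALUES (:name, :country)');
    // Constructed sample rows; one country name contains an apostrophe.
    $sample = [['Alfreds', 'Germany'], ['Abidjan Traders', "Côte d'Ivoire"], ['Island Trading', 'UK']];
    foreach ($sample as [$name, $country]) {
        $insert->execute([':name' => $name, ':country' => $country]);
    }
    return $pdo;
}

// Returns the matching rows, or null when the form has not been submitted.
function customersByCountry(PDO $pdo, array $post): ?array
{
    // Also rejects field[]=..., which would arrive as an array, not a string.
    if (!isset($post['field']) || !is_string($post['field'])) {
        return null; // nothing was queried, so no result object is touched later
    }
    // The value is sent separately from the SQL text, so a quote in it stays data.
    $stmt = $pdo->prepare('SELECT CustomerName, Country FROM customers WHERE Country = :country');
    $stmt->execute([':country' => $post['field']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openSampleDb();
// Constructed inputs: first page load (no POST), a plain value, a value with an apostrophe.
foreach ([[], ['field' => 'Germany'], ['field' => "Côte d'Ivoire"]] as $post) {
    $rows = customersByCountry($pdo, $post);
    if ($rows === null) {
        echo "No country submitted, showing the form only\n";
        continue;
    }
    // Encode on output, as the values would be echoed into HTML.
    echo count($rows), " row(s) for ", htmlspecialchars($post['field'], ENT_QUOTES), "\n";
    foreach ($rows as $row) {
        echo "  ", htmlspecialchars($row['CustomerName'], ENT_QUOTES), "\n";
    }
}
```

The apostrophe case matters even on a closed localhost setup: interpolated into `'$field'`, that value ends the string literal early and the query fails, while the bound parameter matches the row.
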
0

Without telling how request to this code is done, one guess is that isset($_POST['field']) returns false, hence variable $result is never defined but you use it anyway below in $result->num_rows.

LeleDumbo
0

You made a mistake in the below line. It should be

$field=$_POST['field'];

not

$field=$_post($conn,'field');

Naga