Hi guys, I'm trying to show a result on a webpage by a PHP options search. My code is as below:

```php
<?php
include 'db.php';
$tbl_name="socio";
if(isset($_POST['search'])){
  $input = $_GET['stYear'];
  $sql = "SELECT * FROM socio where year='$input'";
  $res = mysqli_query($con, $sql) or die($sql);
  while($row = mysqli_fetch_array($res))
  {
    echo $row['socio'];
  }
  mysqli_close($con);
}
?>
```

Error:

```
Notice: Undefined index: stYear in C:\Apache24\htdocs on line 9
```

Krish
    `$_GET` or `$_POST`? also you are open to SQL injections. Also if you only need the `socio` column you should only select that column. – chris85 Dec 26 '16 at 18:27
  • Possible duplicate of [PHP: "Notice: Undefined variable" and "Notice: Undefined index"](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) – chris85 Dec 26 '16 at 18:32
  • Hi, I'm not sure where to use the `$_GET` or `$_POST` variable. Also, `socio` is a table. – Krish Dec 26 '16 at 18:36
  • Then `$row['socio']` is incorrect, the indices are columns, not the table. Your `$input = $_GET['stYear'];` should be `POST` I'd guess since you are entering the conditional. – chris85 Dec 26 '16 at 18:40
  • I just changed my code and it shows only a blank page. – Krish Dec 26 '16 at 18:52
  • Update the question. http://stackoverflow.com/posts/41334942/edit – chris85 Dec 26 '16 at 19:05

1 Answer
You haven't validated your input. Hence the issue. Validate and sanitize!

```php
<?php
include 'db.php';
if(isset($_POST['search'])) {
    $_POST['stYear'] = array_key_exists('stYear', $_POST) ? mysqli_real_escape_string($con, $_POST['stYear']) : null;
    if (empty($_POST['stYear'])) {
        exit('Invalid year given');
    }
    // Use the escaped value in the query (the original snippet never assigned $input).
    $input = $_POST['stYear'];
    $sql = "SELECT * FROM socio WHERE year ='$input'";
    $res = mysqli_query($con, $sql) or die($sql);
    while ($row = mysqli_fetch_array($res)) {
        echo 'You selected '.$input;
    }
    mysqli_close($con);
}
```

Also, if you only intend to use the years you've provided in your form, you can whitelist them by adding `in_array($_POST['stYear'], ['2014-15', '2015-16', '2016-17', '2017-18', '2018-19'])`. Example below:

```php
<?php
include 'db.php';
if(isset($_POST['search'])) {
    $_POST['stYear'] = array_key_exists('stYear', $_POST) && in_array($_POST['stYear'], ['2014-15', '2015-16', '2016-17', '2017-18', '2018-19']) ? $_POST['stYear'] : null;
    if (empty($_POST['stYear'])) {
        exit('Invalid year given');
    }
    // Only a whitelisted value reaches the query (the original snippet never assigned $input).
    $input = $_POST['stYear'];
    $sql = "SELECT * FROM socio WHERE year ='$input'";
    $res = mysqli_query($con, $sql) or die($sql);
    while ($row = mysqli_fetch_array($res)) {
        echo 'You selected '.$input;
    }
    mysqli_close($con);
}
```
Magictallguy
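The whitelist approach from the answer, combined with a prepared statement so the year never becomes part of the SQL text, as an added example (not the answer's or the asker's code). It assumes `db.php` defines `$con` as a `mysqli` connection with the mysqlnd driver (for `get_result()`), and that table `socio` has columns `year` and `socio`; the `ALLOWED_YEARS` list and the helper names are mine.

```php
<?php
// Added example: whitelist the form value, then parameterise the query.
// Assumes db.php defines $con (mysqli, mysqlnd driver) and that table
// `socio` has columns `year` and `socio`.
include 'db.php';

// Values the form actually offers; anything else fails closed.
const ALLOWED_YEARS = ['2014-15', '2015-16', '2016-17', '2017-18', '2018-19'];

function validated_year(array $post): ?string
{
    // A missing key, a non-string (e.g. stYear[]=x) or an unknown value all return null.
    if (!isset($post['stYear']) || !is_string($post['stYear'])) {
        return null;
    }
    return in_array($post['stYear'], ALLOWED_YEARS, true) ? $post['stYear'] : null;
}

function fetch_socio(mysqli $con, string $year): array
{
    // The placeholder keeps the value out of the SQL string, so correct
    // escaping is no longer the only thing between the request and the query.
    $stmt = $con->prepare('SELECT socio FROM socio WHERE year = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $year);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return array_column($rows, 'socio');
}

if (isset($_POST['search'])) {
    $year = validated_year($_POST);
    if ($year === null) {
        http_response_code(400);
        exit('Invalid year given');
    }
    echo 'You selected ' . htmlspecialchars($year, ENT_QUOTES, 'UTF-8') . "<br>\n";
    foreach (fetch_socio($con, $year) as $value) {
        // Escape on output as well: this value came from the database, not from the whitelist.
        echo htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
    mysqli_close($con);
}
```

The whitelist catches the mismatch the comments hit (`ctype_digit` rejects `2014-15` because of the hyphen), while the placeholder handles any value that does get through.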
  • Hi, I added your validation but it says "Invalid year given". By the way, I put my whole code here for your reference. – Krish Dec 26 '16 at 20:01
  • ```php
    include 'db.php';
    $tbl_name="socio";
    if(isset($_POST['search'])){
      $input = $_POST['stYear'];
      if(isset($_POST['search'])) {
        $_POST['stYear'] = array_key_exists('stYear', $_POST) && ctype_digit($_POST['stYear']) ? $_POST['stYear'] : null;
        if(empty($_POST['stYear'])) {
          exit('Invalid year given');
        }
        $sql = "SELECT * FROM socio WHERE year ='$input'";
        $res = mysqli_query($con, $sql) or die($sql);
        while($row = mysqli_fetch_array($res)) {
          echo "You selected ".$input;
        }
        mysqli_close($con);
      }
    }
    ```
    – Krish Dec 26 '16 at 20:02