0

I have a drop down menu that is populated by pulling the IDs and company_names from a mysqli table with fields that look something like this

      id - company_name - first_name - last_name - phone - email ...
row1   1       ----          ----        ----       ---     ---
row2   2       ----          ----        ----       ---     ---

I then use the following code to pull the id and company_name to populate the dropdown menu

 $mysqli = new mysqli('localhost', 'root', '', 'clients');
    $sql = "SELECT id,company_name FROM clients";
    $get = $mysqli->query($sql)

    ?>

<h1>Invoices</h1>

<form method="post" action="processinvoices.php">
    <select name="id">
        <option value="0">Please Select</option>
        <?php
        while($row = mysqli_fetch_assoc($get))
        {
            ?>
            <option value = "<?php
            $id = $row['id'];
            $company_name = $row['company_name'];
            echo($id . $company_name)?>" >
                <?php echo($id ." ".  $company_name) ?>
            </option>
            <?php
        }

Which produces something that looks like this

Please Select
id1 companyname1
id2 companyname2
id3 companyname3

When I make a selection, say ID1 Company, I want the following code to select the appropriate row and echo the appropriate first_name associated with the ID selected. I think my problem is that when I try to $_POST['id '] to the variable $ids the id number isn't being collected making the code from echo $ids not work. 

$ids = $_POST['id'];
echo $ids;
if( $mysqli->query( "SELECT * FROM clients WHERE ID = $ids" ) ) {
    if( $result = $mysqli->use_result() ) {
        while( $row = $result->fetch_assoc() ) {
            echo $row['company_address'];
        }
        $result->close();
    }
}

The closest answer I've seen to this issue is using jquery/ajax here but I'm looking for a purely php solution to this issue. Thanks in advance for any help provided and apologies if I haven't expressed my requirements perfectly.

Community
  • 1
  • 1
Massive
  • 5
  • 3
  • You should also start checking your error log, and you might want to turn `display_errors` on in your PHP environment while developing. Then you should probably see some error messages. – M. Eriksson Jan 29 '17 at 01:31

1 Answers1

0

You are concatenating the ID and the company name as the value for your drop down (which is the one you send). This will make your actual query to look like this: 

SELECT ..... WHERE ID = id1companyname1

...which is wrong for multiple reasons.

You should only add the ID as the value:

<option value="<?= $row['id'] ?>">
    <?= $row['id'] . ' ' . $row['company_name']?>
</option>

You should also secure your PHP and SQL query a bit:

// Make sure the index exist with isset(), and cast it 
// as an integer (for security, since ID's are only integers)

$ids = isset($_POST['id']) ? (int) $_POST['id'] : 0;
echo $ids;

// Also, change ID in the query to id (small letters).
if ($result = $mysqli->query( "SELECT * FROM clients WHERE id = $ids" )) {
    while ($row = $result->fetch_assoc()) {
        echo $row['company_name'];
    }
}

Note: In this case, casting the value as integer works and is enough to protect you from SQL Injections, but in general, you should use Prepared Statements instead of concatenating your queries. Specially when dealing with user inputs, which can never be trusted.

M. Eriksson
  • 13,450
  • 4
  • 29
  • 40
  • Thanks Magnus, now the line: echo $ids is printing out the correct id but the following code still doesn't retrieve the associated company_name. Any ideas? if( $mysqli->query( "SELECT * FROM clients WHERE ID = $ids" ) ) { if( $result = $mysqli->use_result() ) { while( $row = $result->fetch_assoc() ) { echo $row['company_name'] . $row['first_name']; – Massive Jan 30 '17 at 20:04
  • @Massive - Check your error log, and turn `display_errors` on in PHP and see if you get any error message. Also, echo the SQL statement and see if it looks correct – M. Eriksson Jan 30 '17 at 20:14
  • @Massive - Actually.. change `WHERE ID =` to `WHERE id =` (the wrong case matters), – M. Eriksson Jan 30 '17 at 20:16
  • Changing ID to id didn't help. Also I'm not getting any errors. I feel like the while loop might be throwing me off. – Massive Jan 30 '17 at 20:34
  • @Massive - Have you echoed the sql-statement? Do it and try it in some mysql client – M. Eriksson Jan 30 '17 at 20:56
  • Is this what you mean? if( $mysqli->query( "SELECT * FROM clients WHERE id = '$ids'" ) ) { $result = $mysqli->use_result(); echo $result; – Massive Jan 30 '17 at 21:12
  • @Massive No. `echo "SELECT * FROM clients WHERE id = '$ids'";` before you make the query. Check that it looks OK with the id and all – M. Eriksson Jan 30 '17 at 21:39
  • It's echoing: SELECT * FROM clients WHERE id = '8', which is what I'd expect as I'm choosing item at ID 8 – Massive Jan 30 '17 at 21:45
  • Have updated the answer. Try that version (changed the SQL part a bit) – M. Eriksson Jan 30 '17 at 21:49
  • Amazing thanks that worked exactly how I wanted it to. I tried to upvote you but my rank is too low. Thank you very much Magnus – Massive Jan 30 '17 at 22:02