
I've gotten into a bigger problem now. Whenever I want to select for intake and subjects, it will show undefined index: intake and Undefined index: programme respectively. It also did not display options for subjects when I select other choices for intake even though my database contains data for it. Is my code not able to retrieve it or is it something else? Result Image: Errors. Need help, thanks.

    <?php
    include "..\subjects\connect3.php";
    //echo "Connection successs";

    $query = "SELECT * FROM programmes_list";
    $result = mysqli_query($link, $query);
    ?>

    <form name = "form1" action="" method="post">
    <table>
    <tr>
    <td>Select Pragramme</td>
    <td><select id="programmedd" onChange="change_programme()">
    <option>select</option>
    <?php
    while($row=mysqli_fetch_array($result)){
        ?>
    <option value="<?php echo $row["ID"]; ?>"><?php echo $row["programme_name"]; ?></option>
    <?php
        }
        ?>
        </select></td>
        </tr>

        <tr>
            <td>Select intake</td>
            <td>
            <div id="intake">
            <select>
            <option>Select</option>
            </select>
            </div>
            </td>
        </tr>

        <tr>
            <td>Select Subjects</td>
            <td>
            <div id="subject">
            <select>
            <option>Select</option>
            </select>
            </div>
            </td>
        </tr>


    </table>
    </form>




    <script type="text/javascript">
    function change_programme()
    {
        var xmlhttp=new XMLHttpRequest();
        xmlhttp.open("GET","ajax.php?programme="+document.getElementById("programmedd").value,false);
        xmlhttp.send(null);

        document.getElementById("intake").innerHTML=xmlhttp.responseText;

    }


        function change_intake()
    {
        var xmlhttp=new XMLHttpRequest();
        xmlhttp.open("GET","ajax.php?intake="+document.getElementById("intakedd").value,false);
        xmlhttp.send(null);

        document.getElementById("subject").innerHTML=xmlhttp.responseText;
    }
    </script>



    //ajax.php
    <?php
        $dbhost = 'localhost' ;
        $username = 'root' ;
        $password = '' ;
        $db = 'programmes' ;

        $link = mysqli_connect("$dbhost", "$username", "$password");

        mysqli_select_db($link, $db);

        $programme=$_GET["programme"];
        $intake=$_GET["intake"];

    if ($programme!="")
    {
        $res=mysqli_query($link, "select * from intakes where intake_no = $programme");
        echo "<select id='intakedd' onChange='change_intake()'>";

        while($value = mysqli_fetch_assoc($res))
        {

        echo "<option value=".$value['ID'].">";
        echo $value["intake_list"];
        echo "</option>";
        }   
        echo "</select>";
    }

    if ($intake!="")
    {
        $res=mysqli_query($link, "select * from subject_list where subject_no = $intake");
        echo "<select>";

        while($value = mysqli_fetch_assoc($res))
        {

        echo "<option value=".$value['ID'].">";
        echo $value["subjects"];
        echo "</option>";
        }   
        echo "</select>";
    }

        ?>
lol
  • `yourpage.php?intake=1%20or%201=1`, now I have all your subjects. – Xorifelse Mar 25 '17 at 22:39
  • `yourpage.php?programme=1%20or%201=1`, now I have all your intakes. – Xorifelse Mar 25 '17 at 22:40
  • You really should check that one out, just for kicks. Then you should realize that this is just the tip of the iceberg. You can even merge the values of a table that contains all your database structure. Select any table to choose from and display that instead, including your users table. Now you will see you got a bigger problem on your hands. – Xorifelse Mar 25 '17 at 22:47
  • Oh and btw, I am not going to read through all that code. Got bigger fish to fry. Read up on how to create a [mcve], yes. That requires you to actually filter out the issue at hand. – Xorifelse Mar 25 '17 at 22:50

1 Answer

The reason you're getting an undefined index notice is because change_programme() only sends a ?programme= in the call to ajax.php, and change_intake() only sends a ?intake= in the call. However, in ajax.php, you're trying to get both from $_GET.

So, the call made from change_programme() will give you an undefined index notice for $_GET['intake'], because it really isn't supplied in the URL. The call made from change_intake() will give you an undefined index notice for $_GET['programme'], for the same reason.

You can fix this by checking if they're set:

    $programme = isset($_GET["programme"]) ? $_GET["programme"] : "";
    $intake = isset($_GET["intake"]) ? $_GET["intake"] : "";

This is shorthand for:

    if (isset($_GET["programme"])) {
        $programme = $_GET["programme"];
    } else {
        $programme = "";
    }

    if (isset($_GET["intake"])) {
        $intake = $_GET["intake"];
    } else {
        $intake = "";
    }

As a side note, never trust any input you get from a URL, especially if you're going to use it directly in a query. ~~Please pass the $programme and $intake variables through mysqli_real_escape_string() first~~ Please use a prepared statement with bound parameters instead, to reduce the chance of SQL injection attacks.

rickdenhaan
  • `mysqli_real_escape_string()` is broken. Only resolution is prepared statements. – Xorifelse Mar 26 '17 at 00:30
  • Well, yeah. He'll probably want to move to PDO at some stage as well. But that's a discussion that's completely unrelated to the question of "why am I getting notices about an undefined index". – rickdenhaan Mar 26 '17 at 20:39
  • I made that comment for you, to teach you something. Don't recommend broken methods. Also, [tag:mysqli] is perfectly capable of using prepared statements as well. – Xorifelse Mar 26 '17 at 20:46
  • Point taken. Do you have a link to more information about how it's broken (other than the basics of making sure you set the character set properly)? The first couple of pages in Google don't mention any problems with it. – rickdenhaan Mar 26 '17 at 20:49
  • Sort of, [this](http://stackoverflow.com/a/5200152/4982088) explains the basic stuff, I just can't find the link that shows how to play with character encoding breaking the entire thing. However, the [docs](http://php.net/manual/en/mysqli.real-escape-string.php) do warn about it. – Xorifelse Mar 26 '17 at 20:56
  • Thanks, I updated my answer with a suggestion to use a prepared statement. – rickdenhaan Mar 26 '17 at 21:04
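
The fix the answer and comments converge on, written out as an added example (not code from the question or the answer): `ajax.php` with the missing-parameter check and bound parameters in place of string concatenation. Connection values, table names and column names are the ones shown in the question; `h()` and `render_select()` are hypothetical helper names, and `mysqli_stmt_get_result()` assumes the mysqlnd driver.

```php
<?php
// ajax.php rewritten with validated input and prepared statements (added example).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // fail loudly on DB errors
$link = mysqli_connect('localhost', 'root', '', 'programmes'); // values from the question
mysqli_set_charset($link, 'utf8mb4');

// Hypothetical helper: HTML-escape any value before it is echoed into the page.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: run one fixed query with a bound integer and print the
// rows as <option> elements. $sql, $label and $attrs are constants supplied by
// the calls below, never request data.
function render_select($link, $sql, $id, $label, $attrs)
{
    $stmt = mysqli_prepare($link, $sql);
    mysqli_stmt_bind_param($stmt, 'i', $id); // the value travels apart from the SQL text
    mysqli_stmt_execute($stmt);
    $res = mysqli_stmt_get_result($stmt);

    echo "<select $attrs>";
    while ($row = mysqli_fetch_assoc($res)) {
        echo '<option value="' . h($row['ID']) . '">' . h($row[$label]) . '</option>';
    }
    echo '</select>';
    mysqli_stmt_close($stmt);
}

// filter_input() returns null when the parameter is absent (so no "undefined
// index" notice) and false when it is present but not an integer, which is
// what happens to a value such as "1 or 1=1".
$programme = filter_input(INPUT_GET, 'programme', FILTER_VALIDATE_INT);
$intake    = filter_input(INPUT_GET, 'intake', FILTER_VALIDATE_INT);

if ($programme === false || $intake === false) {
    http_response_code(400); // reject malformed IDs before any query runs
    exit;
}
if ($programme !== null) {
    render_select($link, 'SELECT ID, intake_list FROM intakes WHERE intake_no = ?',
        $programme, 'intake_list', 'id="intakedd" onChange="change_intake()"');
}
if ($intake !== null) {
    render_select($link, 'SELECT ID, subjects FROM subject_list WHERE subject_no = ?',
        $intake, 'subjects', '');
}
```

The integer check alone would stop the two URLs from the comments, but the bound parameter is what keeps the query safe if a later change loosens the validation.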