
Below is my code for two pages. Dashboard.php has an HTML table filled with 7 columns populated by my database. All are populated without any problem. In an 8th column, I have a hyperlink that says 'View'. When clicked, I want that hyperlink to use the value in the serialNumber column and then, when it opens up the Display.php page, I need my HTML tables to be filled by database values based on that serial number.

My query in display.php is meant to get the stageID from my staging table that corresponds with the serialNumber in the row where the hyperlink was clicked.

i.e., if the user hits 'View' on the row with 988809 as the serialNumber, the query should match that serial number in my staging table and select everything with that stageID and then fill my tables.

The debug statements for $_GET do echo the correct serialNumber from the line/link chosen, but on Display.php I only get my echo statements, no tables or data. How can I change my hyperlink or query to fix this?

Dashboard.php

<?php

include 'connectionDB.php';

$query1 = "SELECT * FROM staging;";
$result1 = mysqli_query($connect,$query1);
?>
<div class="dashboardTable">
<table style="border: 1px solid black;">
<tr>
    <th>Work Order Packet</th>
    <th>Work Order Number</th>
    <th>Date</th>
    <th>Utility</th>
    <th>Service Name</th>
    <th>Address</th>
    <th>Serial No.</th>
</tr>

<?php
 while($row = mysqli_fetch_array($result1)){
?>
<tr>
    <td><? echo $row['workOrderPacket'];?>&nbsp;</td>
    <td><? echo $row['workOrderNum'];?>&nbsp;</td>
    <td><? echo $row['date'];?>&nbsp;</td>
    <td><? echo $row['utility'];?>&nbsp;</td>
    <td><? echo $row['serviceName'];?>&nbsp;</td>
    <td><? echo $row['address'];?>&nbsp;</td>
    <td><? echo $row['serialNumber'];?>&nbsp;</td>
    <td><a href="Display.php?serialNumber=<? echo $row['serialNumber'];?>">view</a></td>
</tr>
<?}?>
</table>
</div>

Display.php

<?php

include 'connectionDB.php'; // provides $connect (omitted from the original post; see the comments)

if(isset($_GET['serialNumber']))
{

    $query1 = "SELECT * FROM staging WHERE stageID = ".$_GET['serialNumber'].";";
    $result1 = mysqli_query($connect,$query1);
    while($row = mysqli_fetch_array($result1)){
?>
    <div class="container">
<!--Title Line-->
<DIV class="title">
<h3>REPORT TITLE</h3>
</DIV>

<div class="TitleContainer" style="width: 100%;">
<!--Column 1 for header info-->
<DIV class="headerCol1">    
<table style=" float: left; border:none;
border-collapse:collapse;">
<tr style="border: none;">
<th style="border: none; text-align: left;">Account:</th>
<th style="border: none; text-align: right;"><? echo $row['accountNum'];?>&nbsp;</th>
</tr>
<tr style="border: none;">
<td style="border: none; text-align: left;">Date/Time:</td>
<td style="border: none; text-align: right;"><? echo $row['date'];?>,&nbsp;&nbsp;<?echo $row['timeTested'];?>&nbsp;</td>
</tr>
H.Norman
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Apr 12 '17 at 20:06
  • Start by removing the `print_r()` then ___Show us the code in the while loop___ – RiggsFolly Apr 12 '17 at 20:07
  • Ok I removed the print line and added a small snippet in the while loop, but there are about 1200 lines in that while loop that span 15 or 16 html tables that get filled from the database. But the snippet I added gives an idea – H.Norman Apr 12 '17 at 20:12
  • Are you including connectionDB.php in Display.php? – tkm256 Apr 12 '17 at 21:13
  • Yes, it's included in all my files I just didn't include it here since it was in the header – H.Norman Apr 12 '17 at 21:13
  • @RiggsFolly does the info in the while loop show my goal any better? I've used this exact same code with a drop down (containing serial numbers) and $_POST on display.php and it fills all of my tables perfectly. The only issue is using a hyperlink on a table and passing it with $_GET – H.Norman Apr 12 '17 at 22:05

1 Answer

1) Use the htmlspecialchars() function to avoid any problems of infiltration of your database -> http://php.net/manual/en/function.htmlspecialchars.php

2) If I understand well, it is the condition with the isset() which does not work well? If that's it, it is strange... Try maybe with

if(!empty($_GET['serialNumber'])) 
{
...
Pol
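The prepared-statement approach the comments point to, combined with the answer's htmlspecialchars() tip, written out as an added example for Display.php; it is not code from the question or the answer. It assumes connectionDB.php defines $connect (a mysqli connection) and that staging has the serialNumber, stageID, accountNum, date and timeTested columns named in the question.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes connectionDB.php
// defines $connect (mysqli) and that staging has the columns named in the question.
include 'connectionDB.php';

// Escape a value before it is placed in HTML, so stored data cannot inject markup.
function h($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

if (!isset($_GET['serialNumber']) || $_GET['serialNumber'] === '') {
    exit('No serial number supplied.');
}
$serial = $_GET['serialNumber'];

// Step 1: find the stageID that belongs to this serial number. The ? placeholder
// keeps the link's value out of the SQL text, so a tampered URL cannot alter the query.
$stmt = mysqli_prepare($connect, 'SELECT stageID FROM staging WHERE serialNumber = ?');
mysqli_stmt_bind_param($stmt, 's', $serial);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $stageID);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

if (!$found) {
    exit('No staging record for serial number ' . h($serial));
}

// Step 2: fetch every staging row with that stageID, again through a bound parameter
// (bound as a string; MySQL converts it if stageID is an integer column).
$stmt = mysqli_prepare($connect, 'SELECT * FROM staging WHERE stageID = ?');
mysqli_stmt_bind_param($stmt, 's', $stageID);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver

while ($row = mysqli_fetch_assoc($result)) {
?>
<table style="border: none; border-collapse: collapse;">
<tr><th style="text-align: left;">Account:</th><td><?php echo h($row['accountNum']); ?></td></tr>
<tr><td>Date/Time:</td><td><?php echo h($row['date']); ?>, <?php echo h($row['timeTested']); ?></td></tr>
</table>
<?php
}
mysqli_stmt_close($stmt);
```

The same pattern applies to the remaining tables in the loop: keep every user-supplied or database value out of the SQL text via bind_param and pass it through h() before echoing it.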