
I am trying to calculate the daily sales figures for a shop and display them in a table on the web interface. I have been trying to correct the while loop so that it displays the information from my database onto the web interface, but thus far I have had no success. I am not sure if I am supposed to pass the variable from the controller class to the view. If someone could point out why this isn't working it would be much appreciated.

Error Message

Notice: Undefined variable: sales in E:\xampp\htdocs\CIT2318\Relational database and web integration\views\SalesFiguresView.php on line 27

Fatal error: Call to a member function fetch_assoc() on null in E:\xampp\htdocs\CIT2318\Relational database and web integration\views\SalesFiguresView.php on line 27

The model class

<?php
require_once('DAO.php');

class SalesFiguresModel extends DAO {

    protected $target = "frs_Payment";

    public function __construct() {
        parent::__construct();
    }

    public function getShop($payid, $amount, $paydatetime, $employeeid, $customerid, $pstatusid, $ptid) {
        $sql = "SELECT * FROM frs_Payment (payid, amount, paydatetime, empnin, custid, pstatusid, ptid) VALUES ($payid, $amount, '$paydatetime', '$employeeid', $customerid, $pstatusid, $ptid)";
        return parent::query($sql);
    }
}
?>

The controller class

<?php

session_start();
require_once("../models/SalesFiguresModel.php");
require_once("../views/SalesFiguresView.php");

if (isset($_POST["Submit"])) {
    $payid = $_POST["payid"];
    $amount = $_POST["amount"];
    $paydatetime = $_POST["paydatetime"];
    $empnin = $_POST["empnin"];
    $custid = $_POST["custid"];
    $pstatusid = $_POST["pstatusid"];
    $ptid = $_POST["ptid"];

    if (empty($payid)) {
        //header('Location: ../views/LoanView.php?error=1');
        $error = "Payment ID is required";
    } else {
        $sales = new SalesFiguresModel;
        $result = $sales->getShop($payid, $amount, $paydatetime, $empnin, $custid, $pstatusid, $ptid);
        $row = $result->fetch_assoc();
        $error = "";
        $_SESSION['payid'] = $row["payid"];
        $_SESSION['amount'] = $row["amount"];
        $_SESSION['paydate'] = $row["paydatetime"];
        $_SESSION['employeeid'] = $row["empnin"];
        $_SESSION['customerid'] = $row["custid"];
        $_SESSION['pstatus'] = $row["pstatusid"];
        $_SESSION['ptype'] = $row["ptid"];

        header('Location: ../views/MenuView.php');
    }
    echo "<hr>" . $error;
}

?>

The view

    <table border="1">
        <tr>
            <th>Payment ID</th>
            <th>Amount</th>
            <th>Date</th>
            <th>Employee ID</th>
            <th>Customer ID</th>
            <th>Payment Status</th>
            <th>Payment Type</th>
        </tr>

        <?php
        while ($row = $sales->fetch_assoc()) {
            echo
            "<tr>
              <td>{$row['payid']}</td>
              <td>{$row['amount']}</td>
              <td>{$row['paydatetime']}</td>
              <td>{$row['empnin']}</td>
              <td>{$row['custid']}</td>
              <td>{$row['pstatusid']}</td>
              <td>{$row['ptid']}</td>
            </tr>\n";
        }
        ?>

    </table>
</form>
</body>
</html>
Matthew
  • Your code is vulnerable to SQL injection attacks. You should use [mysqli](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php) prepared statements as described in [this post](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 13 '17 at 19:49
  • I am using mysqli_real_escape_string in my DAO. My model class extends the DAO. Is this not the correct procedure to prevent SQL injections? – Matthew Apr 13 '17 at 19:55
  • It is not. You should be using bound parameters as described in the linked post. – Alex Howansky Apr 13 '17 at 19:57
  • I will make the changes now then. Do you know how to resolve the issue that I am facing with regards to my question? – Matthew Apr 13 '17 at 20:14
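The point raised in the comments, as an added example that is not the asker's code or the DAO's: the interpolated query pattern from the question beside a mysqli prepared statement with a bound parameter, plus a view helper that receives the rows as a plain array instead of the model object. It assumes `$conn` is an open mysqli connection with mysqlnd available for `get_result()`, and uses the `frs_Payment` column names from the question.

```php
<?php
// Added example, not the question's or the DAO's code. Assumes $conn is an open mysqli
// connection (new mysqli(host, user, pass, db)) with mysqlnd available for get_result(),
// and the frs_Payment column names from the question.

// The pattern in the question: request values interpolated straight into the SQL string.
// mysqli_real_escape_string cannot protect an unquoted numeric field, and a failed query
// returns false, which is what makes a later fetch_assoc() call die.
function getPaymentsUnsafe(mysqli $conn, string $payid)
{
    $sql = "SELECT payid, amount, paydatetime, empnin, custid, pstatusid, ptid
            FROM frs_Payment WHERE payid = $payid";
    return $conn->query($sql); // mysqli_result or false
}

// What the commenters recommend: fixed statement text with the value bound as a parameter,
// so the input is only ever treated as data. Returns plain rows the controller can hand to
// the view, instead of a model object the view would have to call fetch_assoc() on.
function getPaymentsForDay(mysqli $conn, string $day): array
{
    $stmt = $conn->prepare(
        "SELECT payid, amount, paydatetime, empnin, custid, pstatusid, ptid
         FROM frs_Payment WHERE DATE(paydatetime) = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('s', $day); // 's' = string; use 'i' for integer columns such as payid
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// View side: iterate over the array the controller passed in and escape every cell,
// so a value stored in the database cannot inject markup into the table.
function renderSalesRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (['payid', 'amount', 'paydatetime', 'empnin', 'custid', 'pstatusid', 'ptid'] as $col) {
            $html .= '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html;
}

// Controller: $sales = getPaymentsForDay($conn, '2017-04-13');  View: echo renderSalesRows($sales);
```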

0 Answers