
My first question: if a query returns an empty set, what's the best way to do an action based on that? Such as just printing a message saying so? The way I have it set up right now is that if an empty set is returned, nothing is displayed. I tried something like this, `if (mysql_num_rows($sql)==0) { echo "None"; }`, but that didn't seem to work. I tried placing that after the foreach and before.

(`$own = $_POST['flight'];`, `flight` comes from a drop-down list)

```php
<p align="center">List of passengers on that flight: <br>
<?php
    // The method name must be a quoted string; a bare POST is an undefined constant.
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // Value submitted by the drop-down list, concatenated into the query below.
        $own = $_POST['flight'];
        $sql = "SELECT firstName, lastName FROM passenger, flight, manifest WHERE flight.flightnum = 
        manifest.flightnum AND manifest.passnum = passenger.passnum AND flight.flightnum = '".$own."'";

        foreach ($connection->query($sql) as $row) {
            echo $row['firstName']. " ". $row['lastName'];
            echo '<br>';
        }
    }
?>
</p>
```

Next, I was confused about how to make an action-triggered button. I want to display this (down below) after a button is clicked. I tried making a button like this (which worked fine), `<button onclick="myFunction()">Click me</button> <p id="demo"></p>`, but I can't figure out how to write the script for it.

```php
<p align="center">List of all passengers: <br>
<?php
    $sqlRequest = "SELECT firstName, lastName FROM passenger ORDER BY lastName";
    $result = $connection->query($sqlRequest); //save result

    if ($result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            echo $row["firstName"]. " ". $row["lastName"]. "<br>";
        }
    }
?>
</p>
```

Sorry for sticking two questions into one. Seemed like a good idea instead of making two separate threads.

Jonathan Hall
  • Your code is vulnerable to SQL injection attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 14 '17 at 02:04
  • I know, but there's no place where I ask user to input any text. So I didn't think I would need it for this. I wanted to get it working first, then go back and make it the way it should be. –  Apr 14 '17 at 02:08
  • _"but there's no place where I ask user to input any text."_ `$own = $_POST['flight'];` – Alex Howansky Apr 14 '17 at 02:09
  • Sorry, `flight` comes from a drop-down list created. –  Apr 14 '17 at 02:12
  • That is user-provided. Don't ever trust input from the user. I can create a POST that sends a string in that variable. – Alex Howansky Apr 14 '17 at 02:13
  • User-provided data is _not_ just text fields. It's **everything** in `$_GET` and `$_POST` and a bunch of things in `$_SERVER`. – Alex Howansky Apr 14 '17 at 02:15
  • Ooh, okay. I had no idea. Will be fixing that asap. Thanks! –  Apr 14 '17 at 02:23
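
Added example, not part of the original thread: the flight lookup from the question rewritten with a PDO prepared statement and a bound parameter, as the comments recommend, with the empty result set handled explicitly. The in-memory SQLite database, the sample rows, and the helper names `passengersOnFlight` and `renderPassengers` are assumptions made so the snippet runs offline; the original uses a MySQL connection.

```php
<?php
// Constructed schema and rows in an in-memory SQLite database stand in for
// the page's MySQL tables (assumption, so the example runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE passenger (passnum INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT);
            CREATE TABLE flight (flightnum TEXT PRIMARY KEY);
            CREATE TABLE manifest (flightnum TEXT, passnum INTEGER);
            INSERT INTO passenger VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', 'Turing');
            INSERT INTO flight VALUES ('AA100'), ('BA200');
            INSERT INTO manifest VALUES ('AA100', 1), ('BA200', 2);");

// Hypothetical helper: passenger names for one flight number.
function passengersOnFlight(PDO $pdo, string $flightnum): array
{
    // The value is bound as data; it never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT firstName, lastName
           FROM passenger, flight, manifest
          WHERE flight.flightnum = manifest.flightnum
            AND manifest.passnum = passenger.passnum
            AND flight.flightnum = :flightnum
          ORDER BY lastName'
    );
    $stmt->execute([':flightnum' => $flightnum]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hypothetical helper: HTML for the list, or a message when no rows came back.
function renderPassengers(array $rows): string
{
    if (count($rows) === 0) {
        return 'None';
    }
    $lines = [];
    foreach ($rows as $row) {
        // Escape on output so stored names cannot inject markup.
        $name = $row['firstName'] . ' ' . $row['lastName'];
        $lines[] = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    }
    return implode('<br>', $lines);
}

// Constructed inputs: a listed flight, an unknown flight, and a value with
// quote characters that the bound parameter treats as plain data.
foreach (['AA100', 'ZZ999', "AA100' OR '1'='1"] as $flight) {
    echo $flight, ' => ', renderPassengers(passengersOnFlight($pdo, $flight)), PHP_EOL;
}
```

In the page's handler, `$_POST['flight']` would be passed as the second argument; because the drop-down's options can be bypassed by any client, the value can also be checked against the `flight` table before use.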

1 Answer

Answering your second question:

I split your task into 2 parts: server-side (getlist.php) and client-side (getlist.html). And we will use jQuery in the client-side script.

getlist.html:

```html
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<p align="center">List of all passengers: <br>
<span id="span-list"></span>
</p>
<button id="btn-update">Update List</button>
<script>
  $("#btn-update").click(function(){
    $.ajax({
      type: "GET",
      url: "getlist.php",
      success: function(msg){
        $("#span-list").html(msg);
      }
    })
  })
</script>
```

getlist.php:

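```php
<?php
    // $connection is not defined in this snippet: open the mysqli connection
    // (or include the file that does) before running the query.
    $sqlRequest = "SELECT firstName, lastName FROM passenger ORDER BY lastName";
    $result = $connection->query($sqlRequest); //save result

    if ($result->num_rows > 0) {
        while ($row = $result->fetch_assoc()) {
            echo $row["firstName"]. " ". $row["lastName"]. "<br>";
        }
    }
?>
```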
diavolic