
I'm becoming quite a regular on here...

I am trying to dynamically print out a table in PHP depending on what results are found with a MySQL statement.

See the code below; I am getting the error below:

[Fri Jun 09 18:51:32.478737 2017] [fcgid:warn] [pid 63368] [client 5.69.190.95:64631] mod_fcgid: stderr: PHP Parse error: syntax error, unexpected 'showhistory' (T_STRING), expecting ',' or ';' in /home/tools/public_html/searchhistory.php on line 84, referer: http://tools.cidetech.co.uk/history.php

It seems to have a problem with just the "form" building inside of the loop. I have no problems up until this line -

 echo " <td><form method="POST" action="showhistory.php">
                                                       <input type="hidden" name="id_director" value=".$row["id"]"
                                                       </form></td> "; 

I can't seem to figure out where I am going wrong. This would work fine in just pure HTML, however it needs to be inside of the MySQL/PHP part as I need to pass the row id through inside of the button.

To be specific, it is this part of the code I am struggling with:

 for ($i = 0; $i < count($idArray); $i++)
        {
                        $sql="SELECT * FROM history WHERE id LIKE '%{$idArray[$i]}%'";
                        $result=$con->query($sql);

                                        while($row=$result->fetch_assoc())
                                        {
                                                 echo "<tr>";
                                                 echo "<td><pre>".$row["id"]."</pre></td>";
                                                 echo "<td><pre>".$row["date"]."</pre></td>";
                                                 echo "<td><pre>".$row["domain"]."</pre></td>";
                                                 echo " <td><form method="POST" action="showhistory.php">
                                                       <input type="hidden" name="id_director" value=".$row["id"]"
                                                       </form></td> ";         
                                        }
                }
                echo "</table>";
                mysqli_close($con);

   ?>

The full code can be seen here

   <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
  <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>
  <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
  <link rel="stylesheet" type="text/css" href="stylesheet.css">
  <meta http-equiv="content-type" content="text/html; charset=windows-1250">
  <meta name="generator" content="PSPad editor, www.pspad.com">
  <title>CWCS Domain Checker Tool</title>
</head>
<body>
  <div class="header">
    <a href="index.php">
  <img src="cwcs-logo.png">
  </a>
</div>
  <hr/>
<div class="searchform">
<form action="searchhistory.php" method="post">
<label for="domain"> <input class="submit" type="text" name="domain" /> </label>
<input class="submitbutton" type="submit" name="search" value="Search for Domain" />
  </form>
</div>
<?php
#define connection info/variables needed
$servername = "localhost";
$username = "";
$password = "";
$dbname = "domainhistory";
$domain = $_POST['domain'];
$idArray = array();
#creates mysql connection
$con=new mysqli($servername,$username,$password,$dbname);
  if($con->connect_error)
  {
        echo 'Connection Failed: '.$con->connect_error;
  }
  else
  {
        $sql="SELECT * FROM history WHERE domain LIKE '%{$domain}%'";
        $result=$con->query($sql);
        #Pushes the ID of the mysql row into an array
        while($row=$result->fetch_assoc())
         {
           array_push($idArray,$row["id"]);
         }
    }
  mysqli_close($con);
?>
<!---prints out the ID's stored in the array -->
  <?php
  $servername = "localhost";
  $username = "";
  $password = "";
  $dbname = "domainhistory";
  $con=new mysqli($servername,$username,$password,$dbname);
  if($con->connect_error)
  {
        echo 'Connection Failed: '.$con->connect_error;
  }
  else
  {
  }
  echo "<table>";
  echo "<tr>";
  echo "<th> ID </th>";
  echo "<th> Domain</th>";
  echo "<th> Date </th>";
  echo "</tr>";

## - loops through the ID array, and then prints out the data relating to that ID.
  for ($i = 0; $i < count($idArray); $i++)
        {
                        $sql="SELECT * FROM history WHERE id LIKE '%{$idArray[$i]}%'";
                        $result=$con->query($sql);

                                        while($row=$result->fetch_assoc())
                                        {
                                                 echo "<tr>";
                                                 echo "<td><pre>".$row["id"]."</pre></td>";
                                                 echo "<td><pre>".$row["date"]."</pre></td>";
                                                 echo "<td><pre>".$row["domain"]."</pre></td>";
                                                 echo " <td><form method="POST" action="showhistory.php">
                                                       <input type="hidden" name="id_director" value=".$row["id"]"
                                                       </form></td> ";         
                                        }
                }
                echo "</table>";
                mysqli_close($con);

   ?>


</body>
</html>
TheOne745665
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Jun 09 '17 at 18:02
  • There is no INSERT statement in this code? My understanding from that and the post you shared is you are only vulnerable when INSERT'ing into a MySQL table? (I know it's off topic, but would be handy to have clarification) – TheOne745665 Jun 09 '17 at 18:07
  • No, SQL injection can occur on any statement. Note what your query will be if `$domain` is `'; DROP TABLE history;--` – Alex Howansky Jun 09 '17 at 18:10
  • Ah, I see what you mean. It's not relevant to this application as it will be on a closed network only accessible from our office IP, but it is always handy to know best practice. – TheOne745665 Jun 09 '17 at 18:14
  • You need to escape your quotes, and you're also not closing your `input` tag. – WheatBeak Jun 09 '17 at 18:33

1 Answer


You should use ' instead of " for your string in PHP, because you have the " used in the HTML markup and the " you use for echo.

jeremy
  • There is a lot of "" flying around, are you referring to around the
    (so the POST and showhistory) parts? If so I have just tried this and get an (T_CONSTANT_ENCAPSED_STRING), expecting error
    – TheOne745665 Jun 09 '17 at 18:24
  • while($row=$result->fetch_assoc()) { echo '"; echo ''.$row["id"].''; echo ''.$row["date"]."'; echo ''.$row["domain"].''; echo '
    '; } Something like this. You can keep the " used for the html markup and ' for the quoting of the php string for the echo
    – jeremy Jun 09 '17 at 18:26
  • This worked and got rid of the error. The page now loads, however I cannot see the button. It should appear as the 4th column. – TheOne745665 Jun 09 '17 at 18:32
  • You define only 3 columns for your table: ID, Domain and Date. And inside your form there is only an input hidden field. – jeremy Jun 09 '17 at 18:43
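
The fixes suggested in the comments and answer above, combined in one added example (not code from the question or the answer): single-quoted PHP strings around the HTML, a closed `input` tag with a submit button and a fourth header, output escaped with `htmlspecialchars`, and the search term bound through a PDO prepared statement. An in-memory SQLite database with constructed rows stands in for the MySQL `domainhistory` database so the script runs offline; the `h()` and `renderHistoryTable()` names and the button label are assumptions.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for the
// MySQL "domainhistory" database so this runs offline; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE history (id INTEGER PRIMARY KEY, date TEXT, domain TEXT)');
$pdo->exec("INSERT INTO history (date, domain) VALUES
    ('2017-06-01', 'example.com'),
    ('2017-06-02', 'shop.example.com'),
    ('2017-06-03', '<b>odd</b>.example.net')");

// Escape a value for HTML text and attribute contexts (quotes included).
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Build the result table for one search term. The term is bound as a
// parameter, so quotes or SQL inside it are matched as data, never parsed.
function renderHistoryTable(PDO $pdo, string $domain): string
{
    $stmt = $pdo->prepare('SELECT id, date, domain FROM history WHERE domain LIKE ?');
    $stmt->execute(['%' . $domain . '%']);

    $html = "<table>\n<tr><th>ID</th><th>Date</th><th>Domain</th><th>History</th></tr>\n";
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // Single-quoted PHP strings let the HTML keep its double quotes.
        $html .= '<tr>'
            . '<td><pre>' . h($row['id']) . '</pre></td>'
            . '<td><pre>' . h($row['date']) . '</pre></td>'
            . '<td><pre>' . h($row['domain']) . '</pre></td>'
            . '<td><form method="POST" action="showhistory.php">'
            . '<input type="hidden" name="id_director" value="' . h($row['id']) . '">'
            . '<input type="submit" value="Show history">'
            . '</form></td>'
            . "</tr>\n";
    }
    return $html . "</table>\n";
}

// A normal search term (in the page's script this would be $_POST['domain']).
echo renderHistoryTable($pdo, 'example.com');
// The string from the comments above is now only a search term with no matches.
echo renderHistoryTable($pdo, "'; DROP TABLE history;--");
// The table is still queryable afterwards.
echo $pdo->query('SELECT COUNT(*) FROM history')->fetchColumn(), " rows remain\n";
```

A single query replaces the two-pass ID lookup from the question, and the third constructed row shows markup stored in the database being rendered as text rather than as HTML.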