0

This is my PHP code

// category filter
    if(!isset($_POST['products']) || $_POST['products'] == ""){
        $category_filter = "";
    } else {
        $category_filter = " AND cat_id='".$_POST['products']."'";
    }

// offers filter
    if($_POST['offer'] != "YES")
    {
        $offer_filter = "";
    } else {
        $offer_filter = " AND offer=1"; 
    }

    $sql = $db->get_rows("
        SELECT *, ( 3959 * ACOS( COS( RADIANS(".$_POST['lat'].") ) * COS( RADIANS( latitude ) ) * COS( RADIANS( longitude ) - RADIANS(".$_POST['lng'].") ) + SIN( RADIANS(".$_POST['lat'].") ) * SIN( RADIANS( latitude ) ) ) ) AS distance 
        FROM stores 
    WHERE status=1 AND approved=1 ".$offer_filter." ".$category_filter." 
    HAVING distance <= ".$_POST['distance']." 
    ORDER BY distance ASC 
    LIMIT 0,60");

I am looking to get the correct value for $offer_filter in my SQL query above as is perfectly happening for $category_filter. I think I am missing out something somewhere... please if someone can help me with this...

The following is my HTML Code in the php index file for the checkbox input...

<input type="checkbox" name="offer" value="Yes" onChange="cachesearch = '';$('#clinic-finder-form').submit();"> Discount Offers Available
Joshua
  • 40,822
  • 8
  • 72
  • 132
Kamal Joshi
  • 1
  • 1
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Jun 13 '17 at 17:12
  • 1
    PHP is case-sensitive. You have `value="Yes"` in the HTML, but you test `$_POST['offer'] != "YES"`. Change them to be consistent and you should be OK. – Barmar Jun 13 '17 at 17:16
  • You could also just do `if (!isset($_POST['offer']))` since unchecked boxes aren't sent in the form. – Barmar Jun 13 '17 at 17:17
  • Thanks Barmar for your answer... I have tried both but what is happening is that both my checked as well as unchecked condition of the checkbox are throwing the same result e.g. when I am using (!isset($_POST['offer'])) both checked and uncheked box give me results that contain categories that are offering discounts as well as the one that do not offer discounts and if I change it to (isset($_POST['offer'])) both conditions show me the result of only categories offering the discounts :( – Kamal Joshi Jun 14 '17 at 00:34
  • Weather it is YES or Yes at both places it is not taking the value on posting.... No matter what value I am putting in both my HTML as well as my test condition it is not matching... I have even tried putting number 1 as the value of the checkbox... My observation is that on checking the box the value is not being read on submitting the form... Not able to understand why it is happening with only $_POST['offer'] – Kamal Joshi Jun 14 '17 at 01:14

0 Answers0