
I am trying to make PHP search my database of parts by a part number that is generated in the HTML page and then output the price into a cell.
Here is my Ajax script and variable:

// Read the part number from the second cell of the row with id "test2"
var Row = document.getElementById("test2");
var Cells = Row.getElementsByTagName("td");
var $myPartNumber = Cells[1].innerText;

// POST it to the PHP script and drop the returned HTML into #price
$.ajax({
type: 'POST',
url: "http://localhost/filenamehere.php",
data: { Part_Number : $myPartNumber },
dataType: 'html',
async: true,
success: function(data) {
    $('#price').html(data);
}
});

Here is my PHP code:

$result = mysqli_query($con,"SELECT * FROM nipple_list where Part_Number='$myPartNumber' ");

echo "<table border='1'>
<tr>
<th>LDS Price $</th>
</tr>";

while($row = mysqli_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['LDS_Price_$'] . "</td>";
echo "</tr>";
}
echo "</table>";

I keep getting errors and warnings like:

Notice: Undefined variable: myPartNumber in C:\Apache24\htdocs\filenamehere.php on line 10

Praveen Kumar Purushothaman
  • change `"SELECT * FROM nipple_list where Part_Number='$myPartNumber' "` to `"SELECT * FROM nipple_list where Part_Number='$_POST['Part_Number']' "` – bassxzero Sep 20 '17 at 17:09
  • 1
    Also you should be using prepared queries. – bassxzero Sep 20 '17 at 17:10
  • I got this error: Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\Apache24\htdocs\filenamehere.php on line 10 – Chase Price Sep 20 '17 at 17:11
  • Sorry this `"SELECT * FROM nipple_list where Part_Number='{$_POST['Part_Number']}'"` – bassxzero Sep 20 '17 at 17:13
  • 1
    And here http://php.net/manual/en/mysqli.prepare.php – bassxzero Sep 20 '17 at 17:14
  • The database has over 1,000,000 different custom parts so I don't see the point in using a prepared query – Chase Price Sep 20 '17 at 17:14
  • It worked!!!!! Thank You so much!! – Chase Price Sep 20 '17 at 17:15
  • https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – bassxzero Sep 20 '17 at 17:16
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Sep 20 '17 at 17:25

1 Answer

Since you are using POST in your Ajax call, your values will be in the $_POST global in your PHP script.

Change

"SELECT * FROM nipple_list where Part_Number='$myPartNumber'"

to

"SELECT * FROM nipple_list where Part_Number='{$_POST['Part_Number']}'"

Also, you're at risk of an SQL injection; you should be using prepared queries. How can I prevent SQL injection in PHP?

bassxzero
  • I set on MySQL that the user "guest" has only the Select privilege for only that table and I have limited the amount of connections is that a good thing to do? – Chase Price Sep 20 '17 at 18:10
  • @ChasePrice in general the principle of least privilege is a good policy, but I don't think it's going stop everything in all cases. Do yourself a favor and just use prepared queries. It's quick and painless if you start using them from the beginning. – bassxzero Sep 20 '17 at 18:18
  • Okay Thanks, I really appreciate all the help!! – Chase Price Sep 20 '17 at 18:19
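The answer and the comments recommend prepared statements but never show what the lookup looks like once rewritten. The following is an added example, not code from the question or the answer: the same price lookup using a mysqli prepared statement with `bind_param`, which also resolves the original "Undefined variable" notice by reading the POSTed value explicitly. It assumes `$con` is an already-open mysqli connection, that the table and column names are the ones in the question (`nipple_list`, `Part_Number`, `LDS_Price_$`), and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example, not the asker's or answerer's code.
// Assumes $con is an open mysqli connection and the table/column names
// match the question (nipple_list, Part_Number, LDS_Price_$).

// Throw exceptions on mysqli errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Read the POSTed field explicitly. This is what the original code was
// missing: $myPartNumber was never assigned on the PHP side.
$partNumber = isset($_POST['Part_Number']) ? (string) $_POST['Part_Number'] : '';

if ($partNumber === '') {
    http_response_code(400);
    echo 'Missing Part_Number';
    exit;
}

// The part number is sent as a bound parameter (?), never interpolated into
// the SQL text, so a value such as  x' OR '1'='1  is matched literally
// against the column instead of changing the query.
$sql  = 'SELECT `LDS_Price_$` FROM `nipple_list` WHERE `Part_Number` = ?';
$stmt = $con->prepare($sql);
$stmt->bind_param('s', $partNumber);   // 's' = bind as a string
$stmt->execute();
$result = $stmt->get_result();         // requires mysqlnd

echo "<table border='1'><tr><th>LDS Price $</th></tr>";
while ($row = $result->fetch_assoc()) {
    // Escape the output as well: the cell is injected into the page with
    // $('#price').html(data), so database content must not carry raw HTML.
    $price = htmlspecialchars((string) $row['LDS_Price_$'], ENT_QUOTES, 'UTF-8');
    echo '<tr><td>' . $price . '</td></tr>';
}
echo '</table>';

$stmt->close();
```

Because the value is bound rather than spliced into the string, there is nothing to quote or escape on the SQL side, and the query plan is the same whether the table holds ten rows or the million parts mentioned in the comments; the size of the table has no bearing on whether binding is needed. The read-only `guest` account discussed in the comments is still worth keeping as a second layer, but it limits what a successful injection can do rather than preventing one.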