
I want to fetch data based on an AJAX call.

This is my code to get the id:

<h3> <a class='click' data-id='<?=$rows["id"];?>'><?=$rows['title'];?></a></h3>

This is my jquery code

 $(document).ready(function() {

    $(".click").on('click',function() {                
      var id= $(this).attr("data-id"); 
      alert(id);

      $.ajax({     
        type: "POST",
        url: "getevents.php", 
        data: {id:id}, 
        dataType: "html",                  
        success: function(response){                    
            console.log(response); 

        }
     });
 })})  
</script>

getevents.php

 <? 
    if(isset($_POST['id'])){
        echo  $_POST['id'] ; 
    }

    $singleevent = mysqli_query($link, 'SELECT * FROM `events` WHERE `id`=."'$id'"  ') or die('error');
    while($row=  mysqli_fetch_array($link , $singleevent)){
            print_r($row); 
    }

  ?> 

`$_POST['id']` gets printed in the console but not the response. I tried both echo and print_r() in the while loop, but nothing is in the response.

Please help me with this

Sikander
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 04 '17 at 12:58
  • Have you checked the network tab of the developer tools to see what was sent and what was returned? Are you connecting to the database and just shortening the code for us in getevents.php? – Jay Blanchard Oct 04 '17 at 12:59
  • For one thing, there's no need for a `while` loop *and* a `print_r()`. – Funk Forty Niner Oct 04 '17 at 13:01
  • Along with the other things mentioned, there's a syntax error in your query – Patrick Q Oct 04 '17 at 13:02
  • https://stackoverflow.com/questions/14918462/get-response-from-php-file-using-ajax read this – Aleksei Maide Oct 04 '17 at 13:03
  • You should have used error reporting; undefined variable. – Funk Forty Niner Oct 04 '17 at 13:04
  • @PatrickQ Lordie, that took me a while to spot it *lol!*. – Funk Forty Niner Oct 04 '17 at 13:04
  • Where are `$link` and `$id`? Also, test by replacing `$_POST` with `$_REQUEST` and putting the id in the URL, like `xyz.com?id=1` – Niklesh Raut Oct 04 '17 at 13:05
  • Check your errors first: `error_reporting(E_ALL);` – AZinkey Oct 04 '17 at 13:07
  • Check out my answer here and don't worry that the question is about IIS and ASP, the methodology for debugging AJAX is the same regardless of your server-side technology, https://stackoverflow.com/questions/21533285/why-the-ajax-script-is-not-running-on-iis-7-5-win-2008-r2-server/21617685#21617685 – MonkeyZeus Oct 04 '17 at 13:13

1 Answer


There are a couple of problems in your PHP. First, you forget to reassign the variable, then you improperly concatenate the variable in your query. You also probably do not want the query to run if the id is not set, so you need to re-arrange your brackets:

<? 
    if(isset($_POST['id'])){
        $id =  $_POST['id'] ; // set the variable for the query
        $singleevent = mysqli_query($link, "SELECT * FROM `events` WHERE `id` = $id") or die('error');
        $row=  mysqli_fetch_array($singleevent, MYSQLI_ASSOC);
        print_r($row); 
    }
?> 

I am assuming that your $link is a good and correct connection to your database. You also do not need a while loop, assuming that the id selects a single row of data. You also need to fetch the array properly, using the result of the query and MYSQLI_ASSOC like this:

$row=  mysqli_fetch_array($singleevent, MYSQLI_ASSOC);

Which I have included in the code block.

NOTE

If PHP short tags are not enabled you will need to change <? to <?php

WARNING

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Jay Blanchard
  • Just one small point here. If you're going to use `isset()` as the check instead of `empty()` (and I'm not arguing that choice, since 0 could be a valid id value), then you really should parameterize or quote the value in the query. It is possible for the parameter to be sent, but empty, which would break the query the way you have it now. – Patrick Q Oct 04 '17 at 13:27
  • You're correct, which is why I included the warning @PatrickQ. I expect the id is an integer of some sort, so didn't get overly worried about it. – Jay Blanchard Oct 04 '17 at 13:28
  • Okay, but I wouldn't consider an empty value to be an SQL injection attack. I really don't want to be _that guy_, but with the (perfectly valid) comments you left on the other answers, I would have expected a more robust answer, that actually _shows_ the right way to do it, not just saying that the way presented is not safe. /steps down from soapbox – Patrick Q Oct 04 '17 at 13:33
  • FWIW @PatrickQ I debated in my head whether or not to rewrite the OP's code and then took into consideration his rep, which means he has been around the block a little, before deciding to provide the essentials and including the information to make it all correct. This stems from a discussion on META about code rewrites. I appreciate your comments. – Jay Blanchard Oct 04 '17 at 13:43
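
The prepared-statement approach that the warning and the comments above point to, written out as an added example (not code from the question, the answer or any commenter). The connection credentials are placeholders and the JSON response format is an assumption; the table and column names are the ones in the question.

```php
<?php
// Added example: hardened getevents.php. Connection details are placeholders.

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

header('Content-Type: application/json; charset=utf-8');

// Validate the input: a missing, empty or non-integer id is rejected,
// while 0 remains a valid value (the case raised in the comments).
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    echo json_encode(['error' => 'id must be an integer']);
    exit;
}

try {
    // Placeholder credentials (assumption); the page never shows how $link is created.
    $link = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name');

    // The id is bound as a parameter, never concatenated into the SQL text.
    $stmt = mysqli_prepare($link, 'SELECT * FROM `events` WHERE `id` = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);

    $result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
    $row = mysqli_fetch_assoc($result);        // not an array when no row matches

    if (!is_array($row)) {
        http_response_code(404);
        echo json_encode(['error' => 'event not found']);
    } else {
        echo json_encode($row);
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; return only a generic message to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
}
```

With this response format the jQuery call would use `dataType: "json"`, and the 400/404/500 responses arrive in the `error` callback rather than `success`.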