
The following code displays a BLANK PAGE when I hit the submit button. I have not a single idea what's wrong. Help check please.

The code below:

//The html code

<form method="post" action="dutydata.php">
   <input type="text" placeholder="provide unique code">
   <input type="submit" name="verify">
</form>

//the php code

<?php
    $conn = mysqli_connect("localhost", "root", "", "army_duty");
    $set = $_POST['verify'];
    if($set) {
        $show = "SELECT * FROM profile where military_number = '$set' ";
        $result = mysqli_query($conn, $show);
        while ($row = mysqli_fetch_array(result)) {
            echo $row['military_number'];
            echo $row['first_name'];
            echo $row['last_name'];
            echo $row['paygrade'];
            echo $row['duty_status'];
            echo $row['photo'];
            echo "<br/>";
        }
    } else {
      echo "Military Number not found";
    }
?>
Jay Blanchard
Bubu
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 23 '17 at 21:38
  • Have you checked your error logs? You're making an assumption the query is working. Add error checking, such as `or die(mysqli_error($conn))` to your queries. – Jay Blanchard Oct 23 '17 at 21:39

1 Answer


First, your input for the code needs a name:

<input type="text" name="code" placeholder="provide unique code">

This is what you will use in the query because $_POST['verify'] does not contain any value that you would want to use.

Second, you will want to use the $_POST['code'] number in your query:

$code = $_POST['code'];
if($set) {
    $show = "SELECT * FROM profile where military_number = '$code' ";

Make sure to check for errors:

$result = mysqli_query($conn, $show) or die(mysqli_error($conn));

If you want to know if something was returned from the query you test the result. Since you are only getting one record you can skip the while() loop:

if($result) {
    $row = mysqli_fetch_array($result);
    echo $row['military_number'];
    echo $row['first_name'];
    echo $row['last_name'];
    echo $row['paygrade'];
    echo $row['duty_status'];
    echo $row['photo'];
    echo "<br/>";
} else {
    echo "Military Number not found";
}

Warning!

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

Jay Blanchard
  • Thanks Jay. It worked! Only that I noticed another little problem. When I insert a wrong code (ie one that doesn't exist in the database), it displays a blank page instead of echoing the error message I defined for it. – Bubu Oct 23 '17 at 22:05
  • That's because your `else` is tied to `set`, not the result of the query. – Jay Blanchard Oct 23 '17 at 22:10
  • Forgive me, but that doesn't seem to be the reason. Firstly, it isn't tied to set; it's outside the set braces. Although I have tweaked it around just to make sure I did what you've asked, but no chance. Still didn't work please. – Bubu Oct 23 '17 at 22:30
  • Still no help with that. I have checked and cross-checked. – Bubu Oct 23 '17 at 23:45
  • Apologies, I was away after I left the last comment. With your code indented (as edited above) the `else` is the companion to `if($set)`, so you are testing the wrong item. I'll edit my code to show you what you should be after. – Jay Blanchard Oct 24 '17 at 11:45
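
The prepared-statement approach recommended in the answer's warning, as an added example that is not part of the original answer or comments. It assumes the page's `army_duty.profile` table, the input renamed to `name="code"`, PHP 7.4+ with the mysqlnd driver, and two hypothetical helper names (`find_profile`, `render_profile`); it decides "not found" from whether a row came back, which is the case raised in the comments.

```php
<?php
// Added example (not the answer's code). Helper names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

/**
 * Look up one profile row by military number with a prepared statement.
 * Returns the row as an associative array, or null when nothing matches.
 */
function find_profile(mysqli $conn, string $code): ?array
{
    // The ? placeholder keeps $code out of the SQL text, so quotes in the
    // submitted value cannot change the structure of the query.
    $stmt = mysqli_prepare(
        $conn,
        "SELECT military_number, first_name, last_name, paygrade, duty_status, photo
           FROM profile WHERE military_number = ?"
    );
    mysqli_stmt_bind_param($stmt, "s", $code);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
    $row = mysqli_fetch_assoc($result);      // null when zero rows matched
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

/** Build the output, escaping every column so stored values cannot inject markup. */
function render_profile(?array $row): string
{
    if ($row === null) {
        return "Military Number not found"; // a valid query with no match lands here
    }
    $cells = array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'),
        $row
    );
    return implode(" ", $cells) . "<br/>";
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $code = trim($_POST['code'] ?? ''); // the text field, not the submit button
    if ($code === '') {
        echo "Military Number not found";
    } else {
        $conn = mysqli_connect("localhost", "root", "", "army_duty");
        echo render_profile(find_profile($conn, $code));
    }
}
```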