
I am creating a report which can display a chart dynamically when I modify the variable. What I do follows the steps below:

1. Input the variable date in the index.html form and pass the start date and end date to get_data.php.
2. get_data.php will, based on the posted variable date, run the SQL and get the array.
3. Based on the array from get_data.php, go back to index.html and display it as a chart.

All this will only happen in index.html; it won't go to get_data.php.

The error I am facing is that I can run get_data.php correctly, but the result can't be passed back to index.html and displayed correctly. My code is below:

index.html

<script type="text/javascript" src="https://canvasjs.com/assets/script/jquery-1.11.1.min.js"></script>
<script type="text/javascript" src="https://canvasjs.com/assets/script/canvasjs.min.js"></script> 
<script type="text/javascript">
window.onload = function () {
 var chart = new CanvasJS.Chart("chartContainer", { 
  theme: "theme2",
  title: {
   text: "User"
  },
  data: [
  {
   type: "column",
   dataPoints: [
    <?php require('last_month_report.php'); echo str_replace("}{", "},{", $dataset);?>
     
   ]
  }
  ]
 });
 chart.render();

 $("#apply").click(function() {
  var data = $("#report :input").serializeArray();
  $.post( $("#report").attr("action"), data, function(updatedata) {
   dataPoints.push(updatedata);
   chart.render();
   updateChart();
  });
 });

 $("#report").submit( function() {
  return false;
 }); 
};
</script>
<!DOCTYPE html>
<html> 
<body>
    <form action="get_data.php" method="post" id="report">
        <input type="date" name="start_date" id="start_date">
        <input type="date" name="end_date" id="end_date">
        <button id="apply" type="submit">Apply</button>
    </form>
    <div id="chartContainer"></div>
</body>
</html>

get_data.php

<?php
    $start_date = $_POST[start_date];
    $end_date = $_POST[end_date];
    $link=mysql_connect('localhost','root','123');
    mysql_set_charset('utf8', $link);
    $selectdb=mysql_select_db('test',$link);
    $sql="SELECT date,  user FROM `report` WHERE date >= '$start_date' and date <= '$end_date'";
    $result = mysql_query($sql, $link);

    $init=0;
    $num=mysql_num_rows($result);
    while ($init < $num) {
        $row=mysql_fetch_array($result);
        $dataset = $dataset . '{label: "' . $row[date] . '",y: ' . $row[date] . '}';
        $init++;
    }
?>
Anson_15
  • 1. `$_POST[index]` won't work but `$_POST["index"]` will. 2. **Stop** using deprecated `mysql_*` API. Use `mysqli_*` or PDO – B001ᛦ Nov 10 '17 at 15:35
  • Don't use the `mysql_*` functions. They have been deprecated since v5.5 (Jun 2013) and removed since v7.0 (Dec 2015). Instead use the [**mysqli_***](https://secure.php.net/manual/en/book.mysqli.php) or [**PDO**](https://secure.php.net/manual/en/book.pdo.php) functions with [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) and [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). – Alex Howansky Nov 10 '17 at 15:37
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 10 '17 at 15:37
  • @AlexHowansky I tried to test the get_data.php it works correctly but what I facing is that the result can't pass back to the index.html and display correctly – Anson_15 Nov 11 '17 at 16:16
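Putting the three-step flow from the question together with the prepared-statement advice in the comments, here is an added example of a hardened get_data.php. It is not the asker's code or anything from CanvasJS; it assumes a PDO-enabled MySQL server, the `report` table with `date` and `user` columns named in the question (with `user` assumed to be the numeric value to plot), and placeholder credentials that need replacing. It validates both dates before they go anywhere near SQL, binds them as parameters instead of interpolating them, and returns a JSON array the browser can hand straight to the chart.

```php
<?php
// get_data.php, hardened version (added example, not the asker's code).
// Assumptions: PDO with the MySQL driver, table `report` with columns `date` and `user`
// (names from the question; `user` assumed numeric), placeholder DSN and credentials.
declare(strict_types=1);

header('Content-Type: application/json; charset=utf-8');

// Accept only YYYY-MM-DD that round-trips through DateTime, so values such as
// "2017-02-30" or "2017-11-01' OR 1=1" are rejected before any query is built.
function parse_date(?string $value): ?string
{
    if ($value === null || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        return null;
    }
    $d = DateTime::createFromFormat('!Y-m-d', $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : null;
}

// Quoted keys: $_POST[start_date] (a bare word) is the bug the answer points out.
$start = parse_date($_POST['start_date'] ?? null);
$end   = parse_date($_POST['end_date'] ?? null);

if ($start === null || $end === null || $start > $end) {
    http_response_code(400);
    echo json_encode(['error' => 'start_date and end_date must be YYYY-MM-DD with start <= end']);
    exit;
}

try {
    // ERRMODE_EXCEPTION so a failed query surfaces as an error instead of an empty chart;
    // emulated prepares off so the server, not the driver, does the parameter binding.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=test;charset=utf8mb4',
        'report_reader',   // placeholder: a least-privilege account with SELECT on `report` only
        'CHANGE_ME',       // placeholder password
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );

    // The dates travel to MySQL as bound parameters, separate from the SQL text,
    // so whatever the form sends cannot change the shape of the statement.
    $stmt = $pdo->prepare(
        'SELECT `date`, `user` FROM `report` WHERE `date` BETWEEN :start AND :end ORDER BY `date`'
    );
    $stmt->execute([':start' => $start, ':end' => $end]);

    $dataPoints = [];
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        // CanvasJS column points are {label, y}; y is the value, the date is only the label
        // (the question's snippet used $row[date] for both).
        $dataPoints[] = ['label' => $row['date'], 'y' => (int) $row['user']];
    }

    // json_encode does the quoting, so no str_replace("}{", "},{") glue is needed.
    echo json_encode($dataPoints);
} catch (PDOException $e) {
    // Keep driver detail in the server log; the browser only gets a generic message,
    // so schema and credential hints never reach the client.
    error_log('get_data.php: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
}
```

On the browser side this pairs with `$.post($("#report").attr("action"), data, callback, 'json')` so jQuery parses the response, after which the callback assigns the array to `chart.options.data[0].dataPoints` and calls `chart.render()`; the question's `dataPoints.push(updatedata)` refers to a variable that does not exist in its script, which is one reason nothing reaches the chart. The `<?php require(...) ?>` inside index.html only executes if the server processes that file as PHP, so either rename it to index.php or let this endpoint supply the initial points too.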

1 Answer


These won't work:

     $start_date = $_POST[start_date];
     $end_date = $_POST[end_date];

The quotes (`" "`) are missing; it should be:

     $start_date = $_POST["start_date"];
     $end_date = $_POST["end_date"];