With the following code, a popup table should appear with SQL query data, only when retrieved records are greater than 1.

    $sql = "SELECT * FROM pt_locations WHERE country = ('$countryCode') AND location = ('$cityCode')";
    $result = $conn->query($sql);

    $rowcount=mysqli_num_rows($result);

    $message = "Records found: " . $rowcount . "<br /><br />";

    if ($rowcount > 1) {

        echo '<script language="javascript">';
        echo 'alert' .$message;

        foreach($result as $val){

            $id_country = $val["country"] ;
            $id_code = $val["code"] ;
            $id_location = $val["location"] ;
            $id_latitude = $val["latitude"] ;
            $id_longitude = $val["longitude"] ;

            echo "<table border='1' cellpadding='5'>";
            echo "<tr>";
            echo "<td><i><strong>ID Code</strong></i></td><td>";
            echo $id_code."</td>";
            echo "<td><i><strong>Country</strong></i></td><td>";
            echo $id_country."</td>";
            echo "<td><i><strong>Code</strong></i></td><td>";
            echo $code."</td>";
            echo "<td><i><strong>Location</strong></i></td><td>";
            echo $id_location."</td>";
            echo "<td><i><strong>Latitude</strong></i></td><td>";
            echo $id_latitude."</td>";
            echo "<td><i><strong>Longitude</strong></i></td><td>";
            echo $id_longitude."</td>";
            echo "</tr>";
            echo "</table><br /><br />";
        }
        echo '</script>';
    }

The record counts are done correctly, but I cannot make the popup appear in any way.

  • 4
    This is extremely bad practice of mixing server and client side scripting. – Sterling Archer Nov 17 '17 at 20:26
  • 1
    I think you are missing mysqli_fetch_assoc function. – Vinay Sharma Nov 17 '17 at 20:28
  • 1
    Will HTML in a `script` tag work? I've never seen that. Also the `alert` should be `alert('string');`. Please also parameterize your query. @VinaySharma Good point, although that is only 1 of many issues this user is going to have. – chris85 Nov 17 '17 at 20:29
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Nov 17 '17 at 20:31
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Nov 17 '17 at 20:31
  • An `alert` prompt definitely won't support formatting like that. – Patrick Q Nov 17 '17 at 20:31
  • 2
    go to the browser console, you should see a lot of errors – Forbs Nov 17 '17 at 20:32
  • Alert will show any HTML as plain text. Make a `
    ` and pop it open with some jQuery or CSS animation.
    – tadman Nov 17 '17 at 20:32
  • Precisely by deleting the alert script, the foreach table is displayed correctly. The problem is I cannot make it become a popup. – Idea Project Nov 17 '17 at 20:34
  • The line with `echo "alert"` should throw JavaScript exception as the valid syntax is `alert()`, check the debug console output. Learn also about [SQL injections](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work/332367#332367), the code most probably introduces a very classical one. – void Nov 17 '17 at 20:37
  • Look into using modals/dialogs in jQuery – Patrick Q Nov 17 '17 at 20:41
  • In the console I find the following error: Uncaught SyntaxError: Unexpected identifier. – Idea Project Nov 17 '17 at 20:43

2 Answers

Try this. Hope this helps you.

    $sql = "SELECT * FROM pt_locations WHERE country = ('country') AND location = ('location')";
    $result = $conn->query($sql);

    $rowcount=mysqli_num_rows($result);

    $message = "Records found: " . $rowcount;

    if ($rowcount > 1) {

        echo '<script language="javascript">';
        echo 'alert("'.$message.'")';
        echo '</script>';

        while($val=mysqli_fetch_assoc($result)){

            $id_country = $val["country"] ;
            $id_code = $val["code"] ;
            $id_location = $val["location"] ;
            $id_latitude = $val["latitude"] ;
            $id_longitude = $val["longitude"] ;

            echo "<table border='1' cellpadding='5'>";
            echo "<tr>";
            echo "<td><i><strong>ID Code</strong></i></td><td>";
            echo $id_code."</td>";
            echo "<td><i><strong>Country</strong></i></td><td>";
            echo $id_country."</td>";
            echo "<td><i><strong>Code</strong></i></td><td>";
            echo $code."</td>";
            echo "<td><i><strong>Location</strong></i></td><td>";
            echo $id_location."</td>";
            echo "<td><i><strong>Latitude</strong></i></td><td>";
            echo $id_latitude."</td>";
            echo "<td><i><strong>Longitude</strong></i></td><td>";
            echo $id_longitude."</td>";
            echo "</tr>";
            echo "</table><br /><br />";
        }
    }

Vinay Sharma

There are some errors. Logically, you must put the alert at the end, after the complete table. You also wrote the alert without brackets, and you open a script before the foreach loop and close it after the foreach loop, which is absolutely wrong. Another error is in the $message: you are using br inside a JavaScript alert, which isn't recognized as HTML but just as characters; at the least you can use unicode \n\t, not br. I also used a setTimeout, but it works without setTimeout too.

Sometimes it can be essential to use JavaScript injection inside the PHP, for example to autofill some forms and select inputs, or to trigger a change event from another application that passes variables in GET and needs to autofill a form, but I think in this case it is not necessary to do a JavaScript injection; you can print the total records just in the page. Anyway, the code below works. Bye

        $message = "Records found: " . $rowcount." \\n\t\\n\t";
        if ($rowcount > 1) {

            foreach($result as $val){ 
                //var_dump($val);
                $id_country = $val["country"] ;
                $id_code = $val["code"] ;
                $id_location = $val["location"] ;
                $id_latitude = $val["latitude"] ;
                $id_longitude = $val["longitude"] ;

                echo "<table border='1' cellpadding='5'>";
                echo "<tr>";
                echo "<td><i><strong>ID Code</strong></i></td><td>";
                echo $id_code."</td>";
                echo "<td><i><strong>Country</strong></i></td><td>";
                echo $id_country."</td>";
                echo "<td><i><strong>Code</strong></i></td><td>";
                echo $code."</td>";
                echo "<td><i><strong>Location</strong></i></td><td>";
                echo $id_location."</td>";
                echo "<td><i><strong>Latitude</strong></i></td><td>";
                echo $id_latitude."</td>";
                echo "<td><i><strong>Longitude</strong></i></td><td>";
                echo $id_longitude."</td>";
                echo "</tr>";
                echo "</table><br /><br />";
            } 
            $jvsVar = "<script type='text/javascript'>;setTimeout(function(){alert('$message');},100)</script>";
            echo $jvsVar;
        }
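
The parameterized query that the comments on the question ask for, combined with escaped table output and a safely encoded alert message, as an added example that is not part of the original question or answers. The function names `find_locations`, `render_table` and `alert_script` are hypothetical, and the rows are constructed sample data so the rendering part runs without a database.

```php
<?php
// Added example (hypothetical names). User values are bound, never interpolated into the SQL.
function find_locations(mysqli $conn, string $countryCode, string $cityCode): array
{
    $stmt = $conn->prepare(
        'SELECT country, code, location, latitude, longitude
           FROM pt_locations WHERE country = ? AND location = ?'
    );
    $stmt->bind_param('ss', $countryCode, $cityCode);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}

// HTML-escape every cell so stored data cannot inject markup into the page.
function render_table(array $rows): string
{
    $cols = ['code' => 'Code', 'country' => 'Country', 'location' => 'Location',
             'latitude' => 'Latitude', 'longitude' => 'Longitude'];
    $html = "<table border='1' cellpadding='5'>\n<tr>";
    foreach ($cols as $label) {
        $html .= "<th>$label</th>";
    }
    $html .= "</tr>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach (array_keys($cols) as $key) {
            $html .= '<td>' . htmlspecialchars((string) ($row[$key] ?? ''), ENT_QUOTES, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

// json_encode emits a valid JS string literal; the HEX flags keep "</script>" and quotes inert.
function alert_script(string $message): string
{
    $js = json_encode($message, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>alert($js);</script>\n";
}

// Constructed sample rows standing in for find_locations($conn, $countryCode, $cityCode).
$rows = [
    ['country' => 'IT', 'code' => 'RM1', 'location' => 'Roma', 'latitude' => '41.90', 'longitude' => '12.49'],
    ['country' => 'IT', 'code' => 'RM2', 'location' => "Roma <b>Nord</b> & 'Est'", 'latitude' => '41.95', 'longitude' => '12.50'],
];
if (count($rows) > 1) {
    echo render_table($rows);                                      // table is plain HTML, outside any <script>
    echo alert_script('Records found: ' . count($rows) . "\n");    // alert carries text only
}
```

The second sample row is rendered with its markup shown as literal text (`&lt;b&gt;Nord&lt;/b&gt;`), which is the behaviour to check for when reviewing pages that echo database values.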