
I am looking to have what my 'echo' line is, but if there is more than one match to the FSC/NIIN field then it should show me the additional matches.

There is more than one part number listed for some FSC/NIIN fields; I am working towards having it show those additional part numbers that match the stock number (FSC/NIIN).

```php
<?php

require "conn.php";
$FSC = $_POST["FSC"];
$NIIN = $_POST["NIIN"];
// POST values are interpolated straight into the SQL text (see the comments below)
$mysql_qry = "select * from MYTAB where FSC like '$FSC' and NIIN like '$NIIN';";
$result = mysqli_query($conn, $mysql_qry);

if (mysqli_num_rows($result) > 0) {
    // Only the first matching row is fetched; any further part numbers are never shown
    $row = mysqli_fetch_assoc($result);
    $PART_NUMBER = $row["PART_NUMBER"];
    $FSC = $row["FSC"];
    $NIIN = $row["NIIN"];
    $ITEM_NAME = $row["ITEM_NAME"];

    echo $ITEM_NAME, ", " .$PART_NUMBER, ", " .$FSC, ", " .$NIIN;
} else {
    echo "Query Failed! - No such NSN is loaded to the database! Please double check the information is correct and resubmit request...";
}

// The connection variable is $conn (from conn.php), not $con
mysqli_close($conn);
```
Dharman
  • [Little Bobby](http://bobby-tables.com/) says **[your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)**. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – rollstuhlfahrer Jan 23 '18 at 18:32
  • `while ($row = mysqli_fetch_result($result)) { ...code here }` – Blue Jan 23 '18 at 18:33
  • I was unaware of SQL Injection Attacks, I'll have to do some digging into it. For my application, the connection username will only have read rights. Should I still worry? –  Jan 23 '18 at 18:44
  • @Newb2Java yes, because an attacker can still read all tables that are accessible by your database user. – rollstuhlfahrer Jan 23 '18 at 18:52
  • @rollstuhlfahrer, Wow, that's crazy, I'll need to work on this for sure then. –  Jan 23 '18 at 18:54

1 Answer


You need to loop the results:

```php
// ...
if (mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) { // <----- fetch every matching row, not just the first
        $PART_NUMBER = $row["PART_NUMBER"];
        $FSC = $row["FSC"];
        $NIIN = $row["NIIN"];
        $ITEM_NAME = $row["ITEM_NAME"];

        echo $ITEM_NAME, ", " .$PART_NUMBER, ", " .$FSC, ", " .$NIIN;
    }
} else {
// ...
```

And you should use prepared statements; take a look at how to here: How can I prevent SQL injection in PHP?

Felippe Duarte
  • If I'm reading that right then I basically need to have my Android application send the post request in the URLEncoder.encode string to the server? As I've said I'm pretty new to writing code, so if I can learn the right way to patch holes before they become an issue that's a big plus for me :) –  Jan 23 '18 at 18:52
  • I'm not an Android programmer, but I guess you are right. All you need is to send a POST request to the PHP page and it will work. Follow the instructions to avoid SQL injection and then your code is OK to go to production (at least this piece). – Felippe Duarte Jan 23 '18 at 18:55
  • I'll have to do some playing around with it and see if I can make that happen then. Time for some trial and error haha. –  Jan 23 '18 at 18:58
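Putting the answer's two points together, here is the lookup rewritten with a mysqli prepared statement and a fetch loop. This is an added example, not the asker's or the answerer's code; it assumes conn.php defines `$conn` as a mysqli connection, that the mysqlnd driver is available (needed for `get_result()`), and the table and column names from the question.

```php
<?php
// Added example: every PART_NUMBER for one FSC/NIIN is printed, and the POST
// values are bound as parameters so they never become part of the SQL text.
require "conn.php"; // assumed to provide $conn (mysqli)

// Throw on SQL errors instead of silently returning false from query calls
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$FSC  = $_POST["FSC"]  ?? '';
$NIIN = $_POST["NIIN"] ?? '';

// '=' instead of LIKE: binding stops injection, but with LIKE a caller could
// still send '%' as the value and list the whole table.
$stmt = $conn->prepare(
    "SELECT ITEM_NAME, PART_NUMBER, FSC, NIIN FROM MYTAB WHERE FSC = ? AND NIIN = ?"
);
$stmt->bind_param("ss", $FSC, $NIIN); // both values travel as data, not SQL
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    // One output line per matching row, so additional part numbers all appear
    while ($row = $result->fetch_assoc()) {
        echo $row["ITEM_NAME"], ", ", $row["PART_NUMBER"], ", ",
             $row["FSC"], ", ", $row["NIIN"], "\n";
    }
} else {
    echo "Query Failed! - No such NSN is loaded to the database! Please double check the information is correct and resubmit request...";
}

$stmt->close();
$conn->close();
```

The database user having read-only rights limits damage but, as the comments note, does not stop an injected query from reading other tables; the bound parameters are what close that hole.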