PHP, MYSQL and hyperlinks - linking from one page to a detail page (same table)

Question

Not sure why this page doesn't seem to be working?

Trying to get the ID from the URL and use that to filter a table.

Example URL: http://example.com/page.php?id=123G

I'm getting 0 results when I type in that URL even though I know there is a match. Any ideas?

<html>
<head>
<style>table, th, td {border: 1px solid black;}</style>
</head>

<?php

$id = $_GET["id"];

$servername = "INSERTSERVER";
$username = "INSERTUSER";
$password = "INSERTPASSWORD";
$dbname = "INSERTDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
} 


$pd = "

SELECT fac_id, pd, phone_pd 
FROM ft_location_db
WHERE fac_id = $id

";


$result = $conn->query($pd);

if ($result->num_rows > 0) {
echo "<table cellpadding=5 bgcolor=#FFFFFF><tr><th>PD</th><th>Phone</th>
</tr>";
// output data of each row
while($row = $result->fetch_assoc()) {
    echo "<tr><td>" . $row["pd"]. "</td><td>" . $row["phone_pd"]. "</td>
</tr>";
}
echo "</table>";
} else {
echo "0 results";
}






$conn->close();
?> 

</body>
</html>

If the identifier is `123G`, `fac_id` column seems to be a string datatype, right? — Syscall, Feb 27 '18 at 19:03
Actually figured this out. WHERE fac_id = $id needed to be WHERE fac_id = '$id' Very new to SQL and PHP. What is the deal with ' and "? Seems like I see things written different ways? — Talsma, Feb 27 '18 at 19:11

Syscall · Accepted Answer · 2018-02-27T19:40:46.653

1

Please, see the note in the bottom of the answer.

If fac_id is a string datatype, it should be wrapped.

$pd = "
SELECT fac_id, pd, phone_pd 
FROM ft_location_db
WHERE fac_id = '$id'
";

You have to use single quotes, because your query is written inside double quotes.

Using single quotes :

$pd = '
SELECT fac_id, pd, phone_pd 
FROM ft_location_db
WHERE fac_id = "' . $id . '"
';

But (and -very- important), I suggest you to take a look to How can I prevent SQL injection in PHP? to secure your queries.

$stmt = $conn->prepare('
    SELECT fac_id, pd, phone_pd 
    FROM ft_location_db
    WHERE fac_id = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$result = $stmt->get_result();

See also : bind_param()

edited Feb 27 '18 at 19:40

answered Feb 27 '18 at 19:16

Syscall

19,327
10
37
52

1

*"Because variable are not interpreted inside single quotes strings."* - Huh? – Funk Forty Niner Feb 27 '18 at 19:17
you sort of had it right, but what I said above in quoting you, needs to be edited or deleted. – Funk Forty Niner Feb 27 '18 at 19:20
Is this vulnerable to sql injection? I thought being a prepared statement I was okay?? Thanks! – Talsma Feb 27 '18 at 19:27
@FunkFortyNiner I've removed this sentence. It's probably a mistake about my translation. But I don't what was my error here. Can you enlighten me please? Thank you very much. – Syscall Feb 27 '18 at 19:28
@Talsma Yes, it is vulnerable. Use prepared statements, as soon as possible :) – Syscall Feb 27 '18 at 19:29
@Syscall it might have just been a language barrier; no worries. – Funk Forty Niner Feb 27 '18 at 19:30
@Syscall Can you provide an example using above code using MySQLi and prepared statements? Would really appreciate it!! – Talsma Feb 27 '18 at 19:37
@Talsma You have some examples in the given link. I've updated the anwser to use your context (not tested). – Syscall Feb 27 '18 at 19:41

PHP, MYSQL and hyperlinks - linking from one page to a detail page (same table)

1 Answers1