I have AJAX code that posts an ID, a year, and a semester to a PHP page, and in the success function I log the data to the console in order to see the JSON array, but it only shows the JSON array when I don't put the semester into the AND clause of the PHP query. My code:

AJAX:

$(document).ready(function() {
    $("#semester").change(function() {
        $("#year").change(function() {
            $('.searchBtn').click(function() {
                var id = this.id;
                var year = $("#year option:selected").val();
                var semester = $("#semester option:selected").val();

                console.log(id);
                console.log(semester);
                console.log(year);

                $.ajax({
                    traditional:true,
                    url: "getLoad.php",
                    method: "POST",
                    data:{
                        id:id,
                        semester:semester,
                        year:year
                    },
                    dataType: "JSON",
                    success:function(data){
                        console.log(data);
                        $("#studentLoad").css("display","block");
                       // $("#courseCode").text(data.sem);
                    }
                });
            });
        });
    });
});

PHP:

<?php
require("connect.php");
$query = "SELECT * FROM stud_enrollment AS se JOIN subjectschedule AS s ON se.subjectscheduleid = s.subSchedID JOIN subject AS sub ON sub.subjectID = s.subjectid WHERE se.studentid = {$_POST['id']} AND s.academic_year_start = {$_POST['year']} AND s.semester = {$_POST['semester']}";
$retval = mysqli_query($db, $query);
$data = array();
while($row = mysqli_fetch_assoc($retval)) {
    $data[] = $row;
}
echo json_encode($data);
?>

Removing the semester from the AND clause will allow the data to appear in the console but adding it will do the opposite.

Diego Vieira
Tristan

1 Answer

As everybody said, you should prepare your query; you can easily become a victim of MySQL injection.

Have a look:

http://php.net/manual/en/mysqli.prepare.php

and

https://www.w3schools.com/sql/sql_injection.asp

The code seems fine; are you sure your dataset is correct? I mean, have you checked whether a row exists that satisfies those criteria?

I'd re-write your query as per:

$query = "SELECT * FROM stud_enrollment AS se JOIN subjectschedule AS s ON se.subjectscheduleid = s.subSchedID JOIN subject AS sub ON sub.subjectID = s.subjectid WHERE se.studentid = ? AND s.academic_year_start = ? AND s.semester = ?";


$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

$stmt = $mysqli->prepare($query);

/* bind parameters: a single call with one type character per placeholder (i = integer, s = string) */
$stmt->bind_param("iis", $_POST['id'], $_POST['year'], $_POST['semester']);

/*execute the query*/
$stmt->execute();

// Extract result set and loop rows
$data = array(); // start from an empty array so an empty result encodes as []
$result = $stmt->get_result();
while ($res = $result->fetch_assoc())
{
    $data[] = $res;
}

/* close statement */
$stmt->close();

echo json_encode($data);
Alessandro.Vegna
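
A hardened version of the `getLoad.php` endpoint discussed above, as an added example that is not part of the original question or answer. It assumes `connect.php` defines `$db` as in the question; the year range and the semester pattern are hypothetical and should be adjusted to the real schema.

```php
<?php
declare(strict_types=1);

// Added example. Assumes connect.php defines $db (mysqli) as in the question;
// the year range and the semester pattern are hypothetical, adjust to your schema.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors now throw
header("Content-Type: application/json");

// Send a JSON error body with the given HTTP status and stop.
function fail(int $status, string $message): void
{
    http_response_code($status);
    echo json_encode(["error" => $message]);
    exit;
}

// Validate every POST field before it reaches the database.
$id = filter_input(INPUT_POST, "id", FILTER_VALIDATE_INT, ["options" => ["min_range" => 1]]);
$year = filter_input(INPUT_POST, "year", FILTER_VALIDATE_INT,
    ["options" => ["min_range" => 1900, "max_range" => 2100]]);
$semester = $_POST["semester"] ?? null;

if (!is_int($id) || !is_int($year)) {
    fail(400, "id and year must be integers");
}
if (!is_string($semester) || !preg_match('/^[A-Za-z0-9 ]{1,20}$/D', $semester)) {
    fail(400, "semester has an unexpected format");
}

try {
    require "connect.php";
    $stmt = $db->prepare(
        "SELECT * FROM stud_enrollment AS se
         JOIN subjectschedule AS s ON se.subjectscheduleid = s.subSchedID
         JOIN subject AS sub ON sub.subjectID = s.subjectid
         WHERE se.studentid = ? AND s.academic_year_start = ? AND s.semester = ?"
    );
    // One bind_param call covers all three placeholders: int, int, string.
    $stmt->bind_param("iis", $id, $year, $semester);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs the mysqlnd driver
    $stmt->close();
    echo json_encode($rows);
} catch (mysqli_sql_exception $e) {
    error_log("getLoad.php: " . $e->getMessage()); // details stay in the server log
    fail(500, "query failed");
}
```

Because a failed query now produces a logged exception and a JSON error body, the AJAX caller sees an HTTP 500 instead of an empty response when the SQL itself is rejected.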