php : Get select values and run a sql query

Question

I am new to php. I would want to get the values selected by the user from 2 different select options.
CODE:

<?php
// Create database connection
$db = mysqli_connect("localhost", "root", "", "organisation");
if (isset($_POST['submit'])) {
    $from_date = $_POST['from_date'];
    $to_date =$_POST['to_date'];
    $result = mysqli_query($db, "SELECT * 
                                FROM images 
                                WHERE year >= '$from_date' 
                                AND year <= '$to_date';");
} 
?>
<!DOCTYPE html>
<html>
<head>

<title>Gallery</title>
<meta charset="utf-8">
</head>
<body>
    <div id="header"></div><br>
        <form action="#" method="post">
            <select name="from_date">
                <option value="2018-01-01">2018-01-01</option>
                <option value="2019-01-01">2019-01-01</option>
                <option value="2020-01-01">2020-01-01</option>
                <option value="2021-01-01">2021-01-01</option>
                <option value="2022-01-01">2022-01-01</option>
            </select> BETWEEN
            <select name="to_date">
                <option value="2018-12-31">2018-12-31</option>
                <option value="2019-12-31">2019-12-31</option>
                <option value="2020-12-31">2020-12-31</option>
                <option value="2021-12-31">2021-12-31</option>
                <option value="2022-12-31">2022-12-31</option>
            </select>
            <input type="submit" name="submit" value="SUBMIT" />
<?php
    while ($row = mysqli_fetch_array($result)) {
        echo "<div id='img_div'>";
            echo "<img src='images/".$row['images']."' >";
        echo "</div>";
    } 
?>
        </form>
</body>
</html>

I have a feeling that I am making a veryy silly mistake, but I have been going through the net for the last 2 hours and it's driving me crazy, pls help.

First, you're at risk of [sql injection](http://bobby-tables.com/), second, what's not working? — Federico klez Culloca, Jun 22 '18 at 10:59
Now that I see it: `if (isset($_POST['submit'])) {` this doesn't make any sense, just remove it — Federico klez Culloca, Jun 22 '18 at 11:00
removing if (isset($_POST['submit'])) { gives the following error: Notice: Undefined index: to_date, from_date — B Banner, Jun 22 '18 at 11:02
Your while loop requires the `$result`, which will only exist after the form is submitted. So check that your form is actually "closed" before submitting. Try enabling error_reporting/display_errors. — JustBaron, Jun 22 '18 at 11:03
Bobby Tables will have his pound of flesh. http://bobby-tables.com/ — GordonM, Jun 22 '18 at 11:03
share value of column `year` and sql query `echo "SELECT * FROM images WHERE year >= '$from_date' AND year <= '$to_date';"` ? — Niklesh Raut, Jun 22 '18 at 11:07
@C2486 I have checked the query manually, it is working perfectly. — B Banner, Jun 22 '18 at 11:09
Then share value of column `year` ? Once again I request to share query ? — Niklesh Raut, Jun 22 '18 at 11:10
Guys the date is obviously OK as it is selected from the 2 dropdowns and the values are in the correct format for a MySQL query — RiggsFolly, Jun 22 '18 at 11:11
@RiggsFolly : I doubted like this `from_date : 2019-01-01` to `to_date: 2018-12-31`. Also there is no check to make `to_date` always greater than `from_date`, and As per the image there is only 3 row/records. So was confirming that which date parameter he is using. — Niklesh Raut, Jun 22 '18 at 11:14
@RiggsFolly uh? Since when does one have to check if the submit button was sent via POST? — Federico klez Culloca, Jun 22 '18 at 11:23
@FedericoklezCulloca You always need to check if the form was submitted so you dont run code that is dependant on `$_POST` containing something when the form is first run, from a link or by manually putting the address in the browser address bar — RiggsFolly, Jun 22 '18 at 11:27
@BBanner What is actually the issue here? Check that your form tag is correctly closed, before you attempt to submit the form. Enable and display errors, it should give you some clues as to where you are going wrong. — JustBaron, Jun 22 '18 at 11:31
@RiggsFolly I get that, but it's the first time I've see it done via checking the submit button. Shouldn't one check all of the actually necessary inputs anyway? — Federico klez Culloca, Jun 22 '18 at 11:42
@FedericoklezCulloca Well yes or by checking `if($_SERVER['REQUEST_METHOD'] == 'POST'` but that runs the answer into a full tutorial — RiggsFolly, Jun 22 '18 at 11:44
@RiggsFolly I probably wasn't very clear, because my comment you told OP not to follow was about the weirdness of that submit button being checked. — Federico klez Culloca, Jun 22 '18 at 11:48

RiggsFolly · Accepted Answer · 2018-06-22T11:50:34.743

Right, you have to remember the life cycle of a page.

The first time this page is run, from a link on another page or directly by entering its address in the browser, it will not have been submitted and therefore there will be no data in the $_POST array.

You correctly check this at the top of the page by doing this

if (isset($_POST['submit']))

but that will not stop your database fetch code later in the page from running regardless, and therefore erroring as there is no valid $result.

There are many ways to rewite this, but this is possibly the simplest.

So I would suggest that you amend the code something like this to make sure you only run code dependant upon the form being submitted when it is actually being submitted.

<?php
// Create database connection
$db = mysqli_connect("localhost", "root", "", "organisation");
if (isset($_POST['submit'])) {
    $from_date = $_POST['from_date'];
    $to_date =$_POST['to_date'];
    $result = mysqli_query($db, "SELECT * 
                                FROM images 
                                WHERE year >= '$from_date' 
                                AND year <= '$to_date';");
} 
?>
<!DOCTYPE html>
<html>
<head>

<title>Gallery</title>
<meta charset="utf-8">
</head>
<body>
    <div id="header"></div><br>
        <form action="#" method="post">
            <select name="from_date">
                <option value="2018-01-01">2018-01-01</option>
                <option value="2019-01-01">2019-01-01</option>
                <option value="2020-01-01">2020-01-01</option>
                <option value="2021-01-01">2021-01-01</option>
                <option value="2022-01-01">2022-01-01</option>
            </select> BETWEEN
            <select name="to_date">
                <option value="2018-12-31">2018-12-31</option>
                <option value="2019-12-31">2019-12-31</option>
                <option value="2020-12-31">2020-12-31</option>
                <option value="2021-12-31">2021-12-31</option>
                <option value="2022-12-31">2022-12-31</option>
            </select>
            <input type="submit" name="submit" value="SUBMIT" />
        </form>
<?php
// check you have something to process
if (!empty($result) {
    while ($row = mysqli_fetch_array($result)) {
        echo "<div id='img_div'>";
            echo "<img src='images/".$row['images']."' >";
        echo "</div>";
    }
} 
?>
</body>
</html>

I also moved your </form> tag so that the form gets correctly closed before outputting the images.

You may also find that the query returns nothing as it is possible to enter a start date that is greater than the end date using the dropdowns, but that is just a matter of adding a check for this.

Also your script is wide open to SQL Injection Attack Even if you are escaping inputs, its not safe! Use prepared parameterized statements in either the MYSQLI_ or PDO API's

You would do that by

$stmt = $db->prepare("SELECT * 
                      FROM images 
                      WHERE year >= ?
                      AND year <= ?";
$stmt->bind_param('ss', $from_date, $to_date);
$stmt->execute();
// get resultset from prpared statement
$result = $stmt->get_result();

Sachin Ingale · Answer 2 · 2018-06-22T11:18:39.760

-1

please refer to this code, it will help you. https://www.sourcecodester.com/php/11560/how-select-data-between-two-dates-phpmysql.html

edited Jun 22 '18 at 11:18

answered Jun 22 '18 at 11:08

Sachin Ingale

96
3

I see you are short of reps, but this is really just a comment. This type of answer attracts downvotes or gets flagged ___I did not DV___ and if that happens you will loose rep points and take longer to get to the 50 reps you need to comment on any question. Until then, stick to questions that are well asked and therefore easily answered without needing clarification. http://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead – RiggsFolly Jun 22 '18 at 11:13

php : Get select values and run a sql query

2 Answers2