1

I'm currently coding an e-commerce website for a school project hosted by MAMP where I need to link the product boxes to a description page using the $_GET variable. When I click on the boxes, they all link to a details.php page successfully. However, the redirected page is blank and only has a background color and my nav bar. The php code doesn't echo any strings or variables or even the html text. I've used a php syntax checker to check the code and there is no error!! I'm so confused.

Would really appreciate the help.

The code below is the php text I have on my details page.


<?php
if(isset($_GET['comp_id'])){

    $company_id = $_GET['comp_id'];

    $sql = "SELECT * FROM company WHERE id = '$company_id;";
    $result = mysqli_query($conn,$sql);

    while ($row = mysqli_fetch_array($result)){
        $comp_image = $row ['image'];
        $comp_name = $row ['name'];
        $comp_location= $row ['location'];
        $comp_position = $row ['position'];
        $comp_duration = $row ['duration'];
        $comp_description = $row['description'];
        $comp_applink= $row['form'];

        echo "
        <h1>Hello</h1>
        ";
    }
}
?>
  • 2
    Your code is designed to not output anything if (1) that query string value isn't present, (2) the query returns no results, or (3) the query results in an error. You should check these conditions to see which one is happening. Additionally, be aware that your code is *wide open* to **SQL injection**. You're essentially allowing users to execute any code they want on your server. – David Aug 03 '18 at 14:01
  • Before your `while` statement, add a line like so: `echo "Num Rows = " . mysqli_num_rows($result);` Let me know what you get. I suspect either no matching rows found or a problem with your query. – Simon K Aug 03 '18 at 14:02
  • 1
    `$sql = "SELECT * FROM company WHERE id = '$company_id;";` Unclosed " ' ", it may make you have no results. – Chrzanek Aug 03 '18 at 14:09
  • you're open to SQL injection - especially when you're using $_GET in this way, man-in-the-middle could also be pos if this was an update statement - though they can select from the company table where id = any id – treyBake Aug 03 '18 at 14:38

3 Answers

1
if(isset($_GET['comp_id'])){

    $company_id = $_GET['comp_id'];

    $sql = "SELECT * FROM company WHERE id = '$company_id'";
    $result = mysqli_query($conn,$sql);

    while ($row = mysqli_fetch_array($result)){
        $comp_image = $row ['image'];
        $comp_name = $row ['name'];
        $comp_location= $row ['location'];
        $comp_position = $row ['position'];
        $comp_duration = $row ['duration'];
        $comp_description = $row['description'];
        $comp_applink= $row['form'];

        echo "
        <h1>Hello</h1>
        ";
    }
}

Not the best way, your script is open to sql injection but for what you are trying to achieve, and considering that $company_id is an integer, this will do. Read about prepared statements in mysqli to make your code more secure. Your error was that you were missing a single quote BUT it can be way more problematic if you handle string data.

$stmt = $mysqli->prepare("SELECT * FROM company WHERE id = ?");
$stmt->bind_param("i", $company_id);
$stmt->execute();
$result = $stmt->get_result(); // execute() only returns true/false; get_result() gives the mysqli_result

This is an example based on your code for a prepared statement. To access that you need to fetch your data (you can do it inside a while loop) like:

while ($row = $result->fetch_assoc()) {
    // do things
}

you can read more about mysqli fetching here

pr1nc3
0

You are missing a quote here:

$sql = "SELECT * FROM company WHERE id = '$company_id;";

add the quote:

$sql = "SELECT * FROM company WHERE id = '$company_id'";

Without the quote your query is invalid and mysqli_query will return false on failure:

Returns FALSE on failure. For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. For other successful queries mysqli_query() will return TRUE.

http://php.net/manual/en/mysqli.query.php

Since it returns false, your while will get false as the condition and your while block will never be executed.

Also, your site is hackable if you do not make sure the parameters you are using are properly escaped. Using mysqli_* you will need to take a look into mysqli_real_escape_string.

EDIT

While my suggestion is enabling you to quickly solve your problem, you will really need to work with parameterized queries, as David has pointed out in the comment section. He has given this useful link: How can I prevent SQL injection in PHP?

Lajos Arpad
  • 2
    Escaping strings doesn't always prevent SQL injection attacks either. Better to start here: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php The solution isn't to try to sanitize user-editable values before executing them as code, the solution is to not execute them as code in the first place. – David Aug 03 '18 at 14:26
  • @David I agree with you. I have shown the asker how he/she can make his/her code safer, but PDO is undoubtedly a much better option. I can edit my answer to clarify this, but I wanted to keep things simple, as the asker is obviously a beginner. – Lajos Arpad Aug 03 '18 at 14:37
  • All the more reason to instill better habits in the asker now instead of showing SQL-injectible code in an answer :) Also, PDO isn't necessary or really relevant. The code is already using mysqli, which is perfectly capable. – David Aug 03 '18 at 14:38
  • Hi Lajos, thanks so much for pointing out my mistake. I'm aware that this site is hackable so I'll work on this problem later. However, adding the quote still doesn't change anything. – amateur_coder Aug 04 '18 at 01:48
  • @amateur_coder if you take a look at the server error logs, what do you see? – Lajos Arpad Aug 04 '18 at 06:49
  • @LajosArpad the server error logs don't seem to display anything. – amateur_coder Aug 05 '18 at 10:25
  • Presumably because your server is not logging errors. – Lajos Arpad Aug 05 '18 at 10:27
  • @LajosArpad I have a long line of errors and do not know which to identify. I'm assuming all. – amateur_coder Aug 05 '18 at 13:05
  • PHP Warning: file_get_contents(http://www.mamp.info/feed/mac/MAMP/English/feed/home.json): failed to open stream: operation failed in /Applications/MAMP/bin/mamp/feed/fetchFeed.php on line 20 PHP Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /Applications/MAMP/htdocs/Birdly Project/details.php on line 48 – amateur_coder Aug 05 '18 at 13:06
  • PHP Warning: file_get_contents(): SSL: Handshake timed out in /Applications/MAMP/bin/mamp/feed/fetchFeed.php on line 20 PHP Warning: file_get_contents(): Failed to enable crypto in /Applications/MAMP/bin/mamp/feed/fetchFeed.php on line 20 PHP Warning: file_get_contents(http://www.mamp.info/feed/mac/MAMP/English/feed/home.json): failed to open stream: operation failed in /Applications/MAMP/bin/mamp/feed/fetchFeed.php on line 20 – amateur_coder Aug 05 '18 at 13:06
  • @amateur_coder if you try to run a similar query in the database, do you get the same error? – Lajos Arpad Aug 06 '18 at 10:06
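Putting this answer's two points together (mysqli_query silently returning false, and parameterised queries instead of escaping, as pr1nc3 also suggests), here is an added example of a hardened details.php fragment; it is not code from the question or any answer. It assumes $conn is the open mysqli connection from the question, that the company table has the columns the question selects, and that the mysqlnd driver is available for mysqli_stmt_get_result.

```php
<?php
// Added example, not from the question or any answer. Assumes $conn is the
// open mysqli connection from the question and that the company table has the
// columns the question selects (image, name, location, position, duration,
// description, form).

// Make mysqli throw on failure instead of returning false. With this on, the
// unbalanced quote in the original query would have surfaced as a
// mysqli_sql_exception rather than a blank page with a boolean in $result.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Validate the id before it goes near SQL: null if absent, false if not a positive int.
$company_id = filter_input(INPUT_GET, 'comp_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($company_id === null || $company_id === false) {
    http_response_code(400);
    exit('Missing or invalid comp_id');
}

// Parameterised query: the value is bound, never interpolated, so no value of
// comp_id can change the statement's structure. No escaping is needed.
$stmt = mysqli_prepare($conn,
    'SELECT image, name, location, position, duration, description, form
       FROM company WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $company_id);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt); // requires the mysqlnd driver (assumed)

$row = mysqli_fetch_assoc($result);
if ($row === null) {
    http_response_code(404);
    exit('No such company');
}

// Escape on output too: whatever is stored in the table is untrusted HTML.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo '<h1>' . h($row['name']) . '</h1>';
echo '<img src="' . h($row['image']) . '" alt="' . h($row['name']) . '">';
echo '<p>' . h($row['location']) . ' | ' . h($row['position'])
    . ' | ' . h($row['duration']) . '</p>';
echo '<p>' . h($row['description']) . '</p>';
echo '<a href="' . h($row['form']) . '">Apply</a>';
mysqli_stmt_close($stmt);
```

With mysqli_report enabled, the "expects parameter 1 to be mysqli_result, boolean given" warning from the comments above becomes an exception at the failing query itself, pointing straight at the SQL error.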
0

First check that in your tag you have mentioned method="GET". And use the below changes in the $sql query.


<?php
if( isset($_GET['comp_id']) ) {
    $company_id = $_GET['comp_id'];
    $sql = "SELECT * FROM company WHERE id = '".$company_id."'";
    $result = mysqli_query($conn,$sql);

    while ( $row = mysqli_fetch_array($result) ){
        $comp_image = $row['image'];
        $comp_name = $row['name'];
        $comp_location= $row['location'];
        $comp_position = $row['position'];
        $comp_duration = $row['duration'];
        $comp_description = $row['description'];
        $comp_applink= $row['form'];

        echo "<h1>Hello</h1>";
    }
}
?>

I hope this helps, check and let me know.