
So I am trying to do a history for my site, but when I do the select query with the jQuery variable it doesn't work. HERE is the table that shows the values from the DB, and here is the pop-up box that opens to show details, but I want to show the values from each row that I click.

Here is the jQuery code:

var idocorrencia;
$(document).on("click", "#listagem tr td a", function (e) {
    e.preventDefault();
    // the id of the clicked row is stored in the "idlista" attribute of the parent <td>
    idocorrencia = $(this).parent().attr("idlista");
    $("#listagem caption").text($(this).text());
    console.log(idocorrencia);
    // one request, sending the variable's value (not the literal string "idlista")
    $.ajax({
        method: "POST",
        url: "historico.php",
        data: { idoc: idocorrencia },
        dataType: "json"
    }).done(function (data) {
        // the JSON returned by historico.php is available here to fill the pop-up
        console.log(data);
    });
});

Here is the PHP:

$id = $_POST['idoc'];
// $id is interpolated straight into the SQL text: a non-numeric value breaks the
// query (mysqli_query then returns false) and any client value can alter the query
$result = mysqli_query($conn, "SELECT id FROM ocorrencia where id=$id");
$row = mysqli_fetch_assoc($result);
$idoc = isset($_POST['idoc']) ? $_POST['idoc'] : $row['id'];
Mir
  • What is the code supposed to do? Your PHP code doesn't actually return any response, nor does your Ajax do anything with a response should it receive one. Nor does the PHP code appear to update the database (just selects) - so in short, this code will never "do" anything. And I don't know what you want it to do either. – Robin Zigmond Apr 15 '19 at 15:26
  • _In what way_ does it not work? What debugging have you already done? Does the ajax request fire? If so, have you checked your browser's network tab to verify that the expected values were posted? Have you confirmed the value of `$id` in your PHP? – Patrick Q Apr 15 '19 at 15:26
  • You really should be escaping that value before putting it in your query. You are leaving yourself wide open to SQL injection attacks. – derek.wolfe Apr 15 '19 at 15:28
  • The logic of the SQL query is missing according to your PHP code: if `$_POST['idoc']` is set, `$idoc` will be assigned to it; if `$_POST['idoc']` is not set, your SQL query will not return anything... and `$idoc` will not be assigned to anything – Zeusarm Apr 15 '19 at 15:31
  • What I want to do is a history: I have a table, and when I click on a row it will show the values from the database, but I want to separate them by clicking on each row; that's why I am doing that select – Mir Apr 15 '19 at 15:40
  • I have added an image to simplify – Mir Apr 15 '19 at 15:40
  • The thing is that the row `$idoc = isset($_POST['idoc']) ? $_POST['idoc'] : $row['id'];` will either return your `$_POST['idoc']` or nothing (maybe even an error) – Zeusarm Apr 15 '19 at 15:52
  • It is returning an error: "mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given in ..." – Mir Apr 15 '19 at 15:54
  • Possible duplicate of [warning problem: expects parameter 1 to be mysqli\_result](https://stackoverflow.com/questions/2077263/warning-problem-expects-parameter-1-to-be-mysqli-result) – Patrick Q Apr 15 '19 at 15:56
  • @Mir Do you know what `data:{idoc : "idlista"}` actually does? – Patrick Q Apr 15 '19 at 16:06
  • **Warning:** You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](http://php.net/manual/en/pdo.prepared-statements.php) or by [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). – Dharman Apr 15 '19 at 18:37

1 Answer


Try to do it like this:

if (isset($_POST['idoc'])) {
    $id = $_POST['idoc'];
    // escape the value and quote it so it cannot break out of the string literal
    $result = mysqli_query($conn, "SELECT id FROM ocorrencia where id='" . mysqli_real_escape_string($conn, $id) . "'");
    // mysqli_query returns false on failure, so check before fetching
    if ($result !== false && mysqli_num_rows($result) > 0) {
        $row = mysqli_fetch_assoc($result);
        $idoc = $row['id'];
    }
}

UPDATE

And here is the same script with prepared statements:

if (isset($_POST['idoc'])) {
    $id = $_POST['idoc'];
    // the value is sent to the server separately from the SQL text, so it can never change the query
    $statement = mysqli_prepare($conn, "SELECT id FROM ocorrencia where id=?");
    mysqli_stmt_bind_param($statement, 's', $id);
    mysqli_stmt_execute($statement);
    $result = mysqli_stmt_get_result($statement);
    if ($result !== false && mysqli_num_rows($result) > 0) {
        $row = mysqli_fetch_assoc($result);
        $idoc = $row['id'];
    }
    mysqli_stmt_close($statement);
}

Here I have used procedural style, as the original script was like that. But it can be easily rewritten in object oriented style.

Zeusarm
  • Could you please rewrite your code with prepared statements? Let's not teach others to use `mysqli_real_escape_string` – Dharman Apr 15 '19 at 18:38
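Two points raised in the comments are left open by the answer: the PHP never sends anything back to the Ajax call (Robin Zigmond), and the query should be parameterized (Dharman). The following `historico.php` is an added example written for this page, not the asker's or the answerer's code. It assumes `$conn` is an open `mysqli` connection defined by an included `config.php`, that `ocorrencia.id` is an integer primary key, and that the other column names (`descricao`, `data_registo`) exist; those names are assumptions for illustration.

```php
<?php
// historico.php -- added example, not the asker's or the answerer's code.
// Assumes: $conn is an open mysqli connection provided by an included file
// (called config.php here), and the table "ocorrencia" has an integer
// primary key "id". The other column names (descricao, data_registo) are
// assumptions for illustration; substitute the real ones.
declare(strict_types=1);

require __DIR__ . '/config.php';   // assumed to define $conn

// Make mysqli throw on errors instead of returning false. In the default
// silent mode a failed query returns false, which is exactly what produced the
// "expects parameter 1 to be mysqli_result, bool given" warning in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

header('Content-Type: application/json; charset=utf-8');

/**
 * Fetch one history row by id with a prepared statement. The id travels to the
 * server separately from the SQL text, so whatever the client sends can only
 * ever be compared against the id column, never parsed as SQL.
 * Returns the row as an associative array, or null when no row matches.
 */
function fetchOcorrencia(mysqli $conn, int $id): ?array
{
    $stmt = mysqli_prepare(
        $conn,
        'SELECT id, descricao, data_registo FROM ocorrencia WHERE id = ?'
    );
    mysqli_stmt_bind_param($stmt, 'i', $id);   // 'i': bind as integer
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($result);        // null when no row matched
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

// Validate the input before it gets anywhere near the database: the row id must
// be a positive integer. Anything else is answered with 400 and no query runs.
$id = filter_input(INPUT_POST, 'idoc', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    echo json_encode(['error' => 'idoc must be a positive integer']);
    exit;
}

try {
    $row = fetchOcorrencia($conn, $id);
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; the client only gets a generic 500 so
    // that database details are not leaked in the response.
    error_log('historico.php: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'internal error']);
    exit;
}

if ($row === null) {
    http_response_code(404);
    echo json_encode(['error' => 'no such ocorrencia']);
    exit;
}

// Success: the jQuery done() callback receives this object (dataType: 'json').
echo json_encode($row);
```

With `dataType: "json"` on the client, the object echoed here arrives as the `data` argument of the `.done()` callback, so the pop-up can be filled from `data.descricao` and so on. The integer validation is defence in depth rather than the injection fix: the prepared statement alone already keeps the value out of the SQL text, but rejecting anything that is not a positive integer up front means a malformed request gets a clear 400 instead of an empty result, and the `mysqli_num_rows` check from the answer becomes unnecessary because `mysqli_fetch_assoc` simply yields `null` when nothing matched.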