-2

Why am I not able to echo those things like adm_no, adm_dt, etc.?

require_once("lib/connection.php");
$adm_no = $_POST['adm_no'];
if (!$adm_no == "intval") echo "You Entered wrong Admission no Recheack Admission no";
exit();
$clas = $_POST['clas'];
$query = "SELECT * FROM $clas WHERE adm_no = $adm_no";
$result = mysql_query($query);
// searches the query in db.
while ($result1 = mysql_fetch_array($result)) {
    $adm_no = $result1['adm_no'];
    $adm_dt = $result1['adm_dt'];
    $name = $result1['name'];
    $dob = $result1['dob'];
    $f_name = $result1['f_name'];
    $f_office = $result1['f_office'];
    $f_o_no = $result1['f_o_no'];
    $m_name = $result1['m_name'];
    $m_office = $result1['m_office'];
    $addr = $result1['addr'];
};


echo "Admission no = ";
$adm_no;
echo " <p>Admission Date  </p>";
echo "   <p>Name  </p>";
echo "  <p>Class </p>";
echo "  <p>D.O.B    </p>";
echo "  <p>Father s name    </p>";
echo "  <p>Office address    </p>";
echo "  <p>Office No   </p>";
echo "  <p>Mother s name   </p>";
echo "  <p>Office Address     </p>";
echo "  <p>Address      </p>";
echo "  <p>Phone no   </p>";
Marcel Korpel
ravi
  • What is this: if (!$adm_no=="intval")? – CristiC May 19 '11 at 11:46
  • 6
    This needs basic debugging, not the help of a Q&A site. Does the query work out? What does `mysql_error()` say? Do the POST variables get submitted? What error messages do you get? Does the result contain anything? Is the `while` loop executed? – Pekka May 19 '11 at 11:48
  • 3
    Please don't add `MANY CAPITALS` in your question's titles and especially **don't** use phrases like “it's urgent!”: that will not make us answer your questions sooner, it's merely annoying. – Marcel Korpel May 19 '11 at 11:49
  • 1
    **Warning:** possible SQL injection with `$clas` (and possibly with `$adm_no`): always properly escape user input or, better, use parametrized queries! And (thanks to David Dorward below) you should use `htmlspecialchars` when outputting HTML to prevent XSS. – Marcel Korpel May 19 '11 at 11:51
  • 1
    @Ravi: Look at @Shakti's answer: the problem is using `exit` as a second statement without the `{ }` – Daric May 19 '11 at 11:59
  • -1 For SQL-injection hole in the code, you have been informed about this issue before in your prior question, that has since been deleted. See my answer below on how to fix this and please don't post SQL-injectable code on SO. Many people will downvote you for that. – Johan May 19 '11 at 12:39

7 Answers

4

You have a syntax error

echo "Admission no = " ;$adm_no ;

Should be

echo "Admission no = " ; 
echo $adm_no ;

or

echo "Admission no = " . $adm_no ;
fin1te
4

Well, the following does print a string and then does nothing with the variable:

echo "Admission no = " ;$adm_no ;

You were probably going for:

echo "Admission no = " . $adm_no;

Apart from that, are you aware that the print logic is only evaluated once, after the while loop has iterated over all the results (if more than one)? That is, the variables will hold the values of the last record only.

jensgram
4

Here is the problem: your exit(); is executing every time, even if the input $adm_no is okay.

Change this

if (!$adm_no=="intval") 
      echo "You Entered wrong Admission no Recheack Admission no" ;
      exit(); 

to

if (!$adm_no=="intval") 
{
      echo "You Entered wrong Admission no Recheack Admission no" ;
      exit(); 
}
Shakti Singh
3

As I told you in the previous (deleted) question, you have an SQL-injection hole.
Here's how to fix it.

Change this code:

Coding horror

$adm_no = $_POST['adm_no']; 
if (!$adm_no == "intval") 
  echo "You Entered wrong Admission no Recheack Admission no"; 
exit(); 
$clas = $_POST['clas']; 
$query = "SELECT * FROM $clas WHERE adm_no = $adm_no"; 

Into this code, which is not exposed to SQL-injection dangers

$adm_no = mysql_real_escape_string($_POST['adm_no']);
// Reject anything that is not a string of digits
if (!ctype_digit($adm_no)) {
  echo "You Entered wrong Admission no Recheack Admission no"; exit();
}
// Table names cannot be escaped as values, so check them against a whitelist
$allowed_tables = array('table1', 'table2');
$clas = $_POST['clas'];
if (in_array($clas, $allowed_tables))
{
  $query = "SELECT * FROM `$clas` WHERE adm_no = '$adm_no'";
}

I know that the If will only accept integers, but the if in your previous question was commented out, therefore it comes and goes, so always escape your inputs before injecting them into your query!

Note how the if in your code does not work because you forgot to enclose the body after the then in brackets {}, causing the exit(); to always be executed.

For more info on SQL-injection see: How does the SQL injection from the "Bobby Tables" XKCD comic work?
And for info on why mysql_real_escape_string or PDO doesn't work with dynamic table names
see: How to prevent SQL injection with dynamic tablenames?
And: Sample code to fix this particular SQL-injection hole

XSS hole
To fix a possible XSS hole, don't do

Coding horror

echo "Admission no = ".$adm_no;

But do this instead:

echo "Admission no = ".htmlspecialchars($adm_no); 

In your case it seems that $adm_no can only hold an integer, but I don't have the table definition so I cannot be sure of that. It's best to be on the safe side and always escape dynamic output using htmlspecialchars.

See: What are the best practices for avoiding xss attacks in a PHP site

Community
Johan
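The fixes raised in the comments and answers on this page (braces around the early exit, a table whitelist, a bound parameter, escaping on output, printing inside the loop) combined in one added example; it is not code from any of the posters. It uses PDO with an in-memory SQLite database rather than the `mysql_*` functions so that it runs stand-alone, and the table names, sample row and request arrays are constructed.

```php
<?php
// Added example. Tables, the sample row and the request arrays are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE class_10 (adm_no INTEGER, adm_dt TEXT, name TEXT)");
$pdo->exec("INSERT INTO class_10 VALUES (101, '2011-04-01', 'A <b>Student</b>')");

// Returns the HTML for one lookup request ($post stands in for $_POST).
function lookup(PDO $pdo, array $post, array $allowedTables): string
{
    $admNo = $post['adm_no'] ?? '';
    $clas  = $post['clas'] ?? '';

    // Validate first; the early return sits inside braces, so valid input continues.
    if (!is_string($admNo) || !ctype_digit($admNo)) {
        return "<p>Invalid admission no</p>\n";
    }
    // Identifiers cannot be bound as parameters: accept only known table names.
    if (!in_array($clas, $allowedTables, true)) {
        return "<p>Unknown class</p>\n";
    }
    // The value is bound as a parameter, never interpolated into the SQL text.
    $stmt = $pdo->prepare("SELECT adm_no, adm_dt, name FROM \"$clas\" WHERE adm_no = :adm_no");
    $stmt->execute([':adm_no' => (int) $admNo]);

    $labels = ['adm_no' => 'Admission no', 'adm_dt' => 'Admission Date', 'name' => 'Name'];
    $html = '';
    // Build the output inside the loop so every matching row is shown.
    while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
        foreach ($labels as $col => $label) {
            // Escape on output: stored data may contain markup.
            $value = htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8');
            $html .= "<p>$label = $value</p>\n";
        }
    }
    return $html !== '' ? $html : "<p>No record found</p>\n";
}

$allowed = ['class_10', 'class_11'];
echo lookup($pdo, ['adm_no' => '101', 'clas' => 'class_10'], $allowed);       // one record, name escaped
echo lookup($pdo, ['adm_no' => '12abc', 'clas' => 'class_10'], $allowed);     // rejected: not digits
echo lookup($pdo, ['adm_no' => '101', 'clas' => 'unlisted_table'], $allowed); // rejected: not whitelisted
```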
2

Statement 1: echo "Admission no = " ;

Statement 2: $adm_no ;

You aren't echoing the variables.

You should probably have something like:

<p>Admission no = <?php echo htmlspecialchars($adm_no); ?></p>
Quentin
1
  1. The way you assign the variables in the loop doesn't make any sense: if your SQL query returns more than 1 row, your code will simply replace the values. You probably want to echo the results inside the loop.

  2. There is a syntax error here: echo "Admission no = " ;$adm_no ; It should be echo "Admission no = ".$adm_no;

  3. When you are echoing the results, you are not actually echoing the variables: echo " <p>Admission Date: $adm_dt </p>";

Jay Sidri
0

Because echo accepts parameters as comma-separated list, like

echo $one, "two"

Using a comma is also possible, but better just use heredoc syntax, which supports variable substitution, if you need to output a large chunk of text with newlines

echo <<<HEREDOC
Your text with $variables or {$variables} here
with newlines and other nifty plaintext formatting
HEREDOC;
ashein