
I currently have a search screen to display results. A user can click on a link in that search screen to open a new window and view additional information. Currently I'm able to display the additional information as a table; however, I want to display the data in text boxes.

Currently my code to display the data in a table is as follows. Code to get the id of the row that the user has clicked on:

<?php
// Look up the row whose id was passed in the link the user clicked
$id = $_GET['id'];
$sql = "SELECT user_id, name, age, address
        FROM details
        WHERE user_id = '" . $id . "'";
$query = mysqli_query($connection, $sql);
$_SESSION['user_id'] = $id;
?>

Code to display the data as a table:

<tr>
    <th>name</th>
    <th>age</th>
    <th>address</th>
</tr>
<tbody>
<?php while ($row = mysqli_fetch_array($query)) { ?>
    <tr>
        <td><?php echo $row['name']; ?></td>
        <td><?php echo $row['age']; ?></td>
        <td><?php echo $row['address']; ?></td>
    </tr>
<?php } ?>
</tbody>

I want to display the data in text boxes and it's not as easy as I thought. I thought I could just change the row to a text box as below.

<label for="name">Full Name:</label>
<input id="name" style="width: 150px; type="text" value="<?php echo $row['name']; ?>

Any pointers would be greatly appreciated.

FastRider
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 17 '20 at 12:50
  • What doesn't work? Your ` – Dharman Aug 17 '20 at 12:51
  • _"I thought I could just changethe row to a text box as below."_ ...ok, and what exactly went wrong when you tried? You forgot to explain the problem. I can see that you missed the ending off your `input` though - try ``. If that's all it is, it seems like a simple typo. Or is there another problem you want to tell us about? Please clarify. – ADyson Aug 17 '20 at 12:53

1 Answer


As another has said, you are open to abuse here because anyone can type anything into the address bar as a GET variable. Try this instead.

<?php
// First check the id was passed in the query string; if not, nothing below runs
if (isset($_GET['id'])) {

    // Clean up the GET value. Decode and strip first and escape for SQL last,
    // so that a later step cannot reintroduce characters the escaping handled.
    $id = urldecode($_GET['id']);
    $id = trim($id);
    $id = strip_tags($id);
    $id = mysqli_real_escape_string($connection, $id);

    // Select the matching row from your table
    $select = mysqli_query($connection, "select user_id,name,age,address from details where user_id='$id'");

    // Check if the query succeeded and at least one record actually exists
    if ($select && mysqli_num_rows($select) > 0) {

        // Retrieve an array from your select, this will get all records for that ID so you may want to close the while loop before echoing the results in HTML if you have multiple records...
        while ($row = mysqli_fetch_array($select)) {
            // Escape each value for HTML so stored data cannot inject markup into the page
            $real_id = htmlspecialchars($row['user_id'], ENT_QUOTES, 'UTF-8');
            $name    = htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
            $age     = htmlspecialchars($row['age'], ENT_QUOTES, 'UTF-8');
            $address = htmlspecialchars($row['address'], ENT_QUOTES, 'UTF-8');

            // Display the results in HTML
            echo "
            <label for='id'>ID</label>
            <input type='text' id='id' value='$real_id'>
            <label for='name'>Name</label>
            <input type='text' id='name' value='$name'>
            <label for='age'>Age</label>
            <input type='text' id='age' value='$age'>
            <label for='address'>Address</label>
            <input type='text' id='address' value='$address'>
            ";
        }
    }
}
mysqli_close($connection);
?>

Conclusions: if there is no GET data or if the GET data doesn't correspond to anything in your table nothing will happen.

SJacks
  • Many thanks for clearly laying out where I was going wrong and for addressing my vulnerability (and for taking your time to type out the code). I can see from your demo code how the data flows, is retrieved and displayed. – FastRider Aug 18 '20 at 06:54
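The same lookup done the way the comments recommend: a mysqli prepared statement, so the id is bound as a parameter instead of being spliced into the SQL string, and values escaped when they are written into the text boxes. This is an added example, not code from the question or the answer; it assumes `$connection` is an open mysqli link, the `details` table from the question, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example, not from the question or the answer. Assumes $connection is an
// open mysqli link, the `details` table from the question, and mysqlnd (get_result).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Render one label plus text box, escaping the value for an HTML attribute.
function text_box(string $label, string $id, $value): string
{
    $safe = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    return "<label for='{$id}'>{$label}</label>\n"
         . "<input type='text' id='{$id}' name='{$id}' value='{$safe}'>\n";
}

// Reject a missing or empty id before touching the database.
$id = trim((string) ($_GET['id'] ?? ''));
if ($id === '') {
    http_response_code(400);
    exit('Missing id');
}

// The ? placeholder is sent separately from the SQL text, so the value is
// never parsed as SQL and needs no quoting or escaping. Bound as a string
// because the question quotes user_id; use 'i' if it is an integer column.
$stmt = $connection->prepare(
    'SELECT user_id, name, age, address FROM details WHERE user_id = ?'
);
$stmt->bind_param('s', $id);
$stmt->execute();
$result = $stmt->get_result();

if ($row = $result->fetch_assoc()) {
    echo text_box('ID', 'id', $row['user_id']);
    echo text_box('Full Name', 'name', $row['name']);
    echo text_box('Age', 'age', $row['age']);
    echo text_box('Address', 'address', $row['address']);
} else {
    http_response_code(404);
    echo 'No record found for that id';
}
$stmt->close();
?>
```

With `MYSQLI_REPORT_STRICT` a failed prepare or execute throws a `mysqli_sql_exception` instead of silently returning `false`, so the missing-result check above cannot mask a broken query.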