-3

I have a database that looks like this.

+------------+------+
| playername | team |
+------------+------+
| John       | 1    |
| Tim        | 2    |
| ...        | ...  |
+------------+------+

On my page I get all the names of team 1 above and all the names of team 2 below. It reads out all player names and creates an HTML element for each player with an onclick event. When I click on an element I get the text of the element...

```php
<?php include_once 'connection.php';?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Dashboard</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.css">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.js"></script>
</head>
<body>
    <?php
        // Players of team 1
        $sql = "SELECT * FROM teams WHERE team = 1;";
        $result = mysqli_query($conn, $sql);
        $resultCheck = mysqli_num_rows($result);

        if ($resultCheck > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                // Escape the name so it is rendered as text, not as markup
                echo "<button onclick='clickfunc(this)'>".htmlspecialchars($row['playername'], ENT_QUOTES, 'UTF-8')."</button>";
            }
        }
    ?>

    <?php
        // Players of team 2
        $sql = "SELECT * FROM teams WHERE team = 2;";
        $result = mysqli_query($conn, $sql);
        $resultCheck = mysqli_num_rows($result);

        if ($resultCheck > 0) {
            while ($row = mysqli_fetch_assoc($result)) {
                // Escape the name so it is rendered as text, not as markup
                echo "<button onclick='clickfunc(this)'>".htmlspecialchars($row['playername'], ENT_QUOTES, 'UTF-8')."</button>";
            }
        }
    ?>

    <script>
        // Called by each button's onclick handler
        function clickfunc(obj) {
            var playername = $(obj).text();

            // SOME CODE TO PASS playername TO change.php
        }
    </script>

</body>
</html>
```

And I have a PHP file change.php which looks for the passed name in the database and then changes the team from 1 to 2 or the other way around. (The SQL query works perfectly fine in the database.)

```php
<?php
  include_once 'connection.php';
  $playername = $_GET['playername'];

  $sql = "UPDATE teams SET team = IF(team = 1, 2, 1) WHERE playername = '$playername';";
  mysqli_query($conn, $sql);

  header("Location: index.php");
?>
```

The Question: Now I have the problem that I don't know how I can, when I click on an element and read out the text, send this text as a parameter to the change.php file so that the PHP file can work with it.

For example: if I click on John, the text "John" is sent as a parameter to change.php and processed there. The result would then be that John, if he was above, is now below. Or the other way around.

  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 31 '20 at 10:27
  • Ok, thanks for the warning. I will definitely take this into consideration and change it. – Josip Jerkovic Aug 31 '20 at 10:56

1 Answer

0

Because you are getting the value using $_GET, simply redirect the page to change.php using JavaScript's window.location and put the parameter in the URL:

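```javascript
function clickfunc(obj) {
     var playername = $(obj).text();
     // Encode the name so spaces, '&', '#' etc. survive as part of the parameter value
     window.location = "change.php?playername=" + encodeURIComponent(playername);
}
```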
catcon
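
The prepared-statement form that the comment on the question recommends, applied to change.php, as an added example that is not part of the original question or answer. It assumes `connection.php` defines `$conn` as a MySQLi connection, as in the question; the helper name `toggle_team()` is hypothetical.

```php
<?php
// Added example: change.php rewritten with a MySQLi prepared statement.
// Assumes connection.php defines $conn (mysqli), as in the question.
include_once 'connection.php';

// Report query errors as exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: flip a player's team between 1 and 2.
 * Returns the number of rows changed (0 if no such player exists).
 */
function toggle_team(mysqli $conn, string $playername): int
{
    // The name is bound as data and never concatenated into the SQL text,
    // so a name containing a quote (e.g. O'Brien) cannot alter the query.
    $stmt = $conn->prepare(
        'UPDATE teams SET team = IF(team = 1, 2, 1) WHERE playername = ?'
    );
    $stmt->bind_param('s', $playername);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

// Reject a missing or non-string parameter (e.g. ?playername[]=x).
$playername = $_GET['playername'] ?? null;
if (!is_string($playername) || $playername === '') {
    http_response_code(400);
    exit('Missing playername');
}

toggle_team($conn, $playername);

// Same redirect as the original; exit so nothing runs after the header.
header('Location: index.php');
exit;
```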