-1

I have been trying to display some test information from the database, but I've tried to get the information to echo. Currently the echo and the if statement are working as intended, but the variables from the database are not displaying.

This is the navbar linking code, linking with pgname and displaying title

        <?php foreach($recordStorage as $pageinfo): ?>
        <a href="index.php?page='<?php echo $pageinfo['pgname']; ?>'" class="nav-link"><?php echo $pageinfo['title']; ?></a>
        <?php endforeach; ?>

This is the index display code (I removed the majority of variables to keep the code short)

    <?php
    if(isset($_GET['page']))
    {
        $pgname = trim($_Get['page'], "'");

        $recordStorage = $connection->query("select * from scp_pages where pgname='$pgname'") or die($connection->error());

        //Creates into array for display
        $display = $recordStorage->fetch_assoc();

        $title = $display['title'];
        $class = $display['class'];

        echo "
        <h1>{$title}</h1>
        <h2> Object Class {$class}</h2>
        ";
    }
    else
    {
        echo "
        <h1>Welcome to this website</h1>
        ";
    }
    ?>

And finally, this is the database display. From what I saw, everything was running decently.

    <?php

    $user = "database_testuser";
    $password = "1234567890";
    $database = "database_name";

    $connection = new mysqli('localhost', $user, $password, $database) or die(mysqli_error($connection));

    $recordStorage = $connection->query("select * from scp_pages") or die($connection->error());

    ?>
  • Dump `$display` property. – vvpanchev Oct 06 '20 at 09:29
  • By the way, consider using PDO to build the query, to avoid sql injection. – francisco neto Oct 06 '20 at 09:52
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 06 '20 at 10:44
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Oct 06 '20 at 10:44
  • Neither `or die(mysqli_error($connection))` nor `or die($connection->error())` is correct. You need to remove both of them. – Dharman Oct 06 '20 at 10:45
  • Thanks everyone for telling me about SQL_Injections and further issues with my code, I will get to fixing it immediately. – Console.Writeline Oct 06 '20 at 12:48

1 Answer

0

The error is probably in the following statement:

    $pgname = trim($_Get['page'], "'");

Instead of `$_Get`, the expected syntax is in uppercase: `$_GET`

After changing this, dump the `$pgname` var to see if it has the expected value.

francisco neto
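
The comments under the question recommend parameterized prepared statements and removing `or die(...)`. As an added example (not code from the question or the answer), here is the same page lookup written with PDO. The in-memory SQLite database, the sample rows and the `findPage`/`renderPage` helpers are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for the
// MySQL database so the script runs on its own; with MySQL the DSN would be
// "mysql:host=localhost;dbname=database_name;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
// Throw exceptions on failure instead of `or die(...)`, so database error
// text can be logged server-side rather than echoed to the visitor.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows using the column names from the question.
$pdo->exec("CREATE TABLE scp_pages (pgname TEXT PRIMARY KEY, title TEXT, class TEXT)");
$pdo->exec("INSERT INTO scp_pages VALUES
    ('scp-002', 'Sample page two', 'Euclid'),
    ('scp-003', 'Sample <b>page</b> three', 'Safe')");

/** Look up one page; the value is bound as data, never spliced into the SQL. */
function findPage(PDO $pdo, string $pgname): ?array
{
    $stmt = $pdo->prepare('SELECT title, class FROM scp_pages WHERE pgname = :pgname');
    $stmt->execute([':pgname' => $pgname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Build the page body, HTML-escaping everything that came from the database. */
function renderPage(?array $page): string
{
    if ($page === null) {
        return "<h1>Welcome to this website</h1>\n";
    }
    $title = htmlspecialchars($page['title'], ENT_QUOTES, 'UTF-8');
    $class = htmlspecialchars($page['class'], ENT_QUOTES, 'UTF-8');
    return "<h1>{$title}</h1>\n<h2>Object Class {$class}</h2>\n";
}

// In index.php the value would come from $_GET['page'] (uppercase). The
// constructed inputs below cover a normal name, a name wrapped in the quotes
// the navbar link adds, and a value containing SQL syntax, which matches no
// row because it is compared as a literal string.
foreach (["scp-003", "'scp-002'", "x' OR '1'='1"] as $input) {
    $pgname = trim($input, "'");
    echo renderPage(findPage($pdo, $pgname));
}
```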