
I want to output the data and also the buttons in my PHP code, but I do not know why the buttons are not output as coded. Can anyone let me know where my code went wrong? I've been searching but I can't find the problem. Thanks in advance.

```php
<?php
if(isset($_POST['invoice_details'])) {
     $discountsql = "INSERT INTO `invoice_price` (`order_id`) VALUES ('.$order_id.') ";
     $conn->query($discountsql);
}
$sql2 = " SELECT order_id FROM ordered_items GROUP BY order_id WHERE order_id = '".$row[order_id]."'  ";
$query2 = $conn -> query($sql2);
while ($row2 = $query2 -> fetch_assoc()) {
?>
    <div class="col-12 form-group">
        <p> <?php echo $row2['order_id']; ?></p>
        <p class="text-success" pointer-events="none" style="font-weight: bold; font-size: 25px; text-align:center;">Your order is confirmed !</p>
        <a href="order-list.php">
          <input class="btn btn-block checkoutbtn" type="button" name="invoice_details"  value="Go to Order Page">
        </a>
    </div>
<?php
}
?>
```
Raptor
shining
  • Your code is vulnerable. You should use prepare() and validation or sanitization. – Ajmal PraveeN Jun 24 '21 at 03:15
  • @AjmalPraveen yes I'm aware of that, but can I know what the problem is that causes my buttons and output not to be displayed? – shining Jun 24 '21 at 03:18
  • Okay sure, you may check whether $row2 is returning the array values you are looking for, because your code says: if there is a $row2 value, display the button. So you may confirm with print_r($row2); whether it is returning the array values. – Ajmal PraveeN Jun 24 '21 at 03:22
  • The query you are creating in `$sql2` is including the value from `$row['order_id']`, but I don't see here where that is initialised. – Tangentially Perpendicular Jun 24 '21 at 03:25
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jun 24 '21 at 10:15
  • You got a typo: `$row[$order_id]` instead of `$row[order_id]`. Of course, you shouldn't query like this. Always sanitize before using the variable in the SQL. – Raptor Jun 25 '21 at 02:57
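
The prepared-statement approach recommended in the comments, applied to the two queries from the question, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database so it runs without a MySQL server; the `item` column, the sample rows and the helper names `validOrderId` and `confirmOrder` are constructed for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database
// (assumption) so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ordered_items (order_id INTEGER, item TEXT)');
$pdo->exec('CREATE TABLE invoice_price (order_id INTEGER)');
$pdo->exec("INSERT INTO ordered_items VALUES (7, 'pen'), (7, 'ink'), (8, 'pad')");

// Hypothetical helper: accept only a positive integer order id.
function validOrderId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the question's two queries with bound parameters.
function confirmOrder(PDO $pdo, $rawOrderId, bool $createInvoice): array
{
    $orderId = validOrderId($rawOrderId);
    if ($orderId === null) {
        return []; // rejected before any SQL runs
    }
    if ($createInvoice) {
        $ins = $pdo->prepare('INSERT INTO invoice_price (order_id) VALUES (:id)');
        $ins->execute([':id' => $orderId]);
    }
    // WHERE has to come before GROUP BY; the value travels separately from the SQL text.
    $sel = $pdo->prepare(
        'SELECT order_id FROM ordered_items WHERE order_id = :id GROUP BY order_id'
    );
    $sel->execute([':id' => $orderId]);
    return $sel->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id and a string that tries to alter the WHERE clause.
foreach (['7', "7' OR '1'='1"] as $input) {
    $rows = confirmOrder($pdo, $input, true);
    printf("%-16s => %d row(s)\n", $input, count($rows));
    foreach ($rows as $id) {
        // Encode on output as well, in case the column is ever non-numeric.
        echo '<p>', htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8'), "</p>\n";
    }
}
```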

0 Answers