-3

When I enter category name manually, I'm able to get its product but when I insert a variable to like the code, I get success but data is empty.

Connection file:

<?php
//cnnection.php 
$server = "localhost";
$user = "root";
$password = "";
$db = "db_ecommerce_shoes";

$connect = new mysqli($server,$user,$password,$db);

Main script:

<?php
    include '../connection.php';

With this, request is successful but data is empty

    $name= 'name';
    $sql = "SELECT * FROM tb_shoes
            WHERE
            catName ='$name'        
            ";

With this, request is successful, data is loaded successful

    $sql = "SELECT * FROM tb_shoes
            WHERE
            catName ='Ladies Shoe'        
            ";
    
    $result = $connect->query($sql);
    
    if($result) {    
        $data = array();
        while($row = $result->fetch_assoc()) {
            $data[] = $row;
        }
        echo json_encode(array(
            "success"=>true,
            "data"=> $data,
        ));
    } else {
        echo json_encode(array(
            "success"=>false,
        ));
    }

Any other way of doing this will be much appreciated.

ADyson
  • 57,178
  • 14
  • 51
  • 63
Benkot
  • 265
  • 1
  • 2
  • 6
  • Maybe there are no rows in your tb_shoes table whose catName field equals `catName`. We don't know, we cannot see the data. – ADyson Jul 20 '21 at 20:47
  • 2
    There is NO error checking in your code - the DBMS is probably telling you why your query is not working but you are not listening. What do you mean by "When I enter category name manually"? Inserting a literal in the code you've shown us? If so you should have shown us that too. You haven't told us what is in "connection.php". – symcbean Jul 20 '21 at 20:54
  • @xstaticvoidx er no, that doesn't happen. It just passes the string verbatim. Your suggestion would simply cause the query to crash because then there'd be unquoted text in it. What OP should _really_ be doing of course when including variable data in a query is doing it safely using [prepared statements and parameters](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) to protect against SQL injection attacks and syntax errors caused by unescaped values. – ADyson Jul 20 '21 at 20:58
  • @symcbean.. I have added the connection.php content to the question.Thanks – Benkot Jul 20 '21 at 21:30
  • The equivalent of `$sql = "SELECT * FROM tb_shoes WHERE catName ='Ladies Shoe'";` using the variable would be `$name= 'Ladies Shoe'; $sql = "SELECT * FROM tb_shoes WHERE catName ='$name'";`. Did you test that? It's unclear why you swapped the value from "Ladies Shoe" to "name". It makes no sense to expect the same result if you use a different value for the category name. – ADyson Jul 20 '21 at 21:35
  • `Any other way of doing this will be much appreciated` ...see my link about regarding prepared statement and parameters for the proper, safe way to include variables into a SQL query from PHP. – ADyson Jul 20 '21 at 21:38

2 Answers2

1

Any other way of doing this will be much appreciated

You should never be directly concatenating variables into the SQL query making it vulnerable to SQL injections. That is a major security issue.

Read about a simple and easy to understand version of prepared statements here.

In your case, try this out

$category = "Ladies Shoe"
$statement = $connect->prepare("SELECT * FROM tb_shoes WHERE catName = ? ")
$statement ->bind_param("s", $category);
$statement ->execute();
$result = $statement ->get_result();

Then you can loop through the results as above. Check if it works!

Rifky Niyas
  • 1,737
  • 10
  • 25
0

Try to assign

$name = 'Ladies Shoe';
    $sql = "SELECT * FROM tb_shoes
            WHERE
            catName ='$name'        
            ";

Does this work?

Peneh
  • 195
  • 1
  • 10