-1

I have a problem. I want to display the data from database in the existing textbox but unfortunately, it does not display the result. My if else loop is not working. I don't want to display the textbox only if the button is click. I want the result display inside the existing textbox after the search button click.

here is my code html code:

<div class="row">
   <div class="column middle2" style="background-color:transparent">
      <div class="container"><br><br>
                                    
        <div class="row">
          <div class="col-01">
            <label for="icno"><b>IC No :</b></label>
          </div>
                                        
          <div class="col-02">
          <form action="" method = "POST">
          <div class="input-group">
          <input type="text" name="icpayer" value = "<?php if(isset($_POST['icpayer'])){echo $_POST['icpayer'];} ?>" class="form-control bg-light border-0 small" >
          <div class="input-group-append">
            <button type="button" id = "searchValue" class="btn btn-primary">
              <i class="fas fa-search fa-sm"></i>
            </button>
          </div>
         </div>
      </form> 
     </div>
    </div>
                                    
    <div class="row">
      <div class="col-01">
        <label for="name"><b>Payer Name :</b></label>
      </div> 
      <div class="col-02">
        <input type="text" id="payername" name="payername" >                  
      </div>
    </div>
  </div>
 </div>
</div>

here is my javascript code:

      $('#searchValue').on('click', function(){
    $.ajax({
        type    : "POST",
        url     : 'searchIcPatient.php', 
        success : function(data)
        {
          $('#payername').val(data);
        },
    });
  });

here is my php code:

 <?php

 if(isset($_POST['icpayer'])){
   $searchValue = $_POST['icpayer'];                                   
   $query="SELECT * FROM ptregistration WHERE patientic = '$searchValue'";
   $result = mysqli_query($con, $query) or die(mysqli_error($con,$query));

   while($row = mysqli_fetch_array($result)){
     echo $row['patientname'];
   }
  }else{
     echo "No Record Found";
   } ?>

my problem is when I click the search button, the result display "No Record Found" even there is similar data in the database. please help me as I am a beginner.

Hidayah Rosli
  • 1
  • 2
  • your Ajax POST request is not sending any data - so `$_POST['icpayer']` will not exist – Professor Abronsius Aug 19 '21 at 07:18
  • how to fix it, sir? – Hidayah Rosli Aug 19 '21 at 07:22
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 19 '21 at 18:40

1 Answers1

0

You should modify the ajax request to send the icpayer parameter. I do not use jQuery so I'm sure a better jQuery method exists but you can do so like this:

$('#searchValue').on('click', function(){
    $.ajax({
        type    : "POST",
        data:{
            icpayer:document.querySelector('input[name="icpayer"]').value
        },
        url     : 'searchIcPatient.php', 
        success : function(data)
        {
          $('#payername').val(data);
        },
    });
});

The PHP was exposing your database to SQL injection (potentially) so you should use Prepared Statements

<?php

    if( $_SERVER['REQUEST_METHOD']=='POST' && isset( $_POST['icpayer'] ) ){
        
        include($_SERVER['DOCUMENT_ROOT'].'/mhcsys/include/config.php');
        
        $icpayer=filter_input( INPUT_POST, 'icpayer', FILTER_SANITIZE_STRING );
        
        $sql='select `patientname` from `ptregistration` where `patientic`=?';
        $stmt=$con->prepare($sql);
        $stmt->bind_param('s',$icpayer);
        $stmt->execute();
        $stmt->store_result();
        $rows=$stmt->num_rows();
        if( $rows > 0 ){                
            $stmt->bind_result( $patientname );
            while( $stmt->fetch() )echo $patientname;

        }else{
            echo 'No Record Found';
        }
    }
?>
Dharman
  • 30,962
  • 25
  • 85
  • 135
Professor Abronsius
  • 33,063
  • 5
  • 32
  • 46
  • `FILTER_SANITIZE_STRING` is deprecated. Please stop using this filter. – Dharman Aug 19 '21 at 18:40
  • @Dharman - since when is `FILTER_SANITIZE_STRING` deprecated? As for the 2nd point I simply put that in the wrong place - that's the trouble without being able to run the code – Professor Abronsius Aug 19 '21 at 20:04
  • Since PHP 8.1 https://wiki.php.net/rfc/deprecations_php_8_1 – Dharman Aug 19 '21 at 20:05
  • ok - thanks for the info. Happily using php 7 and the percentages for PHP8+ usage is still pretty low... but noted, something to be aware of in the future when code breaks. Thankyou – Professor Abronsius Aug 19 '21 at 20:09
  • fair enough...it's late, I'm tired and unable to test the above. Please feel free to make necessary amendments in a constructive, positive manner. Does that involve something like `$stmt->store_result();` anywhere? – Professor Abronsius Aug 19 '21 at 20:28
  • Erm - you added the `$stmt->store_result();` having suggested that was "the easy change, but also completely unnecessary" and then made no further changes as you suggested. Replacing the `if($rows > 0)` with `if($patientname)` will not work and I notice that comments regarding `$rows` being ZERO have been removed however according to a little test I just ran that simply is not so. – Professor Abronsius Aug 20 '21 at 07:57
  • I removed the comments as they have been addressed by adding `store_result`. The code now will work, but it could be simplified. However, as I noticed you are not fetching a single value, so I didn't change anything else. The way it is now is ok. I remove comments that are addressed by an edit – Dharman Aug 20 '21 at 09:47