
I have an input form where, when typing in a certain company's name (onkeyup), a color value is taken from an SQL database.

HTML:

<form id="changeForm" action="includes/tri-inc.php" method="post" style="width: 205px;">
<input id="hiddenId" type="hidden" name="verseid" value="23">
<input id="hiddenArea" type="hidden" name="hiddenArea" value="detail">
<input name="kategorie" type="text" placeholder="Kategorie" value="GA/MSRL"><br>
<input name="firma" onkeyup="showColor(this.value)" type="text" placeholder="Firmenname" value=""><br>
<input id="color" name="color" type="color" value="#FF22FF"><br>
<input name="person" type="text" placeholder="Kontaktperson" value=""><br>
<input name="adresse" type="text" placeholder="Adresse" value=""><br>
<input name="email" type="text" placeholder="Email-Adresse" value=""><br>
<input name="telefon" type="text" placeholder="Telefonnummer" value=""><br>
<input type="submit" name="submit">
</form>

JavaScript:

function showColor(str) {
    if (str.length == 0) {
        document.getElementById('color').value = "#808080";
        return;
    } else {
        const xmlhttp = new XMLHttpRequest();
        xmlhttp.onload = function() {
            document.getElementById("color").value = this.responseText;
        };
        xmlhttp.open("GET", "includes/getColor.php?c=" + encodeURIComponent(str));
        xmlhttp.send();
    }
}

PHP:

<?php
    $c = $_REQUEST["c"];
    require 'database.php';

    if ($c !== "") {
        // The company name is spliced straight into the SQL text
        $sql = "SELECT color FROM dreiecke WHERE firma = '" . urldecode($c) . "'";
        // A statement handle is created, but $sql is never passed to prepare()
        $stmt = mysqli_stmt_init($conn);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        $result = $result[0];
        echo $result === null ? "#ff22ff" : $result;
    } else {
        echo "#ff22ff";
    }
?>

The command doesn't fire properly and returns the default #000000 to the value of the color input field.

The console reads: "mysqli_stmt_execute(): Property access is not allowed"

Where am I going wrong?

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 23 '21 at 13:26
  • Which PHP version are you using? – Dharman Aug 23 '21 at 13:27
  • The problem is simple. You forgot to prepare the prepared statements. You have defined the SQL string, but you never call `prepare`. – Dharman Aug 23 '21 at 13:28
  • I'm using PHP Version 7.3.28 – Lukas Aug 25 '21 at 07:24

1 Answer


Thanks to the comments by Dharman I managed to figure it out:

<?php
    require 'database.php';           // provides $conn (mysqli connection)
    $defaultColor = "#808080";        // was "@808080", which is not a valid CSS color
    // The request is sent with GET and PHP already URL-decodes query parameters,
    // so a second urldecode() would mangle legitimate names containing '%' or '+'.
    $c = $_GET["c"] ?? "";

    if ($c !== "") {
        // Prepared statement: the company name is bound as data, never spliced into the SQL
        $stmt = $conn->prepare("SELECT color FROM dreiecke WHERE firma = ?");
        $stmt->bind_param("s", $c);
        $stmt->execute();
        $stmt->bind_result($color);
        $found = $stmt->fetch();
        $stmt->close();

        // Only hand back a well-formed #rrggbb value; anything else falls through to the default
        if ($found && preg_match('/^#[0-9a-fA-F]{6}$/', substr($color, 0, 7))) {
            echo substr($color, 0, 7);
            return;
        }
    }
    echo $defaultColor;
?>
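Added example, not from the original post: the same lookup run both ways against an in-memory SQLite table via PDO (the table, columns and rows are constructed here to mirror `dreiecke`), showing that an ordinary company name containing an apostrophe already breaks the concatenated query while the bound parameter handles it.

```php
<?php
// Constructed stand-in for the MySQL table from the question, so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE dreiecke (firma TEXT PRIMARY KEY, color TEXT NOT NULL)");
$pdo->exec("INSERT INTO dreiecke VALUES ('Muster GmbH', '#ff22ff'), ('O''Reilly AG', '#00ff00')");

// The question's approach: the company name becomes part of the SQL text.
function colorByConcatenation(PDO $pdo, string $firma): ?string {
    $sql = "SELECT color FROM dreiecke WHERE firma = '" . $firma . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

// The fix from the answer: the name travels as a bound parameter, never as SQL.
function colorByPreparedStatement(PDO $pdo, string $firma): ?string {
    $stmt = $pdo->prepare("SELECT color FROM dreiecke WHERE firma = ?");
    $stmt->execute([$firma]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row ? $row[0] : null;
}

$defaultColor = '#808080';
foreach (['Muster GmbH', "O'Reilly AG", 'Unbekannt'] as $firma) {
    try {
        $concat = colorByConcatenation($pdo, $firma) ?? $defaultColor;
    } catch (PDOException $e) {
        // The apostrophe in a legitimate name terminates the string literal early
        $concat = 'SQL error: ' . $e->getMessage();
    }
    $prepared = colorByPreparedStatement($pdo, $firma) ?? $defaultColor;
    printf("%-12s  concat: %-45s  prepared: %s\n", $firma, $concat, $prepared);
}
```

The unknown name falls back to the default colour in both variants; only the prepared statement returns the stored colour for the name with the apostrophe.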