
Hi, can anyone help me create some JS (or any other way) to make this possible? I already have a working pop-up form and a table with a query and database, and the pop-up form already appears when I click it. The problem is that the result is always empty. Here is my code.

The table:

```php
// Inside the loop that prints the table rows (the echo wrapper was missing
// from the fragment; values are now HTML-escaped before being printed)
echo '<tr>
        <td><a onclick="openForm()">' . htmlspecialchars($row["ID"]) . '</a></td>
        <td>' . htmlspecialchars($row["RVID"]) . '</td>
        <td>' . htmlspecialchars($row["RVDate"]) . '</td>
        <td>' . htmlspecialchars($row["Name"]) . '</td>
</tr>';
```

This is the pop-up form. It only appears when I click the ID in the table, and it is already working, but it is empty:

```html
<div class="form-popup" id="popupForm">
<form class="formContainer">
    <h1>Info</h1>

    <label><b>Name</b></label>
    <!-- values are escaped so a stored value cannot break out of the attribute -->
    <input type="text" name="rvname" value="<?php echo htmlspecialchars($row['Name']); ?>">

    <label><b>ContactNumber</b></label>
    <input type="text" name="contactnumber" value="<?php echo htmlspecialchars($row['ID']); ?>">

    <button type="button" class="btn cancel" onclick="closeForm()">Close</button>
</form>
</div>
```

This is the script for opening and closing the pop-up box:

```javascript
function openForm() {
    document.getElementById("popupForm").style.display = "block";
}

function closeForm() {
    document.getElementById("popupForm").style.display = "none";
}
```

This is the SQL:

```php
<?php include 'C:\\Users\\Ace\\Sites\\db.php';
$result = $pdo->query("SELECT * FROM tblrv  WHERE ID='" . $_GET['id'] . "'");
$row = $result->fetch(PDO::FETCH_BOTH);
```

With the help of `$_GET['id']`, if my address is for example `www.test.cc/records/?id=3891`, then when opening the pop-up form the input boxes show the name and number for ID 3891 (that is what I want). So maybe someone can help me: if I open the pop-up form, what will `$_GET` use? I also tried href and onclick like this: `<td ><a onclick="openForm()">'. $row["ID"] .'</a></td>`, but the page refreshes and the pop-up box closes, so it is not working.

I hope someone has some extra time to give me the best script.

newbie
    **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Oct 06 '22 at 14:24
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Oct 06 '22 at 14:24
  • I thought using PDO makes it safe from SQL injection. – newbie Oct 06 '22 at 14:32
  • No. Using prepared statements and parameters makes it safe. PDO is just one of many database code libraries. You can write safe and unsafe SQL in any of them. PDO isn't magical. You're including user-generated data directly into your SQL string. By the time PDO gets hold of it, it's already too late, the damage is potentially done. That string just gets passed directly to the database as it is. Whereas if you use parameters, the process of incorporating the user data safely into the query is carefully controlled by PDO and the database engine. – ADyson Oct 06 '22 at 14:33
  • The `$pdo->query` function is fine to use when you have a query which doesn't involve any variables, i.e. it's just hard-coded. For everything else, use prepared statements with parameters. – ADyson Oct 06 '22 at 14:36
  • Hi, can you check if this is safe enough? `$result = $pdo->prepare('SELECT * FROM tblpv WHERE ID= :getid'); $result->execute([ 'getid' => $_GET['id'] ]); $row = $result->fetch(PDO::FETCH_BOTH);` – newbie Oct 06 '22 at 14:38
  • Anyway, `onclick="openForm()"` should be `onclick="openForm('')"` and the function should be `function openForm(id) {`, then you pass the clicked ID into it. Then, in the openForm function, have an AJAX request which sends the ID to your PHP script. The PHP script should then return the relevant data. Your Javascript code can then receive that data, and put it into the right place(s) in the popup. – ADyson Oct 06 '22 at 14:40
  • `can you check if this is safe enough`...yes that's much better. – ADyson Oct 06 '22 at 14:40
  • Thank you so much, I'm going to try what you said and find something on how to do it. Thanks for the warning about SQL injection too, that will really help me with future problems. – newbie Oct 06 '22 at 14:43

1 Answer


I tried this way, but I'm still missing something.

For the link I added the ID:

```php
<td ><a onclick="openForm(' . $row["ID"] . ')">'. $row["ID"] .'</a></td>
```

Then for the AJAX, this is what I found and tried to use:

```html
<script>
    // rvid is the clicked row's ID passed in from the onclick attribute
    function openForm(rvid) {
        $.ajax({
            url: "#",
            method: "POST",
            data: { rvid: rvid },
            success: function (data) {
                // show the popup and copy the ID into the form's ID field
                document.getElementById("popupForm").style.display = "block";
                document.getElementById("rvid").value = rvid;
            }
        });
    }

    function closeForm() {
        document.getElementById("popupForm").style.display = "none";
    }
</script>
```

The result is that when opening the form I really do get the rvid into my input box. Now what I need is how to put it into a query, because I want other information too, not only the ID.

Here is my query:

```php
$result = $pdo->prepare('SELECT * FROM tblrv  WHERE ID= :getid');
$result->execute([ 'getid' => /* What should i put here? */ ]);
$row = $result->fetch(PDO::FETCH_BOTH);
```

Here is the part of my pop-up form where the value of the ID is rvid:

```html
<label><b>ID</b></label>
<!-- id attribute added so getElementById("rvid") in the script can find it -->
<input type="text" id="rvid" name="rvid">
```
newbie
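The approach ADyson sketches in the comments (send the clicked ID to a PHP script, get the record back, fill the popup) and the blank in the answer's `execute()` call come together in a small JSON endpoint. The code below is an added example, not the asker's or ADyson's code: it assumes `db.php` defines `$pdo` as on the page, that the popup script POSTs the ID in `rvid` as the `$.ajax` call above does, and a hypothetical file name such as `rvinfo.php` for the `url:` value.

```php
<?php
// Added example endpoint (hypothetical file, e.g. rvinfo.php): returns one
// tblrv row as JSON for the popup. Assumes db.php provides $pdo as on the
// page and that the AJAX request is POST with the row ID in "rvid".
declare(strict_types=1);
include 'C:\\Users\\Ace\\Sites\\db.php';

header('Content-Type: application/json; charset=utf-8');

// Step 1: validate the input before it goes anywhere near SQL. The IDs on
// the page are integers (?id=3891), so anything else is rejected outright.
$rvid = filter_input(
    INPUT_POST,
    'rvid',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($rvid === null || $rvid === false) {
    http_response_code(400);
    echo json_encode(['error' => 'rvid must be a positive integer']);
    exit;
}

// Step 2: prepared statement with a bound parameter. The value is sent to
// the database separately from the SQL text, so it cannot alter the query;
// this is what belongs where the answer asks "What should i put here".
$stmt = $pdo->prepare('SELECT ID, RVID, RVDate, Name FROM tblrv WHERE ID = :getid');
$stmt->bindValue(':getid', $rvid, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    echo json_encode(['error' => 'no record with that ID']);
    exit;
}

// Step 3: return only the columns the popup needs. json_encode escapes the
// values; the JavaScript side should assign them with .value or .textContent,
// never innerHTML, so a stored value cannot be interpreted as markup.
echo json_encode($row, JSON_THROW_ON_ERROR);
```

In the `success` callback the returned object can then be copied into the fields, e.g. `document.querySelector('[name=rvname]').value = data.Name;`, which is what makes the popup show the record rather than an empty form.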