I'm trying to show all the platforms in the "area" and "block_number" which is passed to my page in the url. However when I run the page with the "area" and "block_number" in the url I am not getting any rows. I only get the else statement Sorry No Results. Can someone please show me what I'm doing wrong?

<?php
 
//// Get items from url
$area1 = $_GET[area];
$block_number1 = $_GET[block_number];


$servername = "localhost";
$username = "";
$password = "";
$dbname = "";


// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
  die("Connection failed: " . $conn->connect_error);
}

$sql = 'SELECT * from platform_locations where area = $area1 and block_number = $block_number1';
$result = $conn->query($sql);


if ($result->num_rows > 0) {
  // output data of each row
  while ($row = $result->fetch_assoc()) {
        echo '<div class="col-lg-4 col-md-4 col-sm-6 wow bounceInUp" data-wow-duration="1s" data-wow-delay="0.4s">
              <div class="feature-1 box-shadow">
              <img src="img/platform_icon.png" alt="">
              <h3 class="feature__title">'. $row['area'] .' '. $row['block_number'] .'</h3>
              <p class="feature__text">
              Structure Name: '. $row['structure_name'] .'<br>
              Attended: '. $row['attended'] .'<br>
              <a href="Structure_info.php?p_id='. $row['p_id'] .'" target="_self" class="btn btn-sm btn-red">More Information</a>
              <br>
              <font color="Tomato">'. $row['remove_date'] .'</font></p>
              </div></div>';
  }
}
else {
    echo '<br>Sorry No Results';
}

?>
Justin Petty
  • Your script is vulnerable to [SQL Injection Attack](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even if [you are escaping variables, it's not safe](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)! You should always use [prepared statements and parameterized queries](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either MYSQLI or PDO instead of concatenating variables into the query. – Barmar Jan 12 '23 at 22:21
  • `$_GET[area]` should be `$_GET['area']` – Barmar Jan 12 '23 at 22:22
  • Try doing `echo $sql` to see if the query has what you expect. Then try running the query by hand in the mysql CLI or phpMyAdmin. – Barmar Jan 12 '23 at 22:23
  • You can put variables into a string, but you should use double quotes for this, not single ones. Like `$sql = "SELECT * from platform_locations where area = $_GET[area] and block_number = $_GET[block_number1]"` as an example, of course you should clear the inputs before sending it to the database. – Lothric Jan 13 '23 at 02:05
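The comments above point at two separate problems: in PHP a single-quoted string does not interpolate variables, so the query in the question sends the literal text `$area1` to MySQL, and building the query by concatenating `$_GET` values at all leaves it open to SQL injection. The following is an added example, not the asker's or any answerer's code, showing the same lookup written with a mysqli prepared statement so that the user-supplied values never become part of the SQL text. It keeps the table and column names from the question; the credentials are placeholders, and it assumes the mysqlnd driver (needed for `get_result()`) and PHP 7.4 or later for the arrow function.

```php
<?php
// Added example (not the asker's code): the question's lookup rewritten
// with a mysqli prepared statement. Credentials are placeholders.

$servername = "localhost";
$username   = "";
$password   = "";
$dbname     = "";

// Make mysqli throw exceptions instead of silently returning false, so a
// failed prepare/execute is not mistaken for "no rows".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli($servername, $username, $password, $dbname);
$conn->set_charset('utf8mb4');

// Quote the array keys: $_GET[area] is an undefined-constant lookup (a
// warning in PHP 7, an Error in PHP 8). Default to '' when absent.
$area1         = $_GET['area'] ?? '';
$block_number1 = $_GET['block_number'] ?? '';

// Optional early validation (assumption: block numbers are digits only).
// Rejecting malformed input here keeps garbage out of the database layer.
if ($block_number1 === '' || !ctype_digit($block_number1)) {
    echo '<br>Sorry No Results';
    exit;
}

// The ? placeholders are sent to the server separately from the values, so
// whatever is in the URL is treated as data, never parsed as SQL. Naming the
// columns instead of SELECT * also documents what the page uses.
$stmt = $conn->prepare(
    'SELECT p_id, area, block_number, structure_name, attended, remove_date
       FROM platform_locations
      WHERE area = ? AND block_number = ?'
);
// 's' binds as string; if block_number is an INT column, 'si' with an int
// cast is a tighter fit, but MySQL will compare a string value correctly.
$stmt->bind_param('ss', $area1, $block_number1);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows > 0) {
    // Escape every database value before echoing it into HTML so a stored
    // value cannot inject markup or script into the page (reflected/stored XSS).
    $h = fn($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    while ($row = $result->fetch_assoc()) {
        echo '<div class="col-lg-4 col-md-4 col-sm-6">'
           . '<div class="feature-1 box-shadow">'
           . '<h3 class="feature__title">' . $h($row['area']) . ' ' . $h($row['block_number']) . '</h3>'
           . '<p class="feature__text">'
           . 'Structure Name: ' . $h($row['structure_name']) . '<br>'
           . 'Attended: ' . $h($row['attended']) . '<br>'
           . '<a href="Structure_info.php?p_id=' . urlencode((string) $row['p_id']) . '" class="btn btn-sm btn-red">More Information</a><br>'
           . $h($row['remove_date'])
           . '</p></div></div>';
    }
} else {
    echo '<br>Sorry No Results';
}

$stmt->close();
$conn->close();
```

With `MYSQLI_REPORT_STRICT` enabled, a typo in the SQL or a wrong column name surfaces as an exception with the server's message rather than as a silent "Sorry No Results", which is the quickest way to tell a genuinely empty result set from a broken query. The same `?` placeholder approach applies to `Structure_info.php`, which receives `p_id` from the URL in exactly the same way.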

1 Answer

There was a space in between the equals symbol and $area1 that was making it return 0 rows. I do believe that the other comments were also correct and I will be researching ways to make my code more secure as @Barmar suggested.

I changed `area = $area1` to `area =$area1` and it started working as expected.

Justin Petty