-2

Backstory: I have a program that takes an input of an ISBN number, uses an API to find what book it is and return its title, ISBN 10 number and ISBN 13 number. These are then stored in a MySQL database.

I am now trying to implement a search function to my program, where the ISBN 10 and 13 values are used to search the database for a book.

The problem I am having is the query doesn't seem to be doing anything, even though it works fine when executed on the server.

I am using XAMPP to host my MySQL server and the webpage the user interacts with.

The Problems: After the user inputs an ISBN number (10 or 13) and a book is found and its details returned, the user is presented with these details and 3 buttons.

The first will add the book's details to the database, then direct the user back to the main page. The button used to work fine, but now for some unknown reason it will only add to the database and not send the user back to the main page.

The second button is the one I'm having the most trouble with - the search button. When pressed it runs a script which includes some PHP code to run the actual query. Unfortunately the search query either isn't working or the script refuses to run all the way through (much like the issue with button 1).

The third button works fine, it redirects the user back to the main page so they can enter another ISBN number. There are no issues with this button.

The file with all these problems in it is shown below, I can provide the other files if needed.

index.php

```php
<?php
    include("request.php");

    echo $title."<br>";
    echo $isbn10."<br>";
    echo $isbn13."<br>";
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>mysql</title>
</head>
<body>

    <button id="addtodb" type="button" onclick="addnewbook()">add to db</button>

    <button id="searchdb" type="button" onclick="searchforbook()">search db</button>

    <button id="goback" type="button" onclick="window.location.href='index.html'" >go back</button>

    <script>

        function addnewbook(){
            document.getElementById("addtodb").innerHTML='added to database';
            setTimeout(() => {location.href="index.html";}, 750);
            <?php
                $sql="INSERT INTO books (title, isbn_10, isbn_13) VALUES ('$title', '$isbn10', '$isbn13')";
                mysqli_query($conn,$sql);
            ?>
        }

        function searchforbook(){
            document.getElementById("searchdb").innerHTML='searching db';
            setTimeout(() => {location.href="askdb.php";}, 1000);
            <?php
                $sql="SELECT * FROM books WHERE isbn_10 LIKE '$isbn10' OR isbn_13 LIKE '$isbn13';";
                $result=mysqli_query($conn,$sql);
                echo $result;
            ?>
        }

    </script>

</body>
</html>
```
    You can't execute PHP code inside a JavaScript function. All the PHP runs when the page is being created. – Barmar Aug 30 '23 at 19:55
  • Even if you _could_ do this (which you can't), it would open you up to all sorts of injection issues since the client could write literally any query they want. Not to mention your queries are _already_ vulnerable to SQL injection even if they were put in the right place. You should be using prepared statements/parameterized queries. – GrumpyCrouton Aug 30 '23 at 20:14
  • What you probably are looking for is an Ajax call to make a new HTTP request to a PHP script. – GrumpyCrouton Aug 30 '23 at 20:15
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Aug 30 '23 at 23:56
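The shape the comments point to, written here as an added example rather than the asker's code: a separate PHP endpoint (assumed name `search.php`, with the mysqli connection `$conn` assumed to come from an include such as the asker's request.php) that the search button calls over HTTP with `fetch()`, so the query runs on click instead of once at page build, and that binds the ISBN as a prepared-statement parameter instead of splicing it into the SQL string. It generalises slightly by taking one ISBN and matching it against either column.

```php
<?php
// search.php (assumed name). Called from the page as
//   fetch('search.php?isbn=' + encodeURIComponent(isbn)).then(r => r.json())
// PHP placed inside a JS function body only runs when the page is rendered,
// so the lookup must live in its own request like this one.
declare(strict_types=1);
header('Content-Type: application/json');

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumption: this include defines $conn, a mysqli connection to the books DB.
require __DIR__ . '/request.php';

// Validate the input before it goes anywhere near SQL: strip hyphens/spaces,
// then accept only a 10-character (last may be X) or 13-digit ISBN.
$raw  = $_GET['isbn'] ?? '';
$raw  = is_string($raw) ? $raw : '';
$isbn = strtoupper((string) preg_replace('/[-\s]/', '', $raw));
if (!preg_match('/^(?:\d{9}[\dX]|\d{13})$/', $isbn)) {
    http_response_code(400);
    echo json_encode(['error' => 'ISBN must be 10 or 13 characters']);
    exit;
}

// Prepared statement: the ISBN travels to MySQL as a bound value, never as part
// of the query text, so quotes or SQL keywords in the input are matched literally
// and cannot change what the statement does. Equality replaces the original
// LIKE, which behaved the same without wildcards anyway.
$stmt = $conn->prepare(
    'SELECT title, isbn_10, isbn_13 FROM books WHERE isbn_10 = ? OR isbn_13 = ?'
);
$stmt->bind_param('ss', $isbn, $isbn);
$stmt->execute();
// get_result() needs the mysqlnd driver, which XAMPP ships with.
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

echo json_encode(['count' => count($rows), 'books' => $rows]);
```

The "add to db" button is fixed the same way: its own endpoint with a prepared `INSERT ... VALUES (?, ?, ?)`, called with `fetch()` from the click handler, and the redirect done only after the response arrives.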
