0

I'm currently learning php and am testing around with sqli queries. I want to have an input field where a number can be entered. This number is used in the sql-query. Unfortunately it doesn't work the way I want. The text field is stored in index.php as this: 

<form method="post" action="handler.php">
<input type="text" name="idEingabe">
<input type="submit" value="Abfrage für eingegebene ID starten">
</form>

In handler.php, I'm using

$stridEingabe = $_POST["idEingabe"];

And the query contains:

$query = 'SELECT name, beschreibung FROM uebersicht WHERE id = "$stridEingabe"'; 
$result = mysqli_query($con, $query);
if ($result = mysqli_query($con, $query)) {
/* Array ausgeben */
while ($row = mysqli_fetch_assoc($result)) {
    printf ("<b>%s</b> <br>%s<br> <br>", $row["name"],  $row["beschreibung"]);

}

/* free result set */
mysqli_free_result($result);
}
mysqli_close($con);
?>

Unfortunately I don't get any results when I enter the number into the text box and click the submit-button. But if I write the number in the query without using $stridEingabe, I'm getting the results.

Where is the mistake? Thanks a lot

Improve this question
2
  • 2
    the problem here is, you're querying twice, resulting in a syntax error that MySQL is throwing in the background. Commented May 20, 2015 at 21:29
  • 2
    you're vulnerable to sql injection attacks, as well. Commented May 20, 2015 at 21:32

4 Answers 4

Reset to default
2

Seeing that an answer's been submitted before this, thought I'd put one in too and based on a comment I left under the question.

One of the problems here is, you're querying twice which is a major issue, resulting in a syntax error that MySQL is throwing in the background, but you're not listening for it. Plus, your quoting method which I've modified below, just in case it is a string; which we don't know at this time.

$query = 'SELECT name, beschreibung FROM uebersicht WHERE id = "$stridEingabe"'; 

$result = mysqli_query($con, $query);
          ^^^^^^^^^^^^
if ($result = mysqli_query($con, $query)) {
              ^^^^^^^^^^^^

/* Array ausgeben */
while ($row = mysqli_fetch_assoc($result)) {
    printf ("<b>%s</b> <br>%s<br> <br>", $row["name"],  $row["beschreibung"]);

}

what you want is to remove = mysqli_query($con, $query) and add error checking:

$query = "SELECT name, beschreibung FROM uebersicht WHERE id = '".$stridEingabe."'"; 

$result = mysqli_query($con, $query);

if ($result) {
/* Array ausgeben */
while ($row = mysqli_fetch_assoc($result)) {
    printf ("<b>%s</b> <br>%s<br> <br>", $row["name"],  $row["beschreibung"]);

    }

} // brace for if ($result)

// else statement for if ($result)
else{
    echo "There was an error: " .mysqli_error($con);
}

Or, better yet using mysqli_real_escape_string().

$stridEingabe = mysqli_real_escape_string($con,$_POST["idEingabe"]);
  • Although prepared statements are best.

Plus, in regards to SQL injection which is something you're open to, should be using mysqli with prepared statements, or PDO with prepared statements, they're much safer.

Footnotes:

Make sure you are indeed using mysqli_ to connect with and not another MySQL API such as mysql_ or PDO to connect with. Those different APIs do not intermix with each other.

I say this because, the connection method is unknown in your question.

Plus, if you're using your entire code inside the same file, then you should be using a conditional statement for your POST array, otherwise it will thrown a notice immediately on page load; assuming error reporting is enabled on your system.

  • The notice would be "Undefined index idEingabe..."

I.e.:

if(!empty($_POST['idEingabe'])){...}

Another thing; if your inputted value is an integer, you can use the following functions to make sure they are integers and not a string, if that is what the ultimate goal is:

and using a conditional statement in conjunction with those.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never production.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thanks for the detailed explanation! It's working now and I get the results I expected.
0

Two things, first your quotes are wrong, and second, with your code you are vulnerable to sql code injection attacks, try this instead:

$stridEingabe = mysql_real_escape_string($_POST["idEingabe"]);
$query = "SELECT name, beschreibung FROM uebersicht WHERE id='$stridEingabe'";
Improve this answer

5 Comments

Just to point out: the quotes are wrong for PHP - '-quoted strings do not interpolate variables. but mysql itself won't care. "foo" and 'foo' are the same to mysql.
Variables are not replaced with the variable contents unless the string is quoted with " instead of '. So, quoting with ' makes the query hold the variable name instead of the variable contents.
yeah, I misread your answer the first time around, so... fixed up my comment.
Then using " makes the query hold the variable contents and using ' makes the query hold the variable name (as a string), that's right ?
Yes, if a word starts with $ and there is a variable named as that word, and the variable has a pasteable content (a string, a number etc, not objects) then it gets replaced with the variable contents. If the variable is null the most likely that will apear in the query, a null word.
0

The problem is that you are not concatenating the $string to the query

Use something like 

$query = 'SELECT name, beschreibung FROM uebersicht WHERE id = ''.$stridEingabe.'';

Or use double quotes which is way more acceptable

$query = "SELECT name, beschreibung FROM uebersicht WHERE id = '$stridEingabe'";

And try to use only the $results declared in the if statement to avoid double queries.

Improve this answer

Comments

0

You are using wrong quotes. try this:

 $query = "SELECT name, beschreibung FROM uebersicht WHERE id = '$stridEingabe'";
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.