thenorman138 Posted April 12, 2017

I need help passing a value from a database. I've done this successfully with drop-down boxes, getting the selection and then posting with a submit button, where it would fill the tables in Display.php successfully. However, I'm now using an HTML table that fills with values as a list and uses the serial number as a hyperlink. When the user selects the link and it opens Display.php, I want to grab the serial number associated with that link/row and use it in the SQL query on the Display.php page so it can match that serial number with a stageID in my staging table and select all values for that row.

In the following code, if I debug the $_GET array, it shows the correctly chosen serial number. If I debug/print $_GET and $result1, I get:

```
Array ( [id] => 70066665 )
mysqli_result Object ( [current_field] => 0 [field_count] => 230 [lengths] => [num_rows] => 0 [type] => 0 )
```

Since these show the correct serial number and row lengths, I know that the dashboard page and hyperlink code are working, as well as my SQL connection. I feel like there may be an issue in the way I've created the query on Display.php, where it just isn't grabbing or matching correctly. Here is the code:

**Dashboard.php**

```php
<?php
$query1 = "SELECT * FROM staging;";
$result1 = mysqli_query($connect, $query1);
while ($row = mysqli_fetch_array($result1)) {
?>
<tr>
<td><?php echo $row['workOrderPacket']; ?> </td>
<td><?php echo $row['workOrderNum']; ?> </td>
<td><?php echo $row['date']; ?> </td>
<td><?php echo $row['utility']; ?> </td>
<td><?php echo $row['serviceName']; ?> </td>
<td><?php echo $row['address']; ?> </td>
<td><?php echo $row['serialNumber']; ?> </td>
<td><?php echo '<a href="Display.php? id='.$row['serialNumber'].'">'.$row['serialNumber'].'</a>'; ?> </td>
</tr>
<?php } ?>
</table>
```

**Display.php**

```php
<?php
//if(isset($_POST['submit']))
if (isset($_GET['id'])) {
    $query1 = "SELECT * FROM staging WHERE stageID = ".$_REQUEST['id'].";";
    $result1 = mysqli_query($connect, $query1);
    while ($row = mysqli_fetch_array($result1)) {
?>
///// 20 HTML tables filled with values from database /////
```
requinix Posted April 12, 2017

Besides the SQL injection, the only pro-- [field_count] => 230 ...uh, what?

Okay, so besides the SQL injection and the horrible database design, the only problem I see is that the URL

```php
'<a href="Display.php? id='.$row['serialNumber'].'">'.$row['serialNumber'].'</a>'; ?>
```

uses the serialNumber (and has a weird space in there) while the code

```php
$query1 = "SELECT * FROM staging WHERE stageID = ".$_REQUEST['id'].";";
```

uses the stageID.
thenorman138 Posted April 12, 2017 (Author)

Thank you, I failed to replace stageID from another query. I swapped that out and it worked perfectly, thank you!

And yes, I avoided prepared statements for now because this is a local test project, so injection wasn't a concern just yet; I'm just trying to get some PHP working first. And our staging table is for a CSV import, and the CSV has 230 static fields. Once the CSV imports here and all is well, it splits into 8 other tables. It's just a holding table, basically.
requinix Posted April 12, 2017

> And our staging table is for a CSV import and the CSV has 230 static fields. Once the CSV imports here and all is well it splits into 8 other tables. It's just a holding table basically.

Ah okay, for importing data it's excusable. But that's still one crazy CSV file you've got there.
Jacques1 Posted April 13, 2017

> And yes, I avoided prepared statements for now because this is a local test project so injection wasn't a concern just yet, just trying to get some PHP working first.

This statement is a contradiction in terms. When your code has an obvious defect, then it cannot be "working" (unless you've redefined the term to mean something else). An SQL injection vulnerability is not "just a vulnerability". It's a defect which can blow up at any time, even when no bad intentions are involved. So instead of writing software which is broken by design, why don't you simply fix your stuff?
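For readers landing on this thread, here is the shape of the fix both replies are pointing at: the column mismatch requinix found (the link carries serialNumber, the query filtered on stageID) and the string-concatenated query Jacques1 objects to. This is an added example, not the original poster's code or either reply's. It assumes `$connect` is an open mysqli connection, that `staging.serialNumber` is a string column and is what the link should match, and that the helper names `fetchStagingRow()` and `serialLink()` are hypothetical.

```php
<?php
// Added example, not the original poster's code: Display.php lookup and the
// Dashboard.php link with the injection closed. Assumes $connect is an open
// mysqli connection and that staging.serialNumber (a string column) is what
// the link carries; fetchStagingRow() and serialLink() are hypothetical names.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false, so a broken query
// cannot silently hand back an empty result set like the one in the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Fetch one staging row by serial number.
 *
 * The original query was assembled by string concatenation:
 *   "SELECT * FROM staging WHERE stageID = " . $_REQUEST['id'] . ";"
 * In that form ?id=0 OR 1=1 matches every row, and a serial number that
 * contains a quote or a space is a syntax error with no attacker involved.
 * With a bound parameter the value travels to the server separately from
 * the SQL text, so it can only be compared, never parsed as SQL.
 */
function fetchStagingRow(mysqli $connect, string $serialNumber): ?array
{
    $stmt = $connect->prepare('SELECT * FROM staging WHERE serialNumber = ? LIMIT 1');
    $stmt->bind_param('s', $serialNumber); // 's' = string; use 'i' if the column is an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() requires the mysqlnd driver
    $stmt->close();

    return $row ?: null; // null when no row matched
}

/**
 * Build the dashboard link for one serial number.
 * urlencode() protects the query string; htmlspecialchars() protects the
 * surrounding HTML. The staging table is loaded from a CSV, so its values
 * are untrusted input as well.
 */
function serialLink(string $serialNumber): string
{
    return '<a href="Display.php?id=' . urlencode($serialNumber) . '">'
        . htmlspecialchars($serialNumber, ENT_QUOTES, 'UTF-8') . '</a>';
}

// ---- Dashboard.php ----
$result1 = $connect->query('SELECT workOrderNum, serialNumber FROM staging');
while ($row = $result1->fetch_assoc()) {
    echo '<tr><td>', htmlspecialchars((string) $row['workOrderNum'], ENT_QUOTES, 'UTF-8'),
         '</td><td>', serialLink((string) $row['serialNumber']), '</td></tr>';
}

// ---- Display.php ----
// Read from $_GET only; $_REQUEST also merges POST and cookie values.
$id = $_GET['id'] ?? '';
if (!is_string($id) || $id === '') {
    http_response_code(400);
    exit('Missing id');
}

$row = fetchStagingRow($connect, $id);
if ($row === null) {
    http_response_code(404);
    exit('No staging row for that serial number');
}

// Render the tables from $row; every value goes through htmlspecialchars().
echo '<table><tr><td>', htmlspecialchars((string) $row['serialNumber'], ENT_QUOTES, 'UTF-8'), '</td></tr></table>';
```

Two details worth keeping even in a local test project: `mysqli_report()` in strict mode turns the silent `false` return of a failed query into an exception, which would have pointed straight at the bad column name, and reading the id from `$_GET` rather than `$_REQUEST` means a POST body or cookie cannot override the value in the link.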