RobDgital Posted July 14, 2017 (edited)

Hi all. I am really battling with stupid things, and I can not see my errors. I am trying to display records from my db, but to no avail. Please can someone see my error...

My conn code is as follows:

```php
<?php
$proId = $_GET['profileId'];
$postId = $_POST['postedId'];

$servername = "localhost";
$username = "findo_aniuser";
$password = "111lmx333AO!";
$dbname = "findo_animals";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT * FROM codeinfo WHERE uniCode='".$proId."' OR uniCode='".$postId."'";
$result = $conn->query($sql);
//echo $sql;
?>
```

and in my page, all I am trying to do is show a record, but I am getting no results. I have checked my query on phpmysql and it is returning a recordset!? Trying to display my result on the page with the following. Again, your help is much appreciated

```php
<?php echo $row["uniCode"]; ?>
```

benanamen Posted July 14, 2017 (edited)

You should start with turning on error reporting. You are not checking whether your query parameters have a value. There are other problems that I am sure others will point out about your insecure code.

Jacques1 Posted July 14, 2017 (Solution)

First the standard decontamination procedure:

- Your code has SQL injection vulnerabilities all over the place. Not only can this be used to compromise your database or even the entire server. It also leads to syntax errors with perfectly valid input. Learn to use prepared statements.
- Your error handling is messed up. First you dump your connection error straight on the website, which is really helpful for attackers and very irritating for legitimate users. Then you just stop checking for errors altogether. Learn how to enable exceptions and then let PHP handle them.
- mysqli is actually a poor choice. It's a cumbersome low-level interface for people who read the manual, and we all know this doesn't work for PHP programmers. If you can, switch to PDO. It's far more programmer-friendly and supports many different database systems, not just MySQL.
- You have no input validation whatsoever. You don't check the request method, you don't check if the parameters are actually present, you don't check if their values make sense. This makes the application extremely fragile and difficult to debug, because invalid values aren't caught and may have all kinds of unexpected effects. Maybe the application crashes at some point, maybe it continues but doesn't do what it should. You never know. Learn to validate all input.

If you're still having trouble, post the full code (leaving out the relevant fetch parts is rather silly) in code tags (not this custom colored text stuff) and with a concrete error message.

RobDgital Posted July 14, 2017 (Author)

Thank you for your answer Master Coder.
If I hard code the variable in it still gives me errors, so I am baffled, there is a parameter value

RobDgital Posted July 14, 2017 (Author)

Thanks Guru
The dumping of the is only for when in dev stages, if I put it live, I delete this

RobDgital Posted July 14, 2017 (Author)

Appreciate the pointer on prepared statements, used, and had success!

Jacques1 Posted July 14, 2017

> The dumping of the is only for when in dev stages, if I put it live, I delete this

You should delete it altogether. It doesn't make any sense to clutter your code with echo statements which don't even include all relevant information and then delete everything.

You're reinventing the square wheel. PHP already has an error reporting mechanism which works in all environments and doesn't require any code changes. If you want to see the error during development, you enable display_errors in your php.ini. If you want to log the errors in production, you enable log_errors.

By the way, the usernames in this forum are the blue text on the grey bar. You're RobDgital, I'm Jacques1.
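
The advice in Jacques1's two replies (prepared statements, PDO with exceptions, input validation, no hand-written error output), put together as an added example that is not part of the thread and not any poster's code. Assumptions: an in-memory SQLite database stands in for the MySQL one so the script runs offline, the `info` column and the 32-character limit are made up, and `requireCode` and `findByCode` are hypothetical helper names; only the `profileId` lookup is shown.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL database so the
// example runs offline; for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // DB failures throw
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample data; the "info" column is hypothetical.
$pdo->exec('CREATE TABLE codeinfo (uniCode TEXT PRIMARY KEY, info TEXT)');
$pdo->exec("INSERT INTO codeinfo VALUES ('A100', 'first'), ('O''Neil', 'second')");

/**
 * Validate one request parameter: present, a string, 1 to 32 characters.
 * (The length limit is an assumed rule; use what uniCode really allows.)
 */
function requireCode(array $source, string $key): string
{
    $value = $source[$key] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > 32) {
        throw new InvalidArgumentException("Missing or invalid parameter: $key");
    }
    return $value;
}

/** Look up rows by code; the value is bound, never spliced into the SQL. */
function findByCode(PDO $pdo, string $code): array
{
    $stmt = $pdo->prepare('SELECT uniCode, info FROM codeinfo WHERE uniCode = :code');
    $stmt->execute(['code' => $code]);
    return $stmt->fetchAll(); // rows must be fetched before they can be shown
}

// Constructed stand-ins for $_GET: a normal value, a valid value containing
// a quote, an injection-style string, and a request with no parameter.
$requests = [['profileId' => 'A100'], ['profileId' => "O'Neil"],
             ['profileId' => "x' OR '1'='1"], []];
foreach ($requests as $get) {
    try {
        $rows = findByCode($pdo, requireCode($get, 'profileId'));
        echo count($rows), ' row(s) for ', json_encode($get['profileId']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n"; // a real page would send HTTP 400
    }
}
```

Database errors are deliberately not caught: with `display_errors` on in development or `log_errors` on in production, PHP reports the uncaught `PDOException` without any echo statements in the code.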