help displaying record info

[RobDgital]

Hi all.

I am really battling with stupid things, and I can not see my errors. I am trying to display records from my db, but to no avail. Please can someone see my error...

 

My conn code is as follows:
 

<?php

$proId = $_GET['profileId'];

$postId = $_POST['postedId'];

$servername = "localhost";

$username = "findo_aniuser";

$password = "111lmx333AO!";

$dbname = "findo_animals";

// Create connection

$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection

if ($conn->connect_error) {

die("Connection failed: " . $conn->connect_error);

}

$sql = "SELECT * FROM codeinfo WHERE uniCode='".$proId."' OR uniCode='".$postId."'";

$result = $conn->query($sql);

//echo $sql;

?>

 

and in my page, all I am trying to do is show a record, but I am getting no results. I have checked my query on phpmysql and it is returning a recordset!?

Trying to display my result on the page with the following. Again, your help is much appreciated

 

<?php echo $row["uniCode"]; ?>

[benanamen]

You should start with turning on error reporting. You are not checking whether your query parameters have a value. There are other problems that I am sure others will point out about your insecure code.

[Jacques1]

First the standard decontamination procedure:

• Your code has SQL injection vulnerabilities all over the place. Not only can this be used to compromise your database or even the entire server. It also leads to syntax errors with perfectly valid input. Learn to use prepared statements.
• Your error handling is messed up. First you dump your connection error straight on the website, which is really helpful for attackers and very irritating for legitimate users. Then you just stop checking for errors altogether. Learn how to enable exceptions and then let PHP handle them.
• mysqli is actually a poor choice. It's a cumbersome low-level interface for people who read the manual, and we all know this doesn't work for PHP programmers. If you can, switch to PDO. It's far more programmer-friendly and supports many different database systems, not just MySQL.
• You have no input validation whatsoever. You don't check the request method, you don't check if the parameters are actually present, you don't check if their values make sense. This makes the application extremely fragile and difficult to debug, because invalid values aren't caught and may have all kinds of unexpected effects. Maybe the application crashes at some point, maybe it continues but doesn't do what it should. You never know. Learn to validate all input.

 

If you're still having trouble, post the full code (leaving out the relevant fetch parts is rather silly) in code tags (not this custom colored text stuff) and with a concrete error message.

[RobDgital]

Thank you for you answer Master Coder.
If I hard code the variable in it still gives me errors, so I am baffled, there is a parameter value

[RobDgital]

Thanks Guru
The dumping of the is only for when in dev stages, if i put it live, i delete this

[RobDgital]

Appreciate the pointer on prepared statements, used, and had success!

[Jacques1]

The dumping of the is only for when in dev stages, if i put it live, i delete this

 

You should delete it all together. It doesn't make any sense to clutter your code with echo statements which don't even include all relevant information and then delete everything.

 

You're reinventing the square wheel. PHP already has an error reporting mechanism which works in all environments and doesn't require any code changes. If you want to see the error during development, you enable display_errors in your php.ini. If you want to log the errors in production, you enable log_errors.

 

By the way, the usernames in this forum are the blue text on the grey bar. You're RobDgital, I'm Jacques1.