  1. #1
    New to the CF scene
    Join Date
    May 2017
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    error in php code

    I am getting an error when displaying the phone numbers of all users who have the same blood group, but when I pass 'A+' instead of '$Bldgrp', I get the required output; otherwise I get the output {"result":[]}. I am using the webhosting *************** & this is my url http://retiform-power.000webhostapp.....php?Bldgrp=A+.......




    <?php
    require "conn.php";
    if ($_SERVER['REQUEST_METHOD'] == 'GET') {
        $Bldgrp = $_GET['Bldgrp'];
        // the request value is interpolated straight into the SQL string
        $sql = "SELECT * FROM regstable WHERE Bldgrp = '$Bldgrp'";
        $res = mysqli_query($conn, $sql);
        $result = array();
        while ($row = mysqli_fetch_array($res)) {
            // each row's fourth column is wrapped in its own single-element array
            array_push($result, array($row[3]));
        }
        echo json_encode(array("result" => $result));
        mysqli_close($conn);
    }

  2. #2
    New to the CF scene
    Join Date
    Jan 2016
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Before array_push, write var_dump($row) to check the structure of the data.

  3. #3
    Senior Coder deathshadow's Avatar
    Join Date
    Feb 2016
    Location
    Keene, NH
    Posts
    1,890
    Thanks
    2
    Thanked 274 Times in 264 Posts
    Whilst I can't say what's causing your error without seeing the data, your code is wide open to SQL injection since you're slopping your $_GET data into the bloody query string like you were using the outdated/outmoded mysql_ functions. If you're going to use mysqli, it's time to learn to USE IT PROPERLY -- and that means prepare/execute not dumping a variable into a query string where if I passed:

    ?Bldgrp=x%27%3B%20DROP%20TABLE%20egstable%20%3B--

    To your URI, you'd have a very BAD day.

    Also time to put on the big boy pants and stop using the functional wrappers whilst at it... you should avoid using uppercase in your field and table names... and do you REALLY mean to push a single element numeric indexed array ONTO the results array? Seems wasteful/pointless/nonsensical.

    Code:
    <?php
    require('conn.php');
    if ($_SERVER['REQUEST_METHOD'] == 'GET') {
        // prepare once; the value is bound as data, not spliced into the SQL text
        $stmt = $conn->prepare('
            SELECT *
            FROM regstable
            WHERE bldgrp = ?
        ');
        $stmt->bind_param('s', $_GET['Bldgrp']);
        $stmt->execute();
        $result = [];
        // mysqli_stmt has no fetch_array(); fetch rows through get_result()
        $rows = $stmt->get_result();
        while ($row = $rows->fetch_array()) $result[] = $row[3];
        echo json_encode(array("result" => $result));
    } else {
        // be sure to handle if no data was passed...
    }
    $conn->close();
    Note the change to lowercase for the field name -- you'd want to reflect that in your table since uppercase field names and table names can be mangled by some backup utilities and/or OS. I would ALSO highly suggest that if you're only using whatever field '3' is, that you get JUST that field by name in the result set instead of every joe-blasted value!

    But really, 99.999999999999% of the time you see a variable in the query string, that's outdated outmoded insecure rubbish that is JUST going to whip around and bite you in the arse.
    I would rather have questions that can't be answered, than answers that can't be questioned.
    http://www.cutcodedown.com

  4. #4
    Senior Coder benanamen's Avatar
    Join Date
    Oct 2015
    Posts
    1,087
    Thanks
    2
    Thanked 117 Times in 114 Posts
    You have several issues. The main one is that you are trying to put an array result into another array. You already have your result in an array, just use it. Additionally, do not SELECT *, specify the column(s) you want. In your case especially. You are only using one column. No reason to select the entire row. Also, never ever put variables in a query. You need to use prepared statements. And finally, no need to manually close the connection. PHP will do it automatically.
    To save time, let's just assume I am almost never wrong.

    The XY Problem
    The XY problem is asking about your attempted solution (X) rather than your actual problem (Y). This leads to enormous amounts of wasted time and energy, both on the part of people asking for help, and on the part of those providing help.

    "This text has been encoded with ROT26. If you can read this you must have found a backdoor. Congratulations!"
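The advice in posts #3 and #4 (bind the value with a prepared statement, select only the column you use, reject a missing or malformed parameter) put together in one handler. This is an added example, not code from the thread or from the original poster's site. It assumes conn.php defines $conn as a mysqli object, that regstable has the columns bldgrp and phone (the thread only refers to $row[3], so the column name "phone" is an assumption), and that the mysqlnd driver is available for get_result().

```php
<?php
// Added example: hardened version of the blood-group lookup discussed above.
// Assumes conn.php defines $conn (mysqli) and regstable has columns
// bldgrp and phone. Column name "phone" is an assumption.
declare(strict_types=1);

// Make mysqli throw on failure instead of returning false, so a failed
// prepare() or execute() cannot be silently turned into {"result":[]}.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Whitelist of the eight ABO/Rh groups. Anything else is rejected before
// the database is touched; the parameter binding below is still what
// protects the query, the whitelist only gives callers a clearer error.
function isValidBloodGroup(string $value): bool
{
    return in_array($value, ['A+', 'A-', 'B+', 'B-', 'AB+', 'AB-', 'O+', 'O-'], true);
}

// Returns the phone numbers for one blood group using a bound parameter.
// The value travels to the server as data, so quotes or semicolons inside
// it are compared literally and cannot change the statement.
function phonesByBloodGroup(mysqli $conn, string $bldgrp): array
{
    // Only the column we return; SELECT * fetches every field for nothing.
    $stmt = $conn->prepare('SELECT phone FROM regstable WHERE bldgrp = ?');
    $stmt->bind_param('s', $bldgrp);
    $stmt->execute();

    // mysqli_stmt has no fetch_array(); rows come through get_result().
    $rows = $stmt->get_result();
    $phones = [];
    while ($row = $rows->fetch_assoc()) {
        $phones[] = $row['phone'];
    }
    $stmt->close();
    return $phones;
}

// Request handling: respond with JSON and a meaningful status code.
header('Content-Type: application/json');

if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    http_response_code(405);
    header('Allow: GET');
    echo json_encode(['error' => 'only GET is supported']);
    exit;
}

// In a query string a literal "+" decodes to a space, so ?Bldgrp=A+
// arrives here as "A " and fails the whitelist; clients must send A%2B.
$bldgrp = $_GET['Bldgrp'] ?? '';
if (!isValidBloodGroup($bldgrp)) {
    http_response_code(400);
    echo json_encode(['error' => 'Bldgrp must be one of A+, A-, B+, B-, AB+, AB-, O+, O-']);
    exit;
}

require 'conn.php';
echo json_encode(['result' => phonesByBloodGroup($conn, $bldgrp)]);
// No explicit $conn->close(): PHP releases the connection at script end.
```

Requesting the script as `?Bldgrp=A%2B` returns `{"result":["..."]}` with the plain phone strings (no nested one-element arrays), while `?Bldgrp=A+` gets a 400 explaining the encoding problem instead of an empty result. The injection string quoted in post #3 is simply bound as a value and matches no row.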
