
This is my print code:

<?php

if ($_GET['id'] == "print")
{
    include ("../config.php");
    include ("../classes.php");

    // Rows to print, looked up by the posted value (see getPrintData() below)
    $result = $Adder->getPrintData($_POST['value']);

    if ($result->num_rows > 0)
    {
        $data = "";
        $html_data = "";
        while ($row = $result->fetch_assoc())
        {
            // Describe the place of birth according to birth_type_id
            switch ($row['birth_type_id'])
            {
                case 1:
                    $hospital_id = $row['hospital_id'];
                    $home_detail = "None";
                    $other_detail = "None";
                    $birth_formatted_type = "Birth at : " . $Viewer->getHospitalName($row['hospital_id']);
                    break;

                case 2:
                    $hospital_id = "None";
                    $home_detail = $row['home_detail'];
                    $other_detail = "None";
                    $birth_formatted_type = "|| Birth at Home || <br />Home Details Are : " . $row['home_detail'];
                    break;

                case 3:
                    $hospital_id = "None";
                    $home_detail = "None";
                    $other_detail = $row['other_detail'];
                    $birth_formatted_type = "|| Birth at Other Location || <br />Details Are : " . $row['other_detail'];
                    break;

                default:
                    $hospital_id = "None";
                    $home_detail = "None";
                    $other_detail = "None";
                    // Without this, an unknown type would reuse the previous row's text
                    $birth_formatted_type = "None";
                    break;
            }

            // One two-column table per certificate, appended to the page body
            $data .= "<div style='width: 100%;'>
   <table>
      <tr>
         <td style='width: 350px;'>
            <u>
               <h3>Baby Related Details</h3>
            </u>
            Registration Number: {$row['registration_number']}<br />
            Birth Date: {$row['birth_date']}<br />
            Birth Time: {$row['birth_time']}<br /><br />
            Gender: {$Viewer->getGender($row['gender_id']) }<br />
            Baby's Full Name: {$row['baby_name']}<br />
            Father's Full Name: {$row['fathers_name']}<br />
            Father's Aadhar ID: {$Viewer->getAadhar($row['fathers_uid']) }<br />
            Mother's Full Name: {$row['mothers_name']}<br />
            Mother's Aadhar ID: {$Viewer->getAadhar($row['mothers_uid']) }<br />
            While Baby's Birth Parents Address: {$row['while_baby_birth_parents_address']}<br />
            Parent's Permanent Address: {$row['parents_permanent_address']}<br />
         </td>
         <td style='width: 350px;'>
            <u>
               <h3>Parents Details</h3>
            </u>
            {$birth_formatted_type}<br />
            Category: {$Viewer->getCategoryDetail($row['category_id']) }<br />
            Religion: {$Viewer->getReligionDetail($row['religion']) }<br /><br />
            Taluka: {$Viewer->getTalukaDetail($row['taluka_id']) }<br />
            City: {$Viewer->getCityDetail($row['city_id']) }<br />
            <br /><br />
            Father's Education Level: {$Viewer->getEducationLevel($row['id_of_fathers_education_level']) }<br />
            Mother's Education Level: {$Viewer->getEducationLevel($row['id_of_mothers_education_level']) }<br />
            Father's Occupation: {$Viewer->getOccupationDetail($row['id_of_fathers_occupation']) }<br />
            Mother's Occupation: {$Viewer->getOccupationDetail($row['id_of_mothers_occupation']) }
            <u>
               <h3><br />Other Details</h3>
            </u>
            Mother's Marriage Age: {$row['mothers_marriage_age']}<br />
            While Baby's Birth Mother's Age: {$row['while_birth_mothers_age']}<br />
            Alive Deliveries Upto Now: {$row['total_alive_deliveries_uptill_date']}<br /><br />
            Birth Place: {$Viewer->getBirthPlaceOrPerson($row['id_of_birth_place']) }<br />
            Birth Person: {$Viewer->getBirthPlaceOrPerson($row['id_of_birth_person']) }<br />
            Mother's Delivery Type: {$Viewer->getDeliveryType($row['id_of_delivery_type']) }<br />
            Child's Weight: {$row['child_weight_while_birth']} Kg<br />
            Pregnancy Duration: {$row['pregnancy_duration']} Weeks
         </td>
      </tr>
   </table>
</div>

";
        }

        // Wrap the accumulated tables in a complete document for dompdf
        $html_data = "<html>
    <head>
        <style>
            *
            {
            font-family: 'titillium';
            }
            @page
            {
            margin: 10px;
            }
            body, table
            {
            margin: 10px;
            }
        </style>
    </head>
    <body>
        <br />
        <center>
            <h2>
                Birth Certificate Details
            </h2>
        </center>
        " . $data . "
    </body>
</html>";

        require "../dompdf/dompdf_config.inc.php";

        $dompdf = new DOMPDF();
        $dompdf->set_paper('A4', 'landscape');
        $dompdf->load_html($html_data);
        $dompdf->render();
        $dompdf->stream("PD444607_Date_" . $_POST['value'] . ".pdf");
    }
}

The PDF is being generated with a varying file size, but when I open the PDF it shows an error message like

Couldn't open pdf

When I do an echo like below

echo $html_data;

Each and every piece of data is visible and it's not showing any error. I have debugged the code at every level; only when the PDF is being generated does it not open.

This is the data that is being brought into the variable $result:

public function getPrintData($value)
{
    $query = "SELECT * FROM certificate_details WHERE created LIKE '%$value%' ";
    $connection = $this->establish_connection();
    $result = $connection->query($query);
    $connection->close();
    return $result;
}
  • **WARNING** You seem to be open to SQL injection by passing raw `$_POST` data to your query without any sanitation. – ʰᵈˑ Feb 01 '17 at 12:17
  • If you have `header('Content-type:application/pdf'); $dompdf->stream(); die;` does the browser render the PDF fine? Also, what is up with that indentation? – ʰᵈˑ Feb 01 '17 at 12:18
  • SQL injection? But I don't think that a hacker can enter it because I have given proper validations. – Akshay Shrivastav Feb 01 '17 at 12:30
  • Where should I set the header in the code? The PDF generates at 58.23 KB as there is only 1 page of data, but it doesn't open; MS Edge says that something is preventing the file from opening. – Akshay Shrivastav Feb 01 '17 at 12:31
  • No, what if `$_POST['value'] = "%' AND id = 1 -- "`? You'd still be injecting parameters into the query, thus SQL injection. – ʰᵈˑ Feb 01 '17 at 13:33
  • Try opening your PDF in a text viewer (Notepad, TextEdit, vi). There may be some non-PDF content captured in the stream sent from your server. – BrianS Feb 01 '17 at 18:13
  • OK, then what do you suggest? How should I sanitize the parameter? Any suggestion, any function in PHP? – Akshay Shrivastav Feb 02 '17 at 15:03
  • About the security of your SQL code, hard to say without seeing more of your code. You might consider posting a fuller example to [CodeReview](http://codereview.stackexchange.com/). At the very least you need to escape the user supplied input (i.e. by using [mysqli_real_escape_string](http://php.net/manual/en/mysqli.real-escape-string.php)). – BrianS Feb 03 '17 at 16:23
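Parameterising the lookup discussed in these comments, as an added example that is not the asker's code: the `LIKE '%value%'` search from `getPrintData()` is kept, but the value is bound through a mysqli prepared statement, so the `%' AND id = 1 -- ` input from the comment above is compared as literal text and cannot alter the statement. The class name, the `mysqli` constructor argument (the original obtains its connection from `establish_connection()`), the use of `get_result()` (which needs the mysqlnd driver), the date-only validation of `$_POST['value']` and the placeholder connection details are all assumptions.

```php
<?php
// Added example, not the asker's code. Hardened version of getPrintData():
// the LIKE '%value%' search is kept, but the value travels as a bound parameter.
// Assumptions: a mysqli connection is passed in (the original gets one from
// establish_connection()), and the mysqlnd driver is present for get_result().

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

final class CertificateRepository
{
    /** @var mysqli */
    private $connection;

    public function __construct(mysqli $connection)
    {
        $this->connection = $connection;
    }

    /**
     * Rows whose `created` column contains $value. The value is data, never SQL:
     * an input such as "%' AND id = 1 -- " (from the comments above) is compared
     * literally and cannot change the statement.
     */
    public function getPrintData(string $value): array
    {
        // "%" and "_" are wildcards to LIKE itself, so escape them in the user value
        // (backslash first, since it is MySQL's default LIKE escape character).
        $literal = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value);
        $pattern = '%' . $literal . '%';

        $stmt = $this->connection->prepare(
            'SELECT * FROM certificate_details WHERE created LIKE ?'
        );
        $stmt->bind_param('s', $pattern);
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }
}

/**
 * Assumption: the posted value is a calendar date (the question builds the file
 * name "PD444607_Date_<value>.pdf" from it). Rejecting anything else up front
 * also means the same value can be reused in that file name without surprises.
 */
function requestedDate(array $post): string
{
    $value = $post['value'] ?? '';
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        http_response_code(400);
        exit('value must be a date in YYYY-MM-DD form');
    }
    return $value;
}

// Usage; the connection details are placeholders, not values from the question.
$connection = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$repo = new CertificateRepository($connection);
$rows = $repo->getPrintData(requestedDate($_POST));
```

The `str_replace` step is separate from injection protection: binding already stops the value from being parsed as SQL, but without escaping `%` and `_` a user could still widen the search with LIKE wildcards. The validation helper is the cheaper control when the value is known to be a date: a value that fails the pattern never reaches the query or the `Content-Disposition` file name at all.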

1 Answer

I found the solution. The problem was that I was setting a title and favicon before the execution of the PHP script to generate the PDF, so I think that it was being caught as headers. So I removed that and the problem was solved.

Akshay Shrivastav
  • So, basically [this comment](http://stackoverflow.com/questions/41979511/pdf-not-opening-after-generation-of-dompdf#comment71151183_41979511) – ʰᵈˑ Feb 10 '17 at 14:50
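The answer's diagnosis turned into a guard, as an added example that is not the asker's or dompdf's code: anything the client receives before the PDF bytes (the title and favicon markup above the PHP block, a notice from an included file, a byte-order mark) corrupts the download. The script below buffers output from its first statement, renders the document in memory, checks that the bytes begin with `%PDF-` (BrianS's text-viewer check, automated) and only then sends headers and the document. It assumes the pre-0.7 dompdf API used in the question (`DOMPDF`, `set_paper`, `load_html`, `render`, `output`); `$html_data` is a constructed stand-in for the document built in the question, and the file name uses the current date rather than request data.

```php
<?php
// Added example, not the asker's or dompdf's code. Make sure nothing but PDF
// bytes reaches the client, and verify the bytes before sending them.
// Assumes the pre-0.7 dompdf API used in the question (DOMPDF, output(), ...).

// Must be the very first statement: stray output (HTML above the PHP block,
// notices from included files, a BOM) is captured here instead of being sent.
ob_start();

require '../dompdf/dompdf_config.inc.php';

// Constructed stand-in for the document the question builds in $html_data.
$html_data = '<html><body><h2>Birth Certificate Details</h2></body></html>';

/** True when $bytes begin with the header a PDF reader expects at offset 0. */
function looksLikePdf(string $bytes): bool
{
    return strncmp($bytes, '%PDF-', 5) === 0;
}

/** Render the PDF in memory and return its bytes without echoing anything. */
function buildPdf(string $html): string
{
    $dompdf = new DOMPDF();
    $dompdf->set_paper('A4', 'landscape');
    $dompdf->load_html($html);
    $dompdf->render();
    return $dompdf->output();
}

/** Send $pdf as a download; abort rather than ship a corrupt file. */
function sendPdf(string $pdf, string $filename): void
{
    // Whatever was printed before this point would have preceded the PDF bytes.
    $stray = ob_get_clean();
    if ($stray !== '') {
        error_log('Dropped stray output before PDF: ' . substr(trim($stray), 0, 200));
    }
    if (headers_sent($file, $line)) {
        // Output already left the server; a PDF appended now would be unreadable.
        error_log("PDF aborted: output started at $file:$line");
        exit;
    }
    if (!looksLikePdf($pdf)) {
        error_log('PDF aborted: rendered bytes do not start with %PDF-');
        http_response_code(500);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . strlen($pdf));
    echo $pdf;
    exit; // nothing may follow the PDF bytes
}

// File name built from a fixed date, not from request data (assumption).
sendPdf(buildPdf($html_data), 'PD444607_Date_' . date('Y-m-d') . '.pdf');
```

The `ob_start()` call only captures output produced after it runs, which is why it has to open the file: markup placed above the opening `<?php` tag is emitted before any PHP statement executes, and that is exactly what the answer removed. Logging the discarded bytes instead of silently dropping them keeps the original fault visible so it gets fixed rather than masked.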