
I'm writing some PHP to query from a MySQL database that I have set up on my WAMP server. I'm also learning PHP, HTML and JavaScript as I go, so the syntax of these languages is still a little unfamiliar to me.

EDIT: The syntax error has been solved, however I am now receiving a

Undefined index: family

error when I compile. I am running two files through my server, front.php and back.php. front.php contains a selector form where the user may choose a filter to be applied to the PHP query to MySQL. back.php receives the selection with $_REQUEST and uses that in a SELECT query. I have posted the code relating to the selector form in front.php below.

<form method="POST">
<select name="family" onchange="showUser (this.value)">
<option value="empty">Select a Family:</option>
<option value="capacitor">capacitor</option>
<option value="resistor">resistor</option>
<option value="ferrite bead">ferrite bead</option>
</select>
</form>

Here is the $_REQUEST call in back.php:

$sql="SELECT * FROM testv2 WHERE family='".$_REQUEST['family']."'";
$result = mysqli_query($con,$sql);
Jonny1998
  • The issue is coming from `$sql="SELECT * FROM testv2 WHERE family ='$_REQUEST['family']'";`. Look closely. – Rotimi Jun 26 '18 at 16:57
  • Side note, that is also subject to sql injection. – Taplar Jun 26 '18 at 17:10
  • @AkintundeOlawale I've added the periods enclosing .$_REQUEST['family']., if that is what you meant by "look closely", but the same syntax error occurs. – Jonny1998 Jun 26 '18 at 17:15
  • Thanks, figured it out. However, I'm now getting an "Undefined index: family" error on the same line. – Jonny1998 Jun 26 '18 at 17:20

2 Answers


You should change line 24 from:

$sql="SELECT * FROM testv2 WHERE family ='$_REQUEST['family']'";

To:

$sql="SELECT * FROM testv2 WHERE family ='" . $_REQUEST['family'] . "'";

This should fix the syntax error, but using the above code is still a bad idea, as it has an SQL injection vulnerability.

I advise you to use PDO prepared statements if you are learning: http://php.net/manual/en/pdo.prepared-statements.php

Ayoob Ali
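Added example, not code from the question or either answer: the concatenation from back.php next to a PDO prepared-statement version that also handles the missing index. The function names are mine, the script assumes the pdo_sqlite extension, and the testv2 table is built in memory from constructed rows so it runs offline; against the asker's WAMP MySQL database the DSN would be a mysql: one (an assumption about their setup) and the query code stays the same.

```php
<?php
// Added example: the back.php concatenation beside a PDO prepared statement.
// Assumes pdo_sqlite; testv2 is constructed in memory so this runs offline.

function vulnerableSql(array $request): string
{
    // Original approach: the posted value becomes part of the SQL text, so a
    // quote inside the value changes the statement instead of staying data.
    return "SELECT * FROM testv2 WHERE family='" . $request['family'] . "'";
}

function findByFamily(PDO $pdo, array $request): array
{
    // Reading $request['family'] when the key is absent (e.g. back.php loaded
    // without the form being posted) is what raises "Undefined index: family".
    if (!isset($request['family']) || $request['family'] === 'empty') {
        return [];
    }
    // The value is bound as a parameter and never spliced into the query.
    $stmt = $pdo->prepare('SELECT id, name, family FROM testv2 WHERE family = :family');
    $stmt->execute([':family' => $request['family']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory stand-in for the asker's MySQL table with constructed sample rows.
// On WAMP the DSN would be e.g. 'mysql:host=localhost;dbname=...' plus user
// and password (assumed); the two functions above need no change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE testv2 (id INTEGER PRIMARY KEY, name TEXT, family TEXT)');
$pdo->exec("INSERT INTO testv2 (name, family) VALUES
    ('C1', 'capacitor'), ('C2', 'capacitor'), ('R1', 'resistor'), ('FB1', 'ferrite bead')");

// Constructed stand-ins for $_POST: a normal choice, nothing posted at all,
// and a value containing an apostrophe.
$cases = [
    'capacitor chosen'   => ['family' => 'capacitor'],
    'nothing posted'     => [],
    'value with a quote' => ['family' => "ferrite bead'"],
];
foreach ($cases as $label => $request) {
    $rows = findByFamily($pdo, $request);
    echo str_pad($label, 20), count($rows), " row(s) via prepared statement\n";
}
// For the last case the concatenated SQL is no longer one quoted literal: the
// apostrophe closes the string early, which is the injection point the
// comments and the answer warn about.
echo vulnerableSql(['family' => "ferrite bead'"]), "\n";
```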

You are treating

$sql="SELECT * FROM testv2 WHERE family ='$_REQUEST['family']'";

as an integer; treat it as a string. Do this:

$sql="SELECT * FROM testv2 WHERE family ='".$_REQUEST['family']."'";

Another suggestion is to use LIKE.

Note: LIKE will increase the number of results returned from the database, so be aware of it if you have a lot of data.

EDIT: As per the request, use $_POST directly instead of $_REQUEST; please check Among $_REQUEST, $_GET and $_POST.

Jorge