
I am trying to create an order tracking system and have the following query:

    //create the order variable and assign it the value that the user has entered
    $order = $_POST["order"];
    $query = mysqli_query($link, "SELECT shipping_status FROM orders WHERE code_ticket = $order");
    if($result = mysqli_fetch_assoc($query)){
        //the status value
        $status = $result['shipping_status'];
    }
    else{
        $status = "Order Not yet placed";
    }

My problem is that the else part is executed and not the if part, even when I supply a value that is in the db. What could I be doing wrong?


Check if $query is equal to false. If it is, then use mysqli_error() for checking the error:

$query = mysqli_query($link, "YOUR SQL QUERY");
if(!$query) {
    echo "There is an error with db:" . mysqli_error($link);
    exit;
}

//continue your code
Striezel
Shahin Shemshian

As you are developing this system it would be sensible to adopt best practices earlier rather than later - in this instance I refer to SQL injection, and alas the above code is vulnerable. My guess with the above is the lack of quotes around the embedded variable - `code_ticket = $order` ~ if `$order` is a string then it needs quotes. That said, it is very easy to inject this with nastiness, so a prepared statement would be the way forward. I quickly rewrote your code to show how you might use both a try/catch block and a prepared statement to hopefully resolve the problem and make the code more secure going forward.

<?php

    if( $link && $_SERVER['REQUEST_METHOD']=='POST' && !empty( $_POST["order"] ) ){
        try{

            $order = $_POST['order'];

            /* basic query with a placeholder for the variable */
            $sql = 'select `shipping_status` from `orders` where `code_ticket` = ?';

            /* create the prepared statement object */
            $stmt = $link->prepare( $sql );

            /* if preparing the statement failed raise an exception to indicate failure */
            if( !$stmt ) throw new Exception( 'Failed to prepare sql: ' . $link->error );

            /* so far so good. Bind the placeholder to a variable, typed as a string
               so a value such as T-81593 is sent as data, never parsed as SQL */
            $stmt->bind_param( 's', $order );

            /* execute the query - execute() returns false only when the statement
               fails, NOT when zero rows match, so "no order" is detected on fetch() */
            if( !$stmt->execute() ) throw new Exception( 'Failed to execute sql: ' . $stmt->error );

            /* bind column data to an output variable */
            $stmt->bind_result( $status );

            /* fetch() returns true when a row was read, null when no row matched,
               false on error */
            if( $stmt->fetch() === true ){
                /* do something with output variable */
                printf( 'Shipping Status: %s', $status );
            } else {
                echo 'Order Not yet placed';
            }

            $stmt->free_result();
            $stmt->close();

        }catch( Exception $e ){
            /* note: in production log the DB error rather than echoing it to the user */
            exit( $e->getMessage() );
        }
    }

?>
Professor Abronsius
  • Thanks, this is a new field but your explanation has enlightened me and I will adopt it, but my problem is actually with the data input `T-123456` –  Aug 04 '18 at 07:38
  • Is it possible to write a query with that? Directly on MySQL it is executing but not in PHP –  Aug 04 '18 at 07:38
  • ? `Is it possible to write a query with that?` ~ please explain. – Professor Abronsius Aug 04 '18 at 07:40
  • My db has data in this format `T-81593` –  Aug 04 '18 at 07:50
  • And I would like to query it but I get the error `There is an error with db:Unknown column 'T' in 'where clause'` when I execute the query from PHP but none when I rewrite the query in MySQL –  Aug 04 '18 at 07:51
  • ok - so `T-81593` is a column in a db table? Use backticks around the column - though ideally you would never use a `-` character instead an underscore `_` is preferred. If you use backticks it should be ok – Professor Abronsius Aug 04 '18 at 08:09
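The comment thread above shows the actual failure: with the value spliced into the SQL unquoted, `WHERE code_ticket = T-81593` is parsed as column `T` minus `81593`, hence "Unknown column 'T'". Quoting the value makes that row come back, but the value is still SQL text and can be injected. The following is an added example (not code from the question or either answer) that reproduces all three behaviours side by side against an in-memory SQLite table with constructed sample rows; SQLite is used as a stand-in for MySQL so it runs offline, and its error text is "no such column: T" where MySQL says "Unknown column 'T'". The `status_prepared` function is the equivalent of the mysqli `prepare`/`bind_param` pattern recommended in the second answer.

```python
import sqlite3

# Constructed sample rows mirroring the question's `orders` table.
# Ticket codes are strings like "T-81593", which is exactly why the
# unquoted interpolation in the question breaks.
SAMPLE_ORDERS = [
    ("T-81593", "shipped"),
    ("T-123456", "processing"),
]


def make_db():
    """In-memory SQLite stand-in for the MySQL `orders` table (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE orders (code_ticket TEXT PRIMARY KEY, shipping_status TEXT)"
    )
    con.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ORDERS)
    return con


def status_interpolated_unquoted(con, order):
    """The question's query: the value is spliced into the SQL with no quotes.
    T-81593 becomes the expression `T - 81593`, so the database looks for a
    column named T. Returns (status, error_text)."""
    sql = f"SELECT shipping_status FROM orders WHERE code_ticket = {order}"
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        return None, str(exc)
    return (row[0] if row else None), None


def status_interpolated_quoted(con, order):
    """Adding quotes makes T-81593 work, but the value is still part of the SQL
    text, so a crafted value rewrites the WHERE clause. Returns every matching
    status to make the leak visible."""
    sql = f"SELECT shipping_status FROM orders WHERE code_ticket = '{order}'"
    rows = con.execute(sql).fetchall()
    return [r[0] for r in rows]


def status_prepared(con, order):
    """Placeholder plus bound parameter, the equivalent of mysqli
    prepare() / bind_param('s', ...). The value travels separately from the
    SQL text, so it can only ever be compared, never parsed."""
    row = con.execute(
        "SELECT shipping_status FROM orders WHERE code_ticket = ?", (order,)
    ).fetchone()
    return row[0] if row else "Order Not yet placed"


if __name__ == "__main__":
    con = make_db()
    print(status_interpolated_unquoted(con, "T-81593"))    # (None, 'no such column: T')
    print(status_interpolated_quoted(con, "' OR '1'='1"))  # every row leaks
    print(status_prepared(con, "T-81593"))                 # shipped
    print(status_prepared(con, "' OR '1'='1"))             # Order Not yet placed
```

Run it and compare the three outputs for the same inputs: the unquoted form fails with the "no such column" error the comments describe, the quoted form returns both rows for the injected value, and the parameterised form returns the right status for `T-81593` and treats the injection string as just another ticket code that does not exist.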