I am trying to create a function that will retrieve all the rows with the same ID from the database and display them inside text boxes. This is the PHP file for getting all the rows:

PHP:

<?php
    include_once('pConfig.php');
    if (!isset($ciCODe)){
        $ciCode = $_GET['cID'];
    }   
    $strSQL = "SELECT * FROM csi_contact_info WHERE ci_ID = '$ciCode'";
    $result = mysqli_query($db, $strSQL);
    if (!$result) {
        printf("Error: %s\n", mysqli_error($db));
        exit();
    }
    $json = mysqli_fetch_all($result, MYSQLI_ASSOC);
    echo json_encode($json);
?>

After getting all the rows, I want to write JavaScript that creates one text box per retrieved row (using the row count from the code above) and shows all the retrieved data in those text boxes.

JAVASCRIPT:

function previewContactInformation(idCode){
        $.ajax({
        type: 'GET',
        url: '../back_php_Code/pPrevContactInfo.php',
        dataType: 'json',
        data: {'cID': idCode},
        contentType: 'application/json; charset=utf-8',
        success: function (response) {
            var cells = response;   // dataType: 'json' already parsed the body, so eval() is not needed
            for (var i = 0; i < cells.length; i++) {   // '<', not '<=': cells[cells.length] is undefined
                '<div class="form-group row">'
                    + '<div class="col-md-4 col-lg-2">'
                    + '<label for="name-2" class="block">First name *</label>'
                    + '</div>'
                    + '<div class="col-md-8 col-lg-10">'
                    + '<input id="name-2" name="name" type="text" class="form-control value =' + cells[i].home_number + ' required">'
                    + '</div></div>'
            }
        },
         error: function (error) {
            console.log(error);
        }
   });   
}

Is there a way to dynamically add text boxes with JavaScript, one for each row retrieved from the database?

mplungjan
Ban Tot
    **Warning** Your code is vulnerable to **SQL injection**! Someone can put something like `'-- drop table table_name` in the input and it might get executed. Use [prepared statements](https://www.w3schools.com/php/php_mysql_prepared_statements.asp) immediately. – weegee Aug 13 '19 at 08:33
  • @weegee I completely agree about prepared statements, but your example is not correct. To execute the DROP statement you would need to be able to execute multiple queries. Nonetheless, this code is still vulnerable to SQL injection. – Dharman Aug 13 '19 at 08:41
  • @Dharman oh I know about that. mysqli_query won't let two statements execute at once. But it was just an example and should tell the OP that it's dangerous. – weegee Aug 13 '19 at 08:44

1 Answer

For security reasons you should use filter_input instead of working with $_GET directly:

$ciCode = filter_input(INPUT_GET, "cID");

More information: https://www.php.net/manual/de/function.filter-input.php

In your isset there might be a typo:

if (!isset($ciCODe)){

I think it should be

if (!isset($ciCode)){

In your JavaScript use the append function to add the string to a div container, e.g.

        for (var i = 0; i < cells.length; i++) {   // '<', not '<=': cells[cells.length] is undefined
            $('#someId').append('<div class="form-group row">'
                + '<div class="col-md-4 col-lg-2">'
                + '<label for="name-' + i + '" class="block">First name *</label>'
                + '</div>'
                + '<div class="col-md-8 col-lg-10">'
                + '<input id="name-' + i + '" name="name" type="text" class="form-control" required>'
                + '</div></div>');
            // Set the value with .val() instead of concatenating it into the markup:
            // a database value containing quotes or tags then cannot break out of the
            // attribute or inject HTML. Each row also gets its own id, since the
            // original duplicated id="name-2" for every row.
            $('#name-' + i).val(cells[i].home_number);
        }

Read here for more information to append: https://api.jquery.com/append/

In your HTML you need a div container with id="someId" to which the string can be added, e.g.:

 <div id="someId">
 </div>
Marco
    How does the filter help with security? – Dharman Aug 13 '19 at 06:51
  • Hi Sir, thanks for your response, but it did not work, sir; no text boxes were created after I ran the code you gave. – Ban Tot Aug 13 '19 at 07:00
  • @Dharman: You should never ever trust user input directly, so you use filter_input to sanitize/validate the inputs – Marco Aug 13 '19 at 08:28
  • 1
    @Dharman: I posted the link to the documentation... I just don't know what kind of ID I'll get... it can be a string or an integer or what ever, so the programmer has to choose the appropriate filter for his purposes. – Marco Aug 13 '19 at 08:33
  • @AlexAbulencia: I've updated the answer a little bit, showing how to implement this. – Marco Aug 13 '19 at 08:34
  • @Marco Thank you Sir! haha I just set the `id="someID"` into the `` tag. – Ban Tot Aug 13 '19 at 08:36
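The comments on the question point out that `WHERE ci_ID = '$ciCode'` is injectable, and the comments on the answer ask what `filter_input` contributes. The following is an added example, not code from the question or from Marco's answer: the same `pPrevContactInfo.php` endpoint with the ID bound as a prepared-statement parameter. Even though `mysqli_query` runs a single statement, the original query is still exploitable, because `cID=' OR '1'='1` turns the WHERE clause into `ci_ID = '' OR '1'='1'` and returns every row, and a `UNION SELECT` can read other tables. Binding the parameter is what removes that; `filter_input` with `FILTER_VALIDATE_INT` only rejects non-numeric IDs before the database is touched. The example assumes what the original code assumes implicitly: `pConfig.php` provides a connected mysqli object in `$db`, `ci_ID` is an integer column, and the client sends `?cID=<number>`.

```php
<?php
// Added example, not the original pPrevContactInfo.php.
// Assumptions (same as the original makes implicitly): pConfig.php connects
// to MySQL and leaves a mysqli object in $db; ci_ID is an integer column;
// the jQuery call sends ?cID=<number>.
include_once('pConfig.php');

header('Content-Type: application/json; charset=utf-8');

// filter_input() returns null if cID is absent and false if it is not an
// integer, so input such as cID=1' OR '1'='1 is rejected here, before any
// query runs. This is a cheap early check, not the injection fix itself.
$ciCode = filter_input(INPUT_GET, 'cID', FILTER_VALIDATE_INT);
if ($ciCode === null || $ciCode === false) {
    http_response_code(400);
    echo json_encode(['error' => 'cID must be an integer']);
    exit();
}

// The injection fix: the value travels to the server as a bound parameter
// and is never part of the SQL text, so it cannot change the query's
// structure no matter what it contains.
$stmt = $db->prepare('SELECT * FROM csi_contact_info WHERE ci_ID = ?');
if ($stmt === false) {
    // Log the driver error server-side instead of echoing it to the client,
    // as the original printf(mysqli_error()) did.
    error_log('prepare failed: ' . $db->error);
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
    exit();
}
$stmt->bind_param('i', $ciCode);   // 'i' = bind as integer

if (!$stmt->execute()) {
    error_log('execute failed: ' . $stmt->error);
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
    exit();
}

// get_result() requires the mysqlnd driver (the default since PHP 5.4).
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Same shape as the original output: a JSON array of row objects, which the
// jQuery success callback iterates over as cells[i].
echo json_encode($rows);
```

If `ci_ID` is not an integer in your schema, keep the prepared statement but drop `FILTER_VALIDATE_INT` and bind with `'s'` instead of `'i'`; the binding is what protects the query, so the validation filter can be adapted to whatever shape the ID actually has.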