Results don't show!

Silviia · Jul 15, 2019

(Added [code]...[/code] tags ~ MOD)

Hi, i need some help here cause i tried everything and i can't solve this.
So, to context you a bit.
1. I have 3 tables , the location, the dosimeter and the probes, where the location have LocationName (primarykey) and dosimeter have LocationName (foreignKey) and SerialNumber (primarykey), and the probes don't matter at this point.
2. I already insert data in the location and in the dosimeter . LocationName = teste2 , SerialNumber=456
3. I want the user to chose the location he wants to see the details and also if he wants to see dosimeter or probes.
4.PROBLEM: i think the problem is here: LocationName='$LocationName'
I test to see if i had results so i trade the '$LocationName' for 'teste2' and the results show.
Already tried to change '$LocationName' for $location , 'location', and nothing.
If i put $LocationName without '' i have the error (Trying to get property 'num_rows' of non-object)
5. CODE:

THE FORM

<table style="margin-top:-140px;">
<form action="" method="post" >
<tr><td><label>Location Name </label></td>
<td><select name="location"  id="location"   onchange="MakeXMLHTTPCall();" required>
<option value="none" selected> 
<?php

$servername = "localhost";
$username = "root";
$password = " "; 
$dbname = " ";


$conn = mysqli_connect($servername, $username, $password, $dbname);

if (!$conn) {
    die("Connection error : " . mysqli_connect_error());
}

#SHOWS THE LOCATIONS SAVED ON DB
$sql = "SELECT * FROM location";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
 while($row = $result->fetch_assoc()) {

echo "<option value=\"location\">" . $row['LocationName'] . "</option>";
    }

}
?>
</select></td></tr>

#SELECT IF IT WANTS TO SEE DOSIMETER OR PROBES
<tr><td>  <select name="mode" id="mode">
<option value="dosimeter"<?php if(isset($mode)&& $mode=="dosimeter");?>>Dosimeters
<option value="probe"<?php if(isset($mode)&& $mode=="probe") ;?>>Probes
</select></td></tr>


<tr><td colspan="2"><br><input name="submit" type="submit" value=" SELECT ">
<input type="reset" value="RESET"><br><br><br></td></tr>

</form>

THE DATA SHOWING

<?php


if ($_SERVER["REQUEST_METHOD"] == "POST") {

$LocationName = ($_POST["location"]);



$conn = mysqli_connect($servername, $username, $password, $dbname);

if (!$conn) {
    die("Connection error : " . mysqli_connect_error());
}
if($_POST['mode']=="dosimeter"){
$sql = "SELECT * FROM dosimeter WHERE LocationName='$LocationName'";
$result = $conn->query($sql);
if ($result->num_rows > 0) {

	  echo "<tr><th>Serial Number</th><th>Quantity</th></tr>";
 while($row = $result->fetch_assoc()) {

    echo "<tr><td>" . $row["SerialNumberD"]. "</td><tr> ";
}

}
}


}

$conn->close();
?>
</table>

Thank you to anyone who can help me!

NogDog · Jul 15, 2019

Pending somebody seeing some logic problem, etc., maybe try adding some debug code to see if things are actually the way you think they are, e.g.:

<?php

if ($_SERVER["REQUEST_METHOD"] == "POST") {

  $LocationName = ($_POST["location"]);

  $conn = mysqli_connect($servername, $username, $password, $dbname);

  if (!$conn) {
    die("Connection error : " . mysqli_connect_error());
  }
  if ($_POST['mode'] == "dosimeter") {
    $sql = "SELECT * FROM dosimeter WHERE LocationName='$LocationName'";
    $result = $conn->query($sql);
    if ($result->num_rows > 0) {

  echo "<tr><th>Serial Number</th><th>Quantity</th></tr>";
  while ($row = $result->fetch_assoc()) {

    echo "<tr><td>" . $row["SerialNumberD"] . "</td><tr> ";
  }
}
else { // debug only
  echo "<p>DEBUG: no rows returned by '$sql'</p>\n";
}
  }
  else {  // debug only
    echo  "<p>DEBUG: not dosimeter</p>\n";
  }
}
else { // debug only
  echo "<p>Not POST</p>\n";
}

pbismad · Jul 17, 2019

The value='...' attribute the in the <option > tag is the literal string 'location'. You would want it to be the $row['LocationName'] variable.

Next, you should NOT put external/unknown data values directly into an sql query statement, as this will allow sql injection. The SELECT query you have now can be used to dump the contents of any of your database tables, simply by injecting a UNION ALL ... query onto the end of the current query. You should use a prepared query instead, with a place-holder for each data value, then supply the value when the query gets executed. Unfortunately, the mysqli extension is overly complicated and inconsistent when dealing with prepared queries and you should switch to the much simpler PDO extension.