I need the user to input country ISO_id, in order to create an output table with the height, weight, gender and sports of the cyclists. I am quite new to PHP and JavaScript, so if you could help me understand what I am doing wrong it would be appreciated.

This is what I have come up with so far:

What I have tried:

<?php
if (isset($_GET['submit'])) {
	$query = "SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE '%sumbit%'" ;
	$results = $conn->query($query);

	if (count($results) > 0) {
		foreach ($results as $r) {
			printf("<div>%s - %s</div>", $r['height'], $r['weight'], $r['gender'], $r['sport']);
		}
	} else { echo "No results found"; }
}
?>

<form action="view.php" method="get" id="view">
    <table border="1">
      <tr>
        <td><label for="country ISO_id">Country ISO_id</label></td>
        <td>
          <input name="country ISO_id" type="text" class="larger" id="country ISO_id" value="" size="5" />
        </td>
      </tr>
      <tr>
        <td><label for="submit">Submit</label></td>
        <td><input type="submit" name="submit" id="submit" value="Submit" class="larger" /></td>
      </tr>
    </table>
</form>

<div id="results"></div>

<script>
function fetch() {
  // (A) GET SEARCH TERM
  var data = new FormData();
  data.append('submit', document.getElementById("submit").value);
  data.append('ajax', 1);
 
  // (B) AJAX SEARCH REQUEST
  var xhr = new XMLHttpRequest();
  xhr.open('GET', "query");
  xhr.onload = function () {
    var results = JSON.parse(this.response),
    wrapper = document.getElementById("results");
    if (results.length > 0) {
      wrapper.innerHTML = "";
      for (let res of results) {
        let line = document.createElement("div");
        line.innerHTML = `${res['height']} - ${res['weight']} - ${res['gender']} - ${res['sport']}`;
        wrapper.appendChild(line);
      }
    } else { wrapper.innerHTML = "No results found"; }
  };
  xhr.send(data);
  return false;
}
</script>

</body>
</html>
Posted
Updated 16-Aug-21 22:15pm

1 solution

Quote:
PHP
$query = "SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE '%sumbit%'" ;
Not like that!

Thankfully, you haven't inserted anything into the SQL query to represent the search value. If you had, you would have introduced a SQL Injection vulnerability.

You need to use a prepared statement:
PHP: Prepared statements and stored procedures - Manual
PHP
$ISO_id = $_GET['country ISO_id']; // The value submitted from the form.
$query = "SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE ?";
$stmt = $conn->prepare($query);
$stmt->execute(["%$ISO_id%"]); // The search value is bound as a parameter, never spliced into the SQL text.
$results = $stmt->fetchAll(PDO::FETCH_ASSOC); // Assumes $conn is a PDO connection, as in the linked manual page.

NB: It's usually best to avoid spaces in the name attribute of your form controls.

In your printf statement, you're only printing two values from the record - the height and weight.
PHP: printf - Manual

Depending on where the data comes from, you may also need to HTML-encode the values when you write them out, to avoid a persisted cross-site scripting vulnerability.
Cross Site Scripting (XSS) | OWASP
PHP: htmlspecialchars - Manual
 
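The two points from the answer (bind the search value with a prepared statement; HTML-encode every value on output) put together in one runnable script, as an added example that is not code from the question or the answer above. It assumes a PDO connection (the answer's `?` placeholder and `execute([...])` call are PDO style) and the pdo_sqlite extension, using an in-memory SQLite database with constructed rows in place of the real Cyclist table so it runs offline; the form field is assumed to be named `ISO_id`, following the answer's advice to drop the space from the name attribute.

```php
<?php
// Added example, not code from the question or the answer. Assumes PDO with
// the pdo_sqlite driver; the Cyclist rows below are constructed sample data.
declare(strict_types=1);

function openSampleDatabase(): PDO
{
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE Cyclist (ISO_id TEXT, height INTEGER, weight INTEGER, gender TEXT, sport TEXT)');
    $insert = $conn->prepare('INSERT INTO Cyclist VALUES (?, ?, ?, ?, ?)');
    // Constructed sample rows. The last one carries markup in a field to show
    // why output must be encoded even when it comes from your own database.
    $rows = [
        ['GBR', 180, 72, 'M', 'Road'],
        ['GBR', 165, 58, 'F', 'Track'],
        ['FRA', 175, 68, 'M', '<script>alert(1)</script>'],
    ];
    foreach ($rows as $row) {
        $insert->execute($row);
    }
    return $conn;
}

// The search: the user-supplied value never becomes part of the SQL text.
// It is handed to execute() and sent as a parameter, so quotes in it are data.
function searchCyclists(PDO $conn, string $isoId): array
{
    $stmt = $conn->prepare(
        'SELECT ISO_id, height, weight, gender, sport FROM Cyclist WHERE ISO_id LIKE ?'
    );
    $stmt->execute(['%' . $isoId . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode one value for an HTML text context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering: one <div> per row, all four columns, each value encoded.
function renderResults(array $results): string
{
    if (count($results) === 0) {
        return "No results found\n";
    }
    $html = '';
    foreach ($results as $r) {
        $html .= sprintf(
            "<div>%s - %s - %s - %s</div>\n",
            h((string) $r['height']),
            h((string) $r['weight']),
            h((string) $r['gender']),
            h((string) $r['sport'])
        );
    }
    return $html;
}

$conn = openSampleDatabase();

// Read the form value. The key must match the input's name attribute exactly;
// the null-coalescing operator avoids an "Undefined index" notice when the
// parameter is absent (for example when this script is run from the CLI).
$isoId = $_GET['ISO_id'] ?? '';

// With no query string (CLI run), walk through three constructed inputs instead:
// a normal search, a classic injection attempt, and a match on the row whose
// sport field contains markup.
$inputs = $isoId !== '' ? [$isoId] : ['GBR', "' OR 1=1 --", 'FRA'];
foreach ($inputs as $input) {
    echo 'Search for ' . var_export($input, true) . ":\n";
    echo renderResults(searchCyclists($conn, $input));
}
```

Run from the CLI, the `GBR` search returns the two British rows, the `' OR 1=1 --` input returns "No results found" because it is compared literally against ISO_id rather than altering the query, and the `FRA` row is written out with its sport field as `&lt;script&gt;alert(1)&lt;/script&gt;`, inert text rather than a script tag. Two caveats: binding stops injection but not wildcard matching, so `%` and `_` in the input still act as LIKE wildcards and need escaping (with an `ESCAPE` clause) if you want exact substring matching; and the same encoding rule applies on the client side, so the JavaScript in the question should set `textContent` on each created `<div>` instead of building markup with `innerHTML`.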
Comments
The Melon 17-Aug-21 20:20pm    
Hi, I made the adjustments you suggested and also made sure to avoid spaces in the name attribute. Despite the changes, I keep running into an error that states "Undefined index: countryISO_id"
Richard Deeming 18-Aug-21 3:22am    
That suggests that the name attribute on your <input> tag doesn't match the index you're passing to $_GET.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
