
I have a function that gets the value of a select menu and this works great. But I am trying to add another value to the function. So I thought I would use the title attribute for option (please see code below). The problem is the username parameter in my JavaScript function is undefined.

Does anybody have any ideas of what I'm doing wrong?

FORM

<form action="">
    <select id="acyear" name="acyear" onchange="showyearlogdays(this.value, this.title)">
    <option value="" label="">- Year -</option>
<?php

$is_business_result = mysql_query('SELECT DISTINCT(academic_year) FROM holiday_entitlement_business_manual WHERE employee = \'' . $username . '\'');

while($acyear_filter = mysql_fetch_array($is_business_result)) {
    echo '<option value="'.$acyear_filter['academic_year'].'" title="'.$username.'"';

    $datestr = $acyear_filter['academic_year'];
    $currentyear = substr($datestr, 0, 4);

    // academic_year is YYYYMM: months before August belong to the previous year's session
    if(intval(substr($datestr,4,2)) < 8){$ayear = ($currentyear - 1).'/'.$currentyear;}
    else{$ayear = ($currentyear).'/'.($currentyear + 1);}
    echo '>';

    echo $ayear;

    echo '</option>';
}

?>
    </select>
</form>

Javascript

function showyearlogdays(str, username)
{
    var xmlhttp;                       // declared locally rather than leaking an implicit global
    if (str == "")
    {
        document.getElementById("txtHint").innerHTML = "";
        return;
    }
    if (window.XMLHttpRequest)
    {   // code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp = new XMLHttpRequest();
    }
    else
    {   // code for IE6, IE5
        xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }
    xmlhttp.onreadystatechange = function()
    {
        if (xmlhttp.readyState == 4 && xmlhttp.status == 200)
        {
            document.getElementById("txtHint").innerHTML = xmlhttp.responseText;
        }
    };
    // both values end up in a URL, so encode them before building the query string
    xmlhttp.open("GET", "days_yearlog.php?username=" + encodeURIComponent(username) + "&q=" + encodeURIComponent(str), true);
    xmlhttp.send();
}
  • Using mysql_query and concatenating an unquoted string like that is a potential bug and security issue. Please use parameter binding instead. Commented Aug 16, 2012 at 15:55
  • @Martijn I think that the OP will find it more helpful if you explain what you are saying. Commented Aug 16, 2012 at 16:15
  • @starbeamrainbowlabs: Read this page about protecting MySQL from SQL injection attacks for more information about SQL injection attacks, and how to protect your code from them. Or see this question. Commented Aug 17, 2012 at 7:43
  • @Martijn Thanks! That will be useful, especially for those who do not know very much about mysql like me :) Commented Aug 18, 2012 at 8:25

1 Answer


You need to get the title attribute of the selected option. Your code is pointing to the title attribute of the select tag. Make the change below:

showyearlogdays(this.value, this.options[this.selectedIndex].title)

You should also address the security concern mentioned in the comments. The way your query is set up would make for a really simple SQL injection attack. If you don't want to rearchitect it the way the commenter suggested, I would at least escape $username so that SQL can't be injected.
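A hardened version of the option-generating loop, added here as an illustrative example and not code from the question or the answer: it applies the parameter binding the comments ask for (a PDO prepared statement, so $username is sent separately from the SQL instead of being spliced into it), escapes the value before it is written into the title attribute, and uses the answer's this.options[this.selectedIndex].title in the onchange handler. The PDO connection $pdo, the academicYearLabel and renderYearOptions helpers, and the use of PDO rather than the question's mysql_* functions are assumptions; the table and column names are the question's own.

```php
<?php
// Added example: hardened replacement for the mysql_query loop in the question.
// Assumes $pdo is an already-opened PDO connection to the same database and
// $username holds the current user's name (both assumptions, not from the page).

// Same label rule as the question: a YYYYMM value before August belongs to the
// previous year's academic session, otherwise to the next one.
function academicYearLabel(string $yyyymm): string
{
    $year  = (int) substr($yyyymm, 0, 4);
    $month = (int) substr($yyyymm, 4, 2);
    return $month < 8
        ? ($year - 1) . '/' . $year
        : $year . '/' . ($year + 1);
}

// Returns the <option> markup for the user's academic years.
function renderYearOptions(PDO $pdo, string $username): string
{
    // Parameter binding: the driver sends the statement and the value separately,
    // so a username containing quotes cannot change the query.
    $stmt = $pdo->prepare(
        'SELECT DISTINCT academic_year
           FROM holiday_entitlement_business_manual
          WHERE employee = :employee'
    );
    $stmt->execute([':employee' => $username]);

    // The same value is also written into an HTML attribute, so it is
    // escaped for that context as well.
    $safeUser = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');

    $html = '<option value="" label="">- Year -</option>' . "\n";
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $yyyymm) {
        $html .= sprintf(
            '<option value="%s" title="%s">%s</option>' . "\n",
            htmlspecialchars($yyyymm, ENT_QUOTES, 'UTF-8'),
            $safeUser,
            htmlspecialchars(academicYearLabel($yyyymm), ENT_QUOTES, 'UTF-8')
        );
    }
    return $html;
}
?>
<form action="">
    <!-- title of the selected option, as the answer says, not of the select itself -->
    <select id="acyear" name="acyear"
            onchange="showyearlogdays(this.value, this.options[this.selectedIndex].title)">
<?php echo renderYearOptions($pdo, $username); ?>
    </select>
</form>
```

Because days_yearlog.php receives username and q from the request, it needs the same binding on its side; the value of username arrives from the client and can be changed there, so if it identifies the logged-in user, reading it from the server-side session rather than from the query string is the safer design.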
