
So my goal was trying to allow a dynamic element on my page to determine the SQL sent to my database.

This first bit is JS that is included in my main HTML document:

var sub_condition = " AND artist=\'ivoilic\' ";//$(".current_filter").attr("condition");
$("<?php $conditions = 'WHERE owner=\'ivoilic\'"+ sub_condition+"'; include 'PHP/get_info.php';?>").appendTo(".collection tbody");

The document get_info.php which is included above looks like this:

<?php
include "connect.inc.php";
parse_str($conditions,$test);
$info = mysql_query("SELECT * FROM cards ".$condition.";")or die(mysql_error());?>

My problem is that when I just echo out the SQL it looks fine and when I tested the SQL manually it worked. But for whatever reason when I try and insert the end of the SQL using this method nothing works. Anyone have any ideas?

  • if you are a beginner now is a perfect time to separate concerns. Suggest you keep away from mixing php and javascript. Using jQuery and serving well structured html from server there is little likelihood at this stage of your career you will ever need to write php and javascript in the same file even Commented Dec 10, 2013 at 2:21
  • Thanks for the feedback charlietfl but I would really like to know why this isn't working. I can only learn if I can understand where I went wrong. Maybe I was wrong to state I'm a beginner. Commented Dec 10, 2013 at 2:33
  • to be honest I can't even make sense of what your code should do. Is far too fragmented and no idea what I try and insert the end of the sql using this method nothing works means Commented Dec 10, 2013 at 2:34
  • Basically I have a page with content taken from a database and I want the user to be able to filter out some of this content (for example by content creator). In order to do this I want to add an additional condition to my SQL based on the user-selected filter. Commented Dec 10, 2013 at 2:38
  • well for starters... no mysql queries are ever in javascript. You can send data to the server using javascript based on user interaction, and create db queries there. There is just no structure here whatsoever to use as a start point to even help you. What were you hoping the js would do? Commented Dec 10, 2013 at 2:47

1 Answer

I'll try to show you the right direction:

First

Think about what you want to do in MySQL. Google for MySQL injection. If you take MySQL queries from the client (browser) to your server, anyone could change them to something like drop database, and believe me, you don't want to have someone drop your database ;)

Second

Look at this PHP database access. It's done with PDO. PDO is a PHP class that prevents MySQL injections and will help you in many other cases later too.

<?php
// Only the values arrive from the client; the SQL text itself never does.
$id = $_GET['id'];
$ownerName = $_GET['ownerName'];

$db = new PDO('mysql:host=localhost;dbname=<SOMEDB>', '<USERNAME>', '<PASSWORD>');
// Placeholders (:ID, :OWNER) are bound at execute time, so quotes in the
// values cannot change the structure of the query.
$query = $db->prepare('SELECT * FROM `cards` WHERE `id` = :ID AND `owner` = :OWNER');
$query->execute(array(
  ':ID' => $id,
  ':OWNER' => $ownerName
));
$result = $query->fetchAll(); //$result is now an array of search result rows

You see, you just send values via JavaScript to your PHP script. Of course, you could have several query strings in your PHP script and maybe pick one with a combination of a special query ID and a switch? Up to you.

Example:

<?php
  // The client picks a query by number; the SQL text for each number lives
  // here on the server and is never assembled from request data.
  $queryNum = (int)$_GET['queryNum'];
  $value1 = $_GET['val1'];
  $value2 = $_GET['val2'];

  switch($queryNum){
    case 1:
        $query = 'SELECT * FROM `cards` WHERE `id` = :ID AND `owner` = :OWNER';
        $queryVals = array(':ID' => $value1, ':OWNER' => $value2);
      break;
    case 2:
        $query = 'SELECT * FROM `cards` WHERE `color` = :COLOR AND `size` = :SIZE';
        $queryVals = array(':COLOR' => $value1, ':SIZE' => $value2);
      break;
    default:
        $query = 'SELECT * FROM `cards`';
        $queryVals = array();
      break;
  }

  $db = new PDO('mysql:host=localhost;dbname=<SOMEDB>', '<USERNAME>', '<PASSWORD>');
  $query = $db->prepare($query);
  $query->execute($queryVals);
  $result = $query->fetchAll(); //$result is now an array of search result rows

Third

Send only the values for your database query from JavaScript or an HTML form to your PHP script.

Summary

That is really basic knowledge and my script examples are only simple examples that can show you the right direction. And never forget to prevent any possibility that a user can change your database query or PHP code in any way!
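The pattern the answer describes (constant SQL text, values bound through PDO, the filterable column chosen from a fixed list on the server), as an added example that is not part of the original answer. It uses PDO's sqlite driver with an in-memory database and a constructed `cards` table so it runs stand-alone; the DSN, the function names and the sample rows are assumptions for illustration, and the MySQL DSN from the answer goes back in when this is wired into the real application. The unsafe function is only there to show what the question's string-built WHERE clause does once a quote character reaches it.

```php
<?php
// Added example (not from the original answer): the question's string-built
// WHERE clause next to the parameterised PDO version the answer recommends.
// PDO with the sqlite driver and an in-memory database so it runs stand-alone;
// table name and columns follow the question (cards: owner, artist), the rows
// are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cards (id INTEGER PRIMARY KEY, owner TEXT, artist TEXT)');
$db->exec("INSERT INTO cards (owner, artist) VALUES
    ('ivoilic', 'ivoilic'), ('ivoilic', 'someone_else'), ('another_owner', 'ivoilic')");

// Vulnerable: the filter value from the browser is pasted into the SQL text,
// which is what the question's get_info.php effectively does.
function filterByArtistUnsafe(PDO $db, string $owner, string $artist): array {
    $sql = "SELECT * FROM cards WHERE owner='$owner' AND artist='$artist'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the SQL text is constant; only values travel to the server, and they
// are bound as parameters, so quotes inside them cannot change the query.
function filterByArtistSafe(PDO $db, string $owner, string $artist): array {
    $stmt = $db->prepare('SELECT * FROM cards WHERE owner = :owner AND artist = :artist');
    $stmt->execute([':owner' => $owner, ':artist' => $artist]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The column a user may filter on is looked up in a whitelist by name, never
// copied from the request; the value is still bound as a parameter. This is
// the answer's switch($queryNum) idea with the column choice made explicit.
function filterByColumn(PDO $db, string $owner, string $column, string $value): array {
    $allowed = ['artist' => 'artist', 'id' => 'id'];
    if (!isset($allowed[$column])) {
        throw new InvalidArgumentException("unknown filter column: $column");
    }
    $stmt = $db->prepare("SELECT * FROM cards WHERE owner = :owner AND {$allowed[$column]} = :value");
    $stmt->execute([':owner' => $owner, ':value' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Honest input: both versions return the one card owned by ivoilic with artist ivoilic.
$payload = 'ivoilic';
printf("unsafe, honest input:  %d row(s)\n", count(filterByArtistUnsafe($db, 'ivoilic', $payload)));
printf("safe,   honest input:  %d row(s)\n", count(filterByArtistSafe($db, 'ivoilic', $payload)));

// Hostile input: the quote closes the string literal and a tautology follows.
// The string-built query obeys it and returns every card regardless of owner;
// the bound query treats the whole thing as an artist name and matches nothing.
$payload = "x' OR '1'='1";
printf("unsafe, hostile input: %d row(s)\n", count(filterByArtistUnsafe($db, 'ivoilic', $payload)));
printf("safe,   hostile input: %d row(s)\n", count(filterByArtistSafe($db, 'ivoilic', $payload)));

// The whitelisted-column variant serves a known column and rejects anything else,
// including an attempt to smuggle SQL through the column name.
printf("by id: %d row(s)\n", count(filterByColumn($db, 'ivoilic', 'id', '2')));
try {
    filterByColumn($db, 'ivoilic', "artist='x' OR 1=1 --", 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`; the unsafe function reports 3 rows for the hostile payload and the safe one 0. On the browser side this means the page sends only something like `?column=artist&value=ivoilic`, never a SQL fragment, and the server decides which query that becomes.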
