
I'm trying to get the values where a person searches for a staff ID; from that input on the HTML page it will show all processed purchases from that staff ID.

$name = $_GET["staffID"];
$sql = "SELECT orderID, orderDate, shippingDate, staffName FROM purchase
WHERE staffID = ".$name." 
INNER JOIN staff ON purchase.staffID =
staff.staffID ORDER BY orderDate";
$results = mysqli_query($conn, $sql)
or die ('Problem with query' . mysqli_error());

The errors I'm getting appear when I put the WHERE statement in, so I don't know if I'm doing the WHERE statement correctly or not.

Without the WHERE statement it shows me all purchases from all staff IDs in the table, which is right.

<html>
<head>
</head>
<body>

<form id="staff" action="file.php" method="get">
<p>please fill in the following form</p>
<p>Staff ID:  <input type="text" name="staffID"/>
</p>

<p><input type="submit"  value="Submit">
<input type="reset" value="Reset"></p>
</form>
</body>
</html>
  • Try reordering the WHERE & INNER JOIN clauses; Commented Apr 16, 2016 at 9:40
  • @itzmukeshy7 getting an error: Warning: mysqli_error() expects exactly 1 parameter, 0 given in I:*Path* on line 23 Problem with query....... line 23 being the last line in that code, "or die ('Problem with query' . mysqli_error());" Commented Apr 16, 2016 at 9:47
  • or die ('Problem with query' . mysqli_error($conn)); means pass $conn variable to mysqli_error(); then share the error; Commented Apr 16, 2016 at 9:49
  • Can you please post the HTML form? Commented Apr 16, 2016 at 10:18
  • @TheCodesee will post now Commented Apr 16, 2016 at 10:31

2 Answers


Try this ;)

$name = isset($_GET['staffID']) ? $_GET['staffID'] : '';
/* Clause order: FROM, JOIN, WHERE, ORDER BY. Both tables have a staffID
 * column, so the WHERE must qualify it or MySQL reports an ambiguous column. */
if(!empty($name) && $stmt = $conn->prepare(
    'SELECT orderID, orderDate, shippingDate, staffName FROM purchase
     INNER JOIN staff ON purchase.staffID = staff.staffID
     WHERE purchase.staffID = ? ORDER BY orderDate')){
  /**
   * Here 1st parameter is data type of field s for string and i for integer;
   * @todo update "s" as per data type of staffID field;
   */
  $stmt->bind_param("s", $name);

  /* execute query */
  $stmt->execute();

  /* Get result: */
  $result = $stmt->get_result();

  /* now you can fetch the results into an array - NICE */
  while($row = $result->fetch_assoc()){
    /**
     * @todo use $row as per your requirement;
     */
  }

  /* close statement */
  $stmt->close();
}

/* optional close connection */
$conn->close();

This prevents SQL injection too, and also checks for a blank value of $_GET['staffID'].


The problem is that you have not put delimiters around the name variable:

$sql = "SELECT orderID, orderDate, shippingDate, staffName FROM purchase
INNER JOIN staff ON purchase.staffID = staff.staffID
WHERE purchase.staffID = '".$name."'
ORDER BY orderDate";

4 Comments

I have updated my answer - please try the query with the WHERE clause reordered, as per itzmukeshy7's suggestion
Still getting the same error: Warning: mysqli_error() expects exactly 1 parameter, 0 given in I:"Path" on line 24 Problem with query, which is the or die(... line
You need to pass your connection into the mysqli_error function, like this: mysqli_error($conn);
With this code SQL injection is possible right @MarcStevenPlotz?
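A hardened version of the lookup that both answers are working towards: prepared statement instead of string concatenation, clauses in the order MySQL expects, the staffID column qualified so the join does not make it ambiguous, and mysqli errors raised as exceptions so the mysqli_error() argument problem from the comments cannot recur. This is an added example, not code posted by the asker or either answerer; it assumes $conn is an open mysqli connection and that purchase.staffID is an integer column.

```php
<?php
// Added example (not from the question or either answer): the staff-ID lookup
// as a prepared statement with the fixes the thread converges on. Assumes $conn
// is an open mysqli connection and purchase.staffID is an integer column.

// Make mysqli throw exceptions: no "or die(... mysqli_error())" chain, and a
// forgotten $conn argument to mysqli_error() can no longer hide the real error.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Return the processed purchases for one staff member, one assoc array per row. */
function purchasesForStaff(mysqli $conn, string $staffId): array
{
    // Validate first: the form field is free text, and the column is numeric.
    if (!ctype_digit($staffId)) {
        throw new InvalidArgumentException('staffID must be a positive integer');
    }

    // Clause order is FROM, JOIN, WHERE, ORDER BY. Both tables have a staffID
    // column, so WHERE must qualify it or MySQL reports an ambiguous column.
    $sql = 'SELECT p.orderID, p.orderDate, p.shippingDate, s.staffName
              FROM purchase AS p
              INNER JOIN staff AS s ON p.staffID = s.staffID
             WHERE p.staffID = ?
             ORDER BY p.orderDate';

    // The value is sent separately from the SQL text, so quotes or keywords
    // inside it stay data and cannot change the statement (no injection).
    $stmt = $conn->prepare($sql);
    $stmt->bind_param('i', $staffId);   // 'i' = bind as integer
    $stmt->execute();

    // bind_result() works without mysqlnd, which get_result() requires.
    $stmt->bind_result($orderId, $orderDate, $shippingDate, $staffName);
    $rows = [];
    while ($stmt->fetch()) {
        $rows[] = [
            'orderID'      => $orderId,
            'orderDate'    => $orderDate,
            'shippingDate' => $shippingDate,
            'staffName'    => $staffName,
        ];
    }
    $stmt->close();
    return $rows;
}

// In file.php: an empty field returns nothing; a non-numeric one raises.
$staffId = $_GET['staffID'] ?? '';
$rows = $staffId === '' ? [] : purchasesForStaff($conn, $staffId);
```

If staffID is actually a string column, change the bind type to 's' and replace the ctype_digit() check with whatever format the IDs follow; the prepared statement protects the query either way.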
