
This is my fetch.php file, which works currently, but I can't seem to connect my PHP hyperlink to the gene.php file.

I'm thinking about how I can separate the HTML from the PHP to follow other suggestions, but I'm struggling with how to do this.

    while($row = mysqli_fetch_array($result))
    {
        $output .= '
        <tr>
            <td><a href="gene.php?id=' . $row['mRNA'] . '">'.$row["mRNA"].'</a></td>
            <td><a href="gene.php?id=' . $row['mRNA'] . '">'.$row["Gene"].'</a></td>
            <td>'.$row["Subtype"].'</td>
        </tr>
        ';
    }
    echo $output;
    }
    ?>

If possible, I'm hoping I could pass the new gene.php?id variable back as a query on my gene.php page.

   <?php
   $connect = mysqli_connect("localhost", "root", "", "database");
   $id[0] = $_REQUEST['id'];
   $query = "SELECT * FROM genenames WHERE mRNA=".$id."";
  • Yes? $id[0] = $_REQUEST['id']; should probably just be $id = $_REQUEST['id']; You need to read up on SQL injection. You can never trust user input. Commented Jul 18, 2018 at 20:40
  • And what exactly is the result of your current code? How does it differ from what you want? Commented Jul 18, 2018 at 20:41
  • WARNING: When using mysqli you should be using parameterized queries and bind_param to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you have created a severe SQL injection bug. NEVER put $_POST, $_GET or any user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. Commented Jul 18, 2018 at 20:59
  • Note: The object-oriented interface to mysqli is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete mysql_query interface. Before you get too invested in the procedural style it’s worth switching over. Example: $db = new mysqli(…) and $db->prepare("…") The procedural interface is an artifact from the PHP 4 era when mysqli API was introduced and should not be used in new code. Commented Jul 18, 2018 at 20:59

2 Answers

1

Try using PDO; it's prettier when it comes to prepared statements.

<?php

// user input is evil: validate it, don't just sanitise it
// (a bare (int) cast silently turns "abc" into 0, and FILTER_SANITIZE_NUMBER_INT
//  only strips characters, so neither tells you the input was bad)
$id = filter_var($_REQUEST['id'] ?? '', FILTER_VALIDATE_INT);

// abort here, if $id is not valid
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// connection config
$host = '127.0.0.1';
$port = 3306;
$name = 'db-name';
$username = 'db-username';
$password = 'db-password';

$options = [
    PDO::ATTR_PERSISTENT => false
];

$dsn = 'mysql:host='.$host.';port='.$port.';dbname='.$name;

$result = [];
try
{
    $pdo = new PDO($dsn, $username, $password, $options);

    $sql = "SELECT * FROM genenames WHERE mRNA=:id";

    $params = [
        'id' => $id
    ];

    $mode = PDO::FETCH_ASSOC;

    $statement = $pdo->prepare($sql);
    if($statement->execute($params))
    {
        $statement->setFetchMode($mode);
        $result = $statement->fetchAll();
    }
}
catch(PDOException $e)
{
    die('Error!: ' . $e->getMessage());
}


$output = '<table>';

// print your rows
foreach($result as $row) {

    $output .= '
        <tr>
            <td><a href="gene.php?id=' . $row['mRNA'] . '">'.$row["mRNA"].'</a></td>
            <td><a href="gene.php?id=' . $row['mRNA'] . '">'.$row["Gene"].'</a></td>
            <td>'.$row["Subtype"].'</td>
        </tr>
    ';
}

$output .= '</table>';

echo $output;
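For the asker's original mysqli setup, the same idea with the object-oriented interface and bind_param that the comments recommend. This is an added example, not code from the question or either answer; it assumes the genenames table with the mRNA, Gene and Subtype columns from the question, treats mRNA as a string identifier (so it is bound as "s" and whitelisted with an assumed character set), and uses placeholder credentials.

```php
<?php
// gene.php: added example, not the asker's or answerers' code.
// Assumptions: table genenames(mRNA, Gene, Subtype) as in the question,
// mRNA is a string id matching [A-Za-z0-9_.-], credentials are placeholders.
declare(strict_types=1);

// Throw exceptions on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate the input's shape before it goes anywhere near the database.
$id = $_GET['id'] ?? '';
if ($id === '' || strlen($id) > 64 || !preg_match('/^[A-Za-z0-9_.-]+$/', $id)) {
    http_response_code(400);
    exit('Invalid id');
}

// 2. Parameterised query: the value travels separately from the SQL text,
//    so it can never change the statement's structure.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'database');
$db->set_charset('utf8mb4');

$stmt = $db->prepare('SELECT mRNA, Gene, Subtype FROM genenames WHERE mRNA = ?');
$stmt->bind_param('s', $id);
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// 3. Escape on output: values coming back from the database are untrusted as HTML too.
function h(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$output = '<table>';
foreach ($rows as $row) {
    // URL-encode the id in the link, then HTML-escape the whole attribute value.
    $href = 'gene.php?id=' . rawurlencode((string) $row['mRNA']);
    $output .= '<tr>'
        . '<td><a href="' . h($href) . '">' . h($row['mRNA']) . '</a></td>'
        . '<td><a href="' . h($href) . '">' . h($row['Gene']) . '</a></td>'
        . '<td>' . h($row['Subtype']) . '</td>'
        . '</tr>';
}
$output .= '</table>';
echo $output;
```

The same prepare/bind_param/execute pattern drops into fetch.php's loop unchanged; only the SQL and the bound parameters differ.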


0

Change the following code and check whether it works for you:

 $connect = mysqli_connect("localhost", "root", "", "database");
 $id = $_REQUEST['id'];
 echo $id;//check for id it print or not
 $query = "SELECT * FROM genenames WHERE mRNA=".$id."";

Or something like that, as you did via an index of id:

 $connect = mysqli_connect("localhost", "root", "", "database");
 $id[0] = $_REQUEST['id'];
 echo $id[0];//check for id it print or not
 $query = "SELECT * FROM genenames WHERE mRNA=".$id[0]."";

But it is a SQL injection problem; you are allowing others to pass values via the URL. I suggest you read about SQL injection. Use a form to post the data, or another way to send it, to protect you from SQL injection.
