-2

How do I pass a variable from jQuery to PHP?

var itemId = $(this).attr('name');
$.ajax({
    url: "loaditems.php",
    method: "GET",
    success: function(result){
        alert(result);
    }
});

I want to add a number in PHP at the end of my SQL request.

$sql = "SELECT * FROM SmiteItems WHERE ID = ";

I know there are many questions like this, but other questions are made by people who have more complicated structures which I don't understand.

3
  • Show us how you run the query so I can tell you that it's probably vulnerable Commented Mar 18, 2018 at 23:29
  • There must be 1,000 examples on SO alone and 1,000,000 on the internet in tutorials etc Commented Mar 18, 2018 at 23:39
  • 1
    Possible duplicate of Javascript variable to PHP using Jquery AJAX Commented Mar 19, 2018 at 2:15

2 Answers 2

1

Use the POST method, then try using PHP PDO for making SQL queries: http://php.net/manual/en/pdo.query.php

    var itemId = $(this).attr('name');
    $.ajax({
        url: "loaditems.php",
        method: "POST", //change
        data: { myVar: itemId }, // sent to PHP as $_POST['myVar']
        success: function(result) {
            alert(result);
        }
    });

Then in your PHP code

    // Get post value from AJAX
    $itemId = $_POST['myVar'];

    // PDO Example ($pdo is an existing PDO connection)
    $sql = "SELECT * FROM SmiteItems WHERE ID = ?";
    $result = $pdo->prepare($sql);
    $result->bindParam(1, $itemId); // value is bound as data, never parsed as SQL
    $result->execute();

2 Comments

Why it must be the POST method?
Yes, it was because of the method. GET is only getting data, but when I want to specify "what data I want" aka "I want only the names column" it must be post.
-2

Add data in the ajax call and use that data in the target url:

var itemId = $(this).attr('name');
$.ajax({
    url: "loaditems.php",
    method: "GET",
    data: {number:itemId},
    success: function(result){
        alert(result);
    }
});

and then in loaditems.php

$sql = "SELECT * FROM SmiteItems WHERE ID = " . $_GET['number'];

As this is not a database and security question, I write no more about SQL INJECTION. Please use "post" method and read more about injection.

5 Comments

Use POST instead ?
The sql query is prone to sql injection when left like this! You need to escape any user input before passing it to the database! Also, use the '.' concatenation operator instead of numerical '+'.
I have updated the code from + to . For difference between get and post security, please check this: security.stackexchange.com/questions/33837/… @MehdiBounya
@AliSheikhpour GET is not secure for sensitive data, but you can still use GET for GETting data, but that depends on the context I guess...
You are right. Get and Post is not the context of this question. I had no idea why my answer was downvoted so I added a few details about security.
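
Added example (not part of the original posts): the concatenated query from the second answer beside a validated, parameterized one, run against a constructed in-memory SQLite table that stands in for SmiteItems. The function names and sample rows are assumptions, and the script needs the pdo_sqlite extension; the same two functions behave identically whether the value arrives in `$_GET['number']` or `$_POST['myVar']`.

```php
<?php
// Constructed stand-in for the SmiteItems table (assumption: two columns, ID and Name).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE SmiteItems (ID INTEGER PRIMARY KEY, Name TEXT)');
$pdo->exec("INSERT INTO SmiteItems (ID, Name) VALUES (1, 'Item A'), (2, 'Item B'), (3, 'Item C')");

// Concatenated form from the answer: the request value becomes part of the SQL text.
function loadItemsConcatenated(PDO $pdo, string $number): array
{
    $sql = "SELECT * FROM SmiteItems WHERE ID = " . $number;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: accept only a positive integer, then bind it as a parameter.
function loadItemsPrepared(PDO $pdo, string $number): array
{
    $id = filter_var($number, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // not an integer ID: reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT * FROM SmiteItems WHERE ID = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values: one well-formed ID and one that carries extra SQL text.
foreach (['2', '2 OR 1=1'] as $input) {
    printf(
        "%-12s concatenated: %d row(s), prepared: %d row(s)\n",
        var_export($input, true),
        count(loadItemsConcatenated($pdo, $input)),
        count(loadItemsPrepared($pdo, $input))
    );
}
```

Comparing the row counts for the two inputs shows that the query construction, not the choice of GET or POST, decides whether request data can change the SQL.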
