0

For some reason i am not getting an output from this code. Specifically from this if statement: I inserted an html tag with a test word, but it never appeared on the output. I fixed the "SELECT" typo.. still getting same results.. no output.. i think the problem is from this statement. 

$db = new PDO("mysql:dbname=university", "root", "");

I inserted another test phrase right before it - success and another one right after it - didn't output

        if($sel=="getinfo"){
                    try {
                    $db = new PDO("mysql:dbname=university", "root", "");
                    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                    $rows = $db->exec("SEEELECT * FROM fminformationtable WHERE FM_ID = '$_POST[iden]'"); 
                    ?>
                    test
                    <?php
                    }

This is the full function

    if($sel=="addnew"){
    try {
                $db = new PDO("mysql:dbname=university", "root", "");
                $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                $rows=$db->query("INSERT INTO fminformationtable 
                VALUES('$_POST[iden]','$_POST[lname]','$_POST[fname]','$_POST[office]','$_POST[ext]','$_POST[hphone]','$_POST[mobile]','$_POST[address]','$_POST[email]','$_POST[syear]','$_POST[tyear]','$_POST[ldegree]','$_POST[ofrom]','$_POST[dyear]','$_POST[rinterest]')");

            }
            catch (PDOException $ex) {
            ?>
            <p>Your information has been submitted! </p>
            <?php
            }
            if($sel=="update"){


                try {
                    $db = new PDO("mysql:dbname=university", "root", "");
                    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);



                    $rows=$db->query("UPDATE fminformationtable SET
                     Office=`$_POST[office]`,
                     Extension=`$_POST[ext]`,
                     HomePhone=`$_POST[hphone]',
                     MobilePhone=`$_POST[mobile]`,
                     Adress=`$_POST[address]`,
                     Email=`$_POST[email]`,
                     StartingYear=`$_POST[syear]`,
                     TerminationYrear=`$_POST[tyear]`,
                     LatestDegree=`$_POST[ldegree]`,
                     ObtainedFrom=`$_POST[ofrome]`,
                     DegreeYear=`$_POST[dyear]`,
                     ResearchInterest=`$_POST[rinterest]`

                    ");

                    }


                catch (PDOException $ex) {


                }
        }
        }
         if($sel=="delete"){
            try {
                    $db = new PDO("mysql:dbname=university", "root", "");
                    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                    $rows = $db->exec("DELETE FROM fminformationtable WHERE FM_ID = '$_POST[iden]'"); 


            }
            catch (PDOException $ex) {

                }
        }

        if($sel=="getinfo"){
                    try {
                    $db = new PDO("mysql:dbname=university", "root", "");
                    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                    $rows = $db->exec("SEEELECT * FROM fminformationtable WHERE FM_ID = '$_POST[iden]'"); 
                    ?>
                    test
                    <?php
                    }
Improve this question
5
  • 3
    SEEELECT might be a typo ... it throws, which is never caught! Commented Dec 19, 2013 at 1:04
  • 2
    And injecting a POST variable directly in the query is a huge mistake. You need to read up on sql injection. As you are already using PDO, switching to prepared statements with bound variables is easy. Commented Dec 19, 2013 at 1:04
  • @EugenRieck, hmm, yes, I believe that is it. Commented Dec 19, 2013 at 1:05
  • $rows = $db->exec("SEEELECT *... is that a typo? Commented Dec 19, 2013 at 1:05
  • A side note, like @jeroen said, injecting a POST directly in your statment is a huge no-no ... No pun intended .. Or is there? Commented Dec 19, 2013 at 1:08

1 Answer 1

Reset to default
2
  1. You're using backticks instead of single quotes.
  2. You never once check your function returns to see if they've failed.
  3. You're using try with empty catch blocks to simply discard any information that might be useful to know. For instance, the errors that are causing your code to not return any data.
  4. SEEEELECT isn't a MySQL operation.
  5. You can't expand array indexes inside a double-quoted string unless you use {$array['index']}

Suggestion: Write your code in chunks of 1-3 lines, test it, write another chunk, test it, and so on. This code looks like it's been written all in one untested shot.

Also: yadda yadda SQL injection, parameterized queries, and so on.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.