
Getting a variable out of SQL Select statement where clause that came from a PHP Drop down select box

I'm a little confused here. For some reason my results are coming back blank. I'm trying to allow a user to fill out a form by entering their first and last name, and then picking from 5 job titles in a drop down list. Then when they submit the form, the action PHP will pull information for that specific job from a database (using an SQL select statement) and display some results for the user. The problem I'm having, is my results for my pulled variables are coming back blank. I've tried half a dozen different ways to get this select statement to work but it won't budge.

Here's my form, and I have PHP in it that handles the displayasselect function and connects to the server and all that (it was giving me trouble pasting the code here for that part for some reason)...but I've without a doubt verified that all that is fine anyway. And after the PHP, here's my form:

<form class="form-inline" method="get" action="jobTitlePull.php">
    <div class="form-group">
        <label for="firstName">First Name:  </label>
        <input type="text" name = "fname" id="firstName"/>
    </div>
    <div class="form-group"> 
        <label for="lastName">Last Name: </label>
        <input type="text" name = "lname" id="lastName">
     </div>
        <div class="form-group"> 
        <label for="jobTitle">Job Title: </label>
        <?php
            displayAsSelect($list);
        ?>
     </div>
    <input type="submit" class="btn btn-default">
</form>

Everything appears fine with the form.

The trouble I'm having is coming from my action php, which here I've called jobTitlePull.php. Here's my code:

    <?php
    $serverName = "xxxxxx";
    $userName = "xxxxxx";
    $passWord = "xxxxxx";
    $database = "xxxxxx"; // last 4 fields purposefully masked.
    $firstName = $_GET["fname"];
    $lastName = $_GET["lname"];
    $jobTitle = $_GET["jobName"];
    $conn = mysqli_connect($serverName, $userName, $passWord, $database);
    if (!$conn){
        die ("<p>Connection failed: ".mysqli_connect_error()."</p>");
    }
    $queryString = "SELECT jobName, description, posType, basePay FROM Titles WHERE jobName = '$jobTitle'";
    $result = $conn->query($queryString);
    if(!$result){
        die ("<p>Query failed</p>");
    }
    $record = mysqli_fetch_assoc($result); //I think my problem MAY lie here??
    $desc = $record['description']; //or maybe I'm declaring variables wrong?
    $pos = $record['posType'];
    $base = $record['basePay'];
    echo "<h4>Hello $firstName $lastName Job Title: $jobTitle Job Description: $desc Position Type: $pos Base Pay: $base</h4>";
    mysqli_close($conn);
?>

The fields in the select statement are all correct. I know this because if I change WHERE jobName = '$jobTitle' to WHERE jobName = jobName, it will allow me to use a while statement and loop through and print out ALL of the data for ALL fields in the Titles part of database. But I just need the data for the drop down. But when I equate $jobName to $jobTitle (and $jobTitle IS pulling the correct information), it gives me blank results for the part of the echo statement where the variables for $desc, $pos, and $base are.

Please help.

Thanks

I suggest you take a slightly different approach to your current query, and also consider some of your safety approach to how you are handling the code.

First, everything pretty much stays the same:

$serverName = "xxxxxx";
$userName = "xxxxxx";
$passWord = "xxxxxx";
$database = "xxxxxx"; // last 4 fields purposefully masked.

Change your connection to an OOP method; it will be easier when you are dealing with Prepared Statements.

$mysqli = new mysqli($serverName, $userName, $passWord, $database);
// connect_error is a property that is null when the connection succeeded
if ($mysqli->connect_error) {
    die("<p>Connection failed: " . $mysqli->connect_error . "</p>");
}

Add some filter to your variables

  1. Decode the URL since you are using $_GET; that is important in case your browser encodes the variables when you're posting it.
  2. htmlentities will make sure there are no HTML tags and prevent code from being run.

This will look like:

$firstName = urldecode( htmlentities($_GET["fname"]) );
$lastName = urldecode( htmlentities($_GET["lname"]) );
$jobTitle = urldecode( htmlentities($_GET["jobName"]) );

Now let's see some important changes:

// let's start changing your query here
// use prepared statements
$queryString = "SELECT jobName, description, posType, basePay FROM Titles WHERE jobName = ?";

Then you have to prepare the query

if( $stmt = $mysqli->prepare( $queryString ) ) {
    //bind the parameter of `jobName`
    $stmt->bind_param('s', $jobTitle);
    // execute the query
    $stmt->execute();

    // get all of the results
    $result = $stmt->get_result();
    // fetch the results in an associative array
    $row = $result->fetch_assoc();

    // close stmt connection
    $stmt->close();
} else {
    $error = array(
        'is_error' => true,
        'error' => 'There was a problem preparing the SQL'
    );

    print_r($error);
}

Now you have all of the records in the array of $row and you can use it to do what you need to. You can make sure the data is there by printing the entire array:

print_r($row);

Cheers!
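
An added example, not part of the answer above or the asker's code: the drop-down lookup with the raw value bound to the placeholder and HTML escaping applied only when echoing. It uses an in-memory SQLite database through PDO as a stand-in for the MySQL server so it runs without credentials; the `findTitle` and `h` helpers, the table rows and the request values are constructed for illustration.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the MySQL server.
// Table rows and request values below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Titles (jobName TEXT, description TEXT, posType TEXT, basePay REAL)");
$pdo->exec("INSERT INTO Titles VALUES
    ('R&D Engineer', 'Builds prototypes', 'Full-time', 72000),
    ('Driver''s Helper', 'Loads and unloads', 'Part-time', 31000)");

// Look up one job title with a bound parameter; returns the row or null.
function findTitle(PDO $pdo, string $jobName): ?array
{
    $stmt = $pdo->prepare(
        "SELECT jobName, description, posType, basePay FROM Titles WHERE jobName = ?"
    );
    $stmt->execute([$jobName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escape for the HTML context only at the moment of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request; PHP has already URL-decoded the values in $_GET.
$get = ['fname' => '<b>Ann</b>', 'lname' => "O'Neil", 'jobName' => 'R&D Engineer'];

// 1. Raw value bound to the placeholder: the row is found.
$row = findTitle($pdo, $get['jobName']);

// 2. HTML-encoded before the lookup: the key becomes "R&amp;D Engineer", no match.
$encodedFirst = findTitle($pdo, htmlentities($get['jobName']));

// 3. A value containing a quote is compared as data and matches its row.
$quoted = findTitle($pdo, "Driver's Helper");

var_dump($row !== null, $encodedFirst === null, $quoted !== null);

if ($row !== null) {
    echo '<h4>Hello ', h($get['fname']), ' ', h($get['lname']),
         ' Job Title: ', h($row['jobName']),
         ' Job Description: ', h($row['description']),
         ' Position Type: ', h($row['posType']),
         ' Base Pay: ', h((string) $row['basePay']), "</h4>\n";
}
```

Case 2 is one way a drop-down lookup can come back empty even though the query itself is correct: the value compared in the `WHERE` clause no longer equals the stored `jobName`.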
