
Ajax using PHP Script


Guest vfalkar


Hi all. I went through the Ajax database example given in: http://www.w3schools.com/ajax/ajax_database.asp

The code is given in ASP. I want to write the same code in PHP script, I mean the last part. Now I am taking a sample database for doing the same. But on selecting the user name the details are not displayed. Neither is any error being displayed. What might be the possible error? Can anyone give me the exact code for doing so?


  • 2 weeks later...

vf,

It should be something like this:

```php
<?php
$cid = $_GET['cid'];

// Your SQL connect string and credentials go here
$sqlconnect = odbc_connect($dsn, $user, $password);

// $cid is placed into the query text exactly as received
$sql = "SELECT * FROM CUSTOMERS WHERE CUSTOMERID=$cid";
$proc = odbc_exec($sqlconnect, $sql);

// One table row per result row
echo "<table>";
while (odbc_fetch_row($proc)) {
  echo "<tr><td><b>" . odbc_result($proc, "name") . "</b></td>";
  echo "<td>" . odbc_result($proc, "value") . "</td></tr>";
}
echo "</table>";
?>
```

Obviously it will be a little different depending on what you're pulling from the database. As usual, read the PHP tutorial for specifics on how to pull data from a database.

~ MiJa


PHP handles database connections totally differently than ASP does. But this depends on which database you are using. If you are using MySQL:

```php
<?php
$cid = $_GET['cid'];
mysql_connect($database_server, $database_user, $database_password);
mysql_select_db($database_name);
$sql = "SELECT * FROM CUSTOMERS WHERE CUSTOMERID='" . mysql_escape_string($cid) . "'";
$result = mysql_query($sql);
echo "<table>";
while ($row = mysql_fetch_assoc($result))
{
  echo "<tr><td><b>" . $row['name'] . "</b></td>";
  echo "<td>" . $row['value'] . "</td></tr>";
}
echo "</table>";
?>
```

You also need to protect against SQL injection; it is a terrible idea to take things directly from GET or POST and use them in database queries (that's the point of the mysql_escape_string function above). That's a great way to allow someone to delete your entire database.

Good point about SQL injection, but is it really possible to delete something with a SELECT statement? :)

Please only comment about my statement here http://w3schools.invisionzone.com/index.php?showtopic=4186 so we don't hijack this post.

Of course it's possible, you can run anything you want. If this is the code:

```php
$id = $_GET['id'];
$sql = "SELECT * FROM table WHERE id=$id";
```

Consider this:

page.php?id=0%3BDELETE%20FROM%20table%20WHERE%201

the query becomes:

```php
$sql = "SELECT * FROM table WHERE id=0;DELETE FROM table WHERE 1";
```
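
The point running through the replies above, as an added example that is not part of the original thread: escaping only helps inside a quoted string, while a validated integer bound to a placeholder keeps the input out of the SQL text entirely. The `customers` rows, the `findCustomer` function, the in-memory SQLite database (standing in for MySQL) and `addslashes` (standing in for `mysql_escape_string`) are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Table, rows and function name are
// constructed; SQLite in memory stands in for the poster's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (customerid INTEGER PRIMARY KEY, name TEXT, value TEXT)");
$pdo->exec("INSERT INTO customers VALUES (1, 'Alice', 'gold'), (2, 'Bob', 'silver')");

function findCustomer(PDO $pdo, $rawId): array
{
    // Strict integer check; compare with === false because id 0 is a valid int.
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];
    }
    // The placeholder keeps the SQL text fixed; the value travels separately.
    $stmt = $pdo->prepare('SELECT name, value FROM customers WHERE customerid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The query-string value quoted in the thread, after URL decoding.
$payload = urldecode('0%3BDELETE%20FROM%20table%20WHERE%201');

// String building as in the thread: the input becomes part of the SQL text.
echo "Concatenated: SELECT * FROM table WHERE id=$payload\n";

// Escaping alone changes nothing in an unquoted numeric context, because the
// payload contains no quote or backslash for the escaper to act on.
echo "Escaped:      SELECT * FROM table WHERE id=" . addslashes($payload) . "\n";

// Validated and bound lookups: first the thread's payload, then a well-formed id.
var_dump(findCustomer($pdo, $payload));
var_dump(findCustomer($pdo, '2'));

// Row count after both lookups, to confirm nothing was modified.
echo (int) $pdo->query('SELECT COUNT(*) FROM customers')->fetchColumn(), " rows in customers\n";
```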
