Php dropdown list problems

Hi guys, I’m new to this and need some help please. I am starting this project for my school and and a bit lost as this is new to me and I have been going through a lot of google searched sites with no luck. I cannot seem to get this code to work for me. Please guys help me, pretty please… It has three dropdowns, first one is to select the students first name, then the second is for the surname and lastly the student ID. The actual problem is that I do get the unique list but not the surname list. I am able to see the selected value of the first name via the alert statement but end up with a blank 2nd and 3rd list.

//config.php DB Code
<?php
$db = mysqli_connect("localhost", "root", "", "students");
if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
}
?>


//index.php code for student first dropdown selection
<select onChange="getstudentsurname(this.value);" name="studentfirstname" id="studentfirstname" class="form-control">
    <option value="">Select Student Name</option>
    <?php
    require_once "config.php";
    $result = mysqli_query($db, "SELECT DISTINCT studentfirstname FROM tbl_classreg");
    while ($row = mysqli_fetch_array($result)) {
    ?>
        <option value="<?php echo $row['studentfirstname']; ?>"><?php echo $row["studentfirstname"]; ?></option>
    <?php
    }
    ?>
</select>


//index.php code for student surname dropdown selection
<div class="form-group col-md-12">
    <select name="studentsurname" id="studentsurname" class="form-control">
        <option value="">Select Student Surname</option>
    </select>
</div>


//index.php code for student ID dropdown selection
<div class="form-group col-md-12">
    <select name="studentid" id="studentid" class="form-control">
        <option value="">Select Student ID</option>
    </select>
</div>

<script>
    function getstudentsurname(val) {
        $.ajax({
            type: "POST",
            url: "getstudentsurname.php",
            data: 'studentfirstname=' + val,
            success: function(data) {
                console.log(val);
                $("#studentsurname").html(data);
            }
        });
        $('#studentsurname').on('change', function() {
            var studentid = this.value;
            $.ajax({
                url: "getstudentid.php",
                type: "POST",
                data: {
                    studentid: studentid
                },
                cache: false,
                success: function(result) {
                    $("#getstudentid").html(result);
                }
            });
        });
    }
</script>


//getstudentsurname.php code
<?php
require_once "config.php";
$studentfirstname = $_POST["studentfirstname"];
$result = mysqli_query($db, "SELECT studentsurname FROM tbl_classreg where studentfirstname = $studentfirstname");
?>
<option value="">Select Student ID</option>
<?php
while ($row = mysqli_fetch_array($result)) {
?>
    <option value="<?php echo $row["studentsurname"]; ?>"><?php echo $row["studentsurname"]; ?></option>
<?php
}
?>


//getstudentid.php code
<?php
require_once "config.php";
$studentsurname = $_POST["studentsurname"];
$result = mysqli_query($db, "SELECT studentid FROM tbl_classreg where studentsurname = $studentsurname");
?>
<option value="">Select Student ID</option>
<?php
while ($row = mysqli_fetch_array($result)) {
?>
    <option value="<?php echo $row["studentid"]; ?>"><?php echo $row["studentid"]; ?></option>
<?php
}
?>

You are getting query errors, because the value being put into the WHERE clause is a string, but it is not enclosed within single-quotes, resulting in the database server trying to treat the value as a column name.

Three things -

  1. You should always have error handling for the database statements that can fail - connection, query, prepare, and execute. This would have alerted you to the problem. The easiest way of adding error handling, without adding code at each statement, is to use exceptions for errors and in most cases simply let php catch and handle the exception, where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors.) You would then remove any existing error handling (for the connection), since it will no longer be executed upon an error, simplifying the code.
  2. Use a prepared query when supplying external, unknown, dynamic values to a query when it gets executed, so that any sql special characters in a value won’t break the sql query syntax, which is how sql injection is accomplished. This would actually solve the current problem since you would only be putting a prepared query place-holder ? into the sql query statement, rather than a php variable.
  3. Switch to the much simpler and more consistent PDO database extension. The mysqli extension is overly complicated and inconsistent, especially when dealing with prepared queries.

I have tried to change $studentfirstname to ‘$studentfirstname’ but it still not working

Sponsor our Newsletter | Privacy Policy | Terms of Service