Tags: php, get, bootstrap-modal

Modal does not change its content because of GET ID


I have to display content based on its id, but the GET id is not working. But I can see in the URL that it retrieves the id, and it changes if I click the button. Should I force myself to use AJAX, or is there an alternative way to retrieve the id? I really appreciate any help.

<?php
// $connection is the mysqli handle created in conn.php
$viewquery = mysqli_query($connection, "SELECT * from orders");
while ($row = mysqli_fetch_assoc($viewquery)) {
    $id                 = $row['id'];
    $full_name          = $row['full_name'];
    $email_address      = $row['email_address'];
    $contact_number     = $row['contact_number'];
    $address            = $row['address'];
    $user_id            = $row['user_id'];
    $reference_number   = $row['reference_number'];
    $additional         = $row['additional'];
    $payment_method     = $row['payment_method'];
    $transaction_status = $row['transaction_status'];

    echo '<tr>';

    // Link that is supposed to hand the order id to the modal further down the page
    echo '<td>';
    echo "<a href='#?idrequest=$id'><button type='button'
            class='btn btn-primary' data-toggle='modal' data-target='#exampleModalLong'
            data-formid='$id'>
            $reference_number
          </button></a>";
    echo '</td>';

    echo "
        <td> $id </td>
        <td> $full_name </td>
        <td> $email_address </td>
        <td> $contact_number </td>
        <td> $address </td>
        <td> $user_id </td>

        <td> $additional </td>
        <td> $payment_method </td>
        <td> $transaction_status </td>

        <td>
            <a href='delete.php'>
            <i class='material-icons' id='coloricon'>delete </i>
            </a>
        </td>
        </tr>
    ";
}
?>

<div class="modal fade" id="exampleModalLong" tabindex="-1" role="dialog"
aria-labelledby="exampleModalLongTitle" aria-hidden="true">
<div class="modal-dialog" role="document">
<div class="modal-content">
  <div class="modal-header">
    <h5 class="modal-title" id="exampleModalLongTitle">Modal title</h5>
    <button type="button" class="close" data-dismiss="modal" aria-label="Close">
      <span aria-hidden="true">&times;</span>
    </button>
  </div>
  <div class="modal-body">
      <?php
      include("conn.php");
      // Reads the id that the link in the table is expected to put in the query string
      $idrequest = $_GET['idrequest'];
      $query = "SELECT * from orders where id ='$idrequest'";
      $result = mysqli_query($connection, $query);
      $view = mysqli_fetch_assoc($result);
      $details = $view['summary_all'];
      echo $details;
      ?>
  </div>
  <div class="modal-footer">
    <button type="button" class="btn btn-secondary" data-dismiss="modal">Close</button>
    <button type="button" class="btn btn-primary">Save changes</button>
  </div>
</div>
</div>
</div>

The code above is for the modal, for which I used a Bootstrap modal.


Solution

  • I really didn't want to write a post on this, as there is so much going on that needs to be fixed, but your immediate issue is

        <a href='#?idrequest=$id'> .... </a>
    

    This hash (#) or pound sign creates what is called a URL fragment. Now you have to understand that fragments are client-side only and are not sent to the server. So anything following the # will not be sent. Therefore there is no way to access this "pseudo" query string. So at the very least toss that #.

        <a href='?idrequest=$id'> .... </a>
    

    If you had error reporting turned on, you would see a warning for an undefined index.

      <?php
          error_reporting(-1);
          ini_set('display_errors', '1');
    

    Because $_GET['idrequest'] doesn't exist in this code's current form.

    Beyond that, your SQL is wide open to SQL injection. As I said in the comment, if someone put the URL in with

    $_GET['idrequest'] = "1' OR 1=1"
    $idrequest = $_GET['idrequest'];
    "SELECT * from orders where id ='$idrequest'"
    

    Your SQL query is modified to this:

    "SELECT * from orders where id ='1' OR 1=1"
    

    Because 1 is always equal to 1, this "hack" will always return some rows. Therefore always use prepared statements.

    Beyond that, if this is publicly accessible, any user could simply iterate through your user table to look at orders from other users. These may include personally identifiable information, such as phone and address information. You could add the user_id into this search, which should be a foreign key on this table anyway. That user id would then come from whatever system you are using for login (not user-entered data), which would only allow them to see their own orders.

    I won't even touch on the styling/formatting issues, with wrapping a button in a link, or this ad-hoc mixing of raw HTML and HTML inside PHP strings, which makes the code a real challenge to read.

    Or this

     include("conn.php");
    

    Which should be

     require "conn.php";
    

    include and require don't need the (), and you should use require if the script won't execute without the included file. This being a DB connection, I would say things won't go as planned if that file is missing.

    Cheers.
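The three points in the answer above (the fragment never reaching the server, the injectable query, and the missing per-user scoping) in one runnable script. This is an added example, not code from the question or the answer; it uses PDO with an in-memory SQLite database so it runs stand-alone, where the real site would use its connection from conn.php. The function names serverSideParams, vulnerableLookup and secureLookup, the orders table with only id, user_id and summary_all, the three sample rows, and the $sessionUserId parameter (assumed to come from the login system, not from the request) are all assumptions made for the demo.

```php
<?php
// Added example, not code from the question or the answer above. It reproduces
// the answer's three points against an in-memory SQLite database via PDO so it
// runs stand-alone; on the real site $db would be the connection from conn.php.
// The orders table and the three sample rows are constructed for this demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, summary_all TEXT NOT NULL)');
$db->exec("INSERT INTO orders (id, user_id, summary_all) VALUES
    (1, 10, 'order 1, belongs to user 10'),
    (2, 10, 'order 2, belongs to user 10'),
    (3, 20, 'order 3, belongs to user 20')");

// Point 1: what reaches the server. Browsers never send the fragment, so for the
// '#?idrequest=' form there is no query string at all and $_GET stays empty.
function serverSideParams(string $href): array
{
    $parts  = parse_url($href);
    $params = [];
    parse_str($parts['query'] ?? '', $params);
    return $params;
}

// Point 2: the question's query as written. The id is interpolated into the SQL
// string, so "1' OR 1=1" turns the WHERE clause into  id = '1' OR 1=1  and the
// whole table comes back instead of one order.
function vulnerableLookup(PDO $db, string $idrequest): array
{
    return $db->query("SELECT id, user_id, summary_all FROM orders WHERE id = '$idrequest'")->fetchAll();
}

// Point 3: prepared statement plus the logged-in user's id from the session, so
// the request can only ever return that user's own order and cannot enumerate
// other people's orders by counting through ids.
function secureLookup(PDO $db, int $sessionUserId, string $idrequest): ?array
{
    // Validate before touching the database: only a positive integer is an order id.
    $id = filter_var($idrequest, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, user_id, summary_all FROM orders WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $sessionUserId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$payload = "1' OR 1=1";                                            // the injection from the answer
var_dump(serverSideParams('https://example.test/orders.php#?idrequest=1')); // fragment only: nothing arrives
var_dump(serverSideParams('https://example.test/orders.php?idrequest=1'));  // real query string
echo count(vulnerableLookup($db, $payload)), " rows from the vulnerable query\n";
var_dump(secureLookup($db, 10, $payload));   // rejected by the integer check before any SQL runs
var_dump(secureLookup($db, 10, '2'));        // user 10 asking for their own order
var_dump(secureLookup($db, 10, '3'));        // user 10 asking for user 20's order
```

Run it from the command line with php. To use the hardened lookup against the site's MySQL, replace $db with a PDO MySQL connection (and set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding), or with mysqli use mysqli_prepare() and bind_param('ii', $id, $sessionUserId); the validation and the user_id condition stay exactly the same.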