Rob Spoor wrote: For the SQL injection you should either use http://php.net/manual/en/mysqli.real-escape-string.php or preferably PDO.
For the JavaScript injection you should actually not set innerHTML at all. Instead your response should be something that is not HTML, like JSON, and then do some JavaScript magic to create the table instead. There you should set the text of elements, not the innerHTML. jQuery can be really useful there.
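The JSON-then-build-the-DOM approach described above, as an added example that is not code from this thread. The rows are a constructed stand-in for a decoded JSON response from getCustomer.php, and the tiny fake `document` exists only so the snippet runs outside a browser (in a page you would pass the real `document`).

```javascript
'use strict';

// Constructed stand-in for the browser document so this runs under Node.
// It supports just createElement/appendChild/textContent and serializes
// the way a browser would: textContent is always emitted as escaped text.
function makeFakeDocument() {
  const escapeHtml = s => String(s).replace(/[&<>"]/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  const node = tag => ({
    tag, children: [], textContent: '',
    appendChild(child) { this.children.push(child); return child; },
    get outerHTML() {
      const inner = this.children.length
        ? this.children.map(c => c.outerHTML).join('')
        : escapeHtml(this.textContent);
      return `<${this.tag}>${inner}</${this.tag}>`;
    },
  });
  return { createElement: node };
}

// Build a <table> from the rows the server returned as JSON. Every value goes
// in through textContent, so a value containing markup is shown as data, not
// parsed as HTML. This is the replacement for assigning to innerHTML.
function buildTable(rows, columns, doc) {
  const table = doc.createElement('table');
  const head = table.appendChild(doc.createElement('tr'));
  for (const col of columns) head.appendChild(doc.createElement('th')).textContent = col;
  for (const row of rows) {
    const tr = table.appendChild(doc.createElement('tr'));
    for (const col of columns) {
      const td = tr.appendChild(doc.createElement('td'));
      td.textContent = row[col] == null ? '' : String(row[col]);
    }
  }
  return table;
}

// The pattern the thread warns against, kept only for contrast: database
// values concatenated straight into markup, so '<' and '&' become HTML.
function buildTableUnsafe(rows, columns) {
  let html = '<table><tr>' + columns.map(c => `<th>${c}</th>`).join('') + '</tr>';
  for (const row of rows) html += '<tr>' + columns.map(c => `<td>${row[c]}</td>`).join('') + '</tr>';
  return html + '</table>';
}

// Constructed sample rows, including a customer name that contains markup characters.
const SAMPLE_ROWS = [{ id: 1, name: 'Acme & Sons' }, { id: 2, name: '<b>Smith</b>' }];
const COLUMNS = ['id', 'name'];
```

Comparing `buildTable(SAMPLE_ROWS, COLUMNS, makeFakeDocument()).outerHTML` with `buildTableUnsafe(SAMPLE_ROWS, COLUMNS)` shows the difference: the safe version renders the second name as literal text, the unsafe one emits a live `<b>` element.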
Rob Spoor wrote: By the way, your code is vulnerable to both SQL injection (getCustomer.php line 26) and XSS / JavaScript injection (NewInvoice.php line 31).
Ifraz Imanudeen wrote: Try having another column and use a hyperlink.
On that page create the query
Alex gRin wrote: Please help me get a value on click from a table using JavaScript
I have a table generated from a MySQL query. I have code that highlights the row on mouse click in JavaScript, but I also want to get the values of the cells from the row that is highlighted. I tried different things, but I always get the error "value undefined".
Here is my code
In the JavaScript function I not only want to get the row highlighted, but I also want to get the values of the cells in that row on mouse click.
THANKS IN ADVANCE
Paul Clapham wrote: Well, like I said already, you're doing that calculation of IN and OUT and Res before you start looping through the ResultSet. I'm surprised that doesn't throw an exception but at any rate since you only do that calculation once, you can't expect to see different values for it in your output.
Paul Clapham wrote: That code from line 14 to 21: you execute it before the first row of the ResultSet has been read, so it should throw an exception. However at lines 29 and 30 you have code which runs regardless of whether an exception was thrown, in effect ignoring the exception. I don't think you should be doing that, unless it's really true that it doesn't matter to 29 and 30 whether the SQL was processed correctly or not.
And in line 24 you create a new TableModel for each row of the ResultSet and add it to... something. Not sure what the something is but I suspect that you maybe should have only one TableModel.
Knute Snortum wrote: Also GROUPBY is GROUP BY (which is what I think Tim meant).
Tim Holloway wrote: Something important to note is that it is very dangerous to use upper/lower case in SQL database table and column names. Not all SQL DBMSs handle mixed case the same way and some have very strange ways of dealing with mixed case.
In SQLite, I believe that mixed case is handled literally, so you have to use the exact same case usage all the time, and thus, for example, OUTSTOCK would not match OutStock. What I recommend actually would be out_stock as the safest name, but lots of SQLite projects do use mixed case.
And ORDER BY is 2 words. ORDERBY is invalid.
Ron McLeod wrote: I don't have a complete answer, but here are some issues that I can see:
- For INSTOCK and OUTSTOCK, you probably want COUNT() rather than SUM()
- StockStatus is an INTEGER, but you are trying to match to 'IN' and 'OUT'
- Missing ON in JOIN statement
- It's GROUP BY not GROUPBY
- You are referencing a placeholder in your PreparedStatement (PIN.setString(1, ...)), but there is no placeholder defined
- I don't think you can SUM two aliases as you have specified. Why not just calculate INSTOCK - OUTSTOCK in your code?
Ifraz Imanudeen wrote:
Below is the OUTPUT ERROR for the above: