replace div with php content
I have a div. When I click on any sub-element list-item, I am posting the item no. to a PHP file which displays some details corresponding to that list item. But there are two problems:
First, I want to replace the div with the content of the PHP file. Second, I am getting an error while processing the PHP file:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
the div looks like:
<div id="list">
<?php
$query = "SELECT * from workflow WHERE name = '$username' ORDER BY msg_id DESC";
$result = mysql_query($query) or die("ERROR: $query.".mysql_error());
while ($row = mysql_fetch_object($result)) {
    echo "<div class=list-item-wrap>";
    echo "<a href='#'><input class=msgid type=hidden value=".$row->msg_id."><div class=list-item>";
    echo "<b><h1>".$row->subject."</h1></b>".substr($row->message, 0, 200)."...<br><b>".$row->sender."</b>";
    echo "</div></a></div>";
}
?>
<br>
</div>
</div>
the php file looks like:
<?php
include 'header.php';
$msg_id = $_POST['msg_id'];
//$msg_id = 1;
$query = "SELECT * from workflow WHERE msg_id = $msg_id";
$result = mysql_query($query) or die (mysql_error());
//echo $row->username;
if (mysql_num_rows($result) > 0){
    while ($row = mysql_fetch_object($result)) {
        echo "<div id=display-wrap>";
        echo "<h1>".$row->sender."</h1><br>";
        echo "<h2>".$row->subject."</h2>";
        echo "<h3>".$row->datetime."</h3><br>";
        echo "<h3>".$row->message."</h3><br>";
        echo "</div>";
    }
}
?>
OK, I was looking around and found this question still unanswered after 2 months. Here goes.
First off: your query in the second file looks OK, if (and only if) $_POST['msg_id'] is a number. But since you're not doing any quoting or escaping or validation on the value here, you can't guarantee that. Set $msg_id like
$msg_id = intval($_POST['msg_id']);
to take care of that problem if msg_id should be an int. Anything that's not a number will become zero, allowing you to easily check for unset or invalid values if you care. (This assumes your IDs will never legitimately be zero, which is a valid assumption in a table with an auto_increment ID field.) If msg_id is anything besides numbers, you'll need to change the query to look like
$msg_id_sql = mysql_real_escape_string($msg_id);
$query = "SELECT * from workflow WHERE msg_id = '$msg_id_sql'";
Secondly: Check to make sure $username has a value, and that the HTML that's generated by the first script is correct. Also, you should escape it (using mysql_real_escape_string, as above) before using it in your query, especially if it came from the user. Since you didn't really post anything about that here, it's something you'll need to do yourself. What you're trying to do looks pretty odd, really... hidden fields aren't very useful unless you're submitting the form they're in (which would reload the page, defeating the purpose of all the ajax stuff).
Thirdly: To do the actual retrieval and replacement, I'd recommend jQuery. innerHTML is common, but not standard. Some browsers support it, some don't... and jQuery hides those differences (as well as hiding the complexity of handling async form posts and such). Sample jQuery code (which may or may not need minor changes; I don't have test stuff handy):
$.post('second_page.php',
{ msg_id: some_msg_id_to_retrieve },
function(data) { $('#the_results_div_id').html(data); }
);
I don't intend to go into how to do it in vanilla JS. (I could if absolutely necessary, but eh -- it's like 4-5 times as much code, at least.) If you really want to do it without jQuery, google for XMLHttpRequest (for the retrieval part) and innerHTML (to replace the div's contents with your own stuff).
Fourth: mysql_query and friends are way, WAY past their prime, and should be dragged out and shot. (Whoever taught you to use them probably ought to be as well, considering he's become part of the problem. :P) Google for PDO (PHP Data Objects) and/or mysqli; both provide a feature known as "prepared statements" which allows you to separate your query and your data. That separation provides a number of benefits -- one being that you can build and run a query safely without having to worry much about what your data looks like. (As long as you're not one of those idjits that relies on magic quotes. If you do, frankly, you're pretty well screwed. Magic quotes do the wrong thing when you least expect it, making SQL injection pretty much unavoidable.)
Anyway, I prefer PDO, but either is better than the mysql functions.
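The prepared-statement approach recommended above, applied to the question's detail page, as an added example that is not part of the original answer or the poster's code. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, the sample row and inputs are constructed, and `render_message` is a hypothetical helper name.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server so the
// script runs offline; for MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample row, using the column names from the question.
$pdo->exec('CREATE TABLE workflow (msg_id INTEGER PRIMARY KEY, name TEXT,
            sender TEXT, subject TEXT, datetime TEXT, message TEXT)');
$pdo->prepare('INSERT INTO workflow (name, sender, subject, datetime, message)
               VALUES (?, ?, ?, ?, ?)')
    ->execute(['alice', 'bob', 'Budget <draft>', '2011-05-01 10:00', 'Reply by Friday & cc me']);

// Hypothetical helper: returns the HTML fragment for one message,
// or '' when the id is missing, malformed or unknown.
function render_message(PDO $pdo, $raw_id): string
{
    // Only a positive integer passes; '', null, 'abc' and '1 OR 1=1' do not.
    $msg_id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($msg_id === false) {
        return '';
    }
    // The id is bound as data and never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT sender, subject, datetime, message
                           FROM workflow WHERE msg_id = :msg_id');
    $stmt->bindValue(':msg_id', $msg_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    if ($row === false) {
        return '';
    }
    // The fragment ends up inside the page, so encode every column for HTML.
    $e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
    return sprintf(
        '<div id="display-wrap"><h1>%s</h1><h2>%s</h2><h3>%s</h3><h3>%s</h3></div>',
        $e($row->sender), $e($row->subject), $e($row->datetime), $e($row->message)
    );
}

// Constructed inputs: a valid id, an empty value (which leaves the question's
// string-built query ending at "msg_id ="), junk, and an unknown id.
foreach (['1', '', 'abc', '1 OR 1=1', '99'] as $input) {
    $html = render_message($pdo, $input);
    printf("%-12s => %s\n", var_export($input, true), $html !== '' ? $html : '(no output)');
}
```

Only the first input produces a fragment; in the real page the raw id would come from `$_POST['msg_id'] ?? null`.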
Hmm, try cleaning up the SQL
$query = "SELECT * FROM `workflow` WHERE `name` = '$username' ORDER BY `msg_id` DESC";
It could also be the content you are putting in the variable $username.
As far as updating the div's content, AJAX is your easiest solution in my opinion.
In your query try to change
$query = "SELECT * from workflow WHERE name = '$username' ORDER BY msg_id DESC";
to
$query = "SELECT * from workflow WHERE name = '".$username."' ORDER BY msg_id DESC";
Same goes with the msg id also.