1

I have a form that a user uses to comment on a post. The hidden input of this form is correct: it gets the correct 'streamidcontent', yet when I send it through AJAX and into the database it always changes to the last created status id '4076' and adds it to that post at the very top of the feed. So I'm wondering what I'm doing wrong.

streamdata_comments

1 comment_id int(11) No None AUTO_INCREMENT
2 comment_poster int(11) No None
3 comment_streamitem int(11) No None
4 comment_datetime datetime No None

FORM

<form id="mycommentform" method="POST"  class="form_statusinput">
<input type="hidden"  name="streamidcontent" id="streamidcontent" value="'.$streamitem_data['streamitem_id'].'">
<input type="text" name="content" id="content" placeholder="Say something" autocomplete="off">
<input type="submit" id="button" value="Feed">
</form>

COMMENT_ADD.PHP

<?php
session_start();
require"include/load.php";
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);

if(isset($_POST['streamidcontent']) && isset($_POST['content'])){

        $content =  htmlspecialchars($_POST['content']);
        $streamid = htmlspecialchars($_POST['streamidcontent']);
            $content = preg_replace('/(?<!S)((http(s?):\/\/)|(www.))+([\w.1-9\&=#?\-~%;\/]+)/','<a href="http$3://$4$5">http$3://$4$5</a>', $content);

            $insert = "INSERT INTO streamdata_comments(comment_poster, comment_streamitem, comment_datetime, comment_content) VALUES (".$_SESSION['id'].",'$streamid',UTC_TIMESTAMP(),'$content')";


            $add_post = mysqli_query($mysqli,$insert) or die(mysqli_error($mysqli));
            }

AJAX

<script>
$(document).ready(function(){
$("form#mycommentform").submit(function(event) {
event.preventDefault();
var streamidcontent = $("#streamidcontent").val();
var content = $(this).children('#content').val();

$.ajax({
type: "POST",
url: "comment_add.php",
cache: false,
dataType: "json",
data: { streamidcontent: streamidcontent, content: content}, 
success: function(html){  
$("#containerid").html("<div class='stream_comment_holder' id='comment_holder_"+html['comment_streamitem']+"'><div id='comment_list_"+html['comment_streamitem']+"'><div class='stream_comment' id='comment_"+html['comment_id']+"'>div class='stream_comment_holder' id= style='display:;'><div class='stream_comment'><table width='100%'><tbody><tr><td valign='top' width='30px'><img class='stream_profileimage' style='border:none;padding:0px;display:inline;' border=\"0\" src=\"imgs/cropped"+html['id']+".jpg\" onerror='this.src=\"img/no_profile_img.jpeg\"' width=\"40\" height=\"40\" ></td><td valign='top' align='left'><a href='profile.php?username="+html['username']+"'>"+html['first']+" </a>"+html['comment_content']+"</td></tr></tbody></table></div></div></div></div>");
}
});
return false
});
});
</script>

AND MY OLD AJAX WHICH INSERTED FINE. But I need to add my like, dislike and delete button to this. So changed it to the above AJAX which doesn't work properly.

function addcomment(streamid,content,containerid,posterid,postername,postid){
var obj = document.getElementById(containerid);
$.post("../comment_add.php", { streamid: streamid,content:content} );
obj.innerHTML = obj.innerHTML + "<div class='stream_comment'><table width='100%'><tbody><tr><td valign='top' width='30px'><img style='border:none;padding:0px;height:30px;width:30px;border-radius:0px;' src='imgs/cropped"+posterid+".jpg' onerror='this.src=&quot;img/no_profile_img.jpeg&quot;;'></td><td valign='top' align='left'><a href='profile.php?username="+posterid+"'>"+postername+" </a>"+content+"</td></tr></tbody></table></div>";
}
dave

2 Answers

2

There are some strange things happening in your code:

$content =  $_POST['content'];
$content =  strip_tags($_POST['content']);

You are filling the $content variable twice with different values. The same goes for the id:

$streamid = $_POST['streamidcontent'];
$streamid = strip_tags($_POST['streamidcontent']);

I seriously doubt you should use strip_tags anyway before inserting it into the database. Just use htmlspecialchars() when you display it. Or use htmlpurifier when displaying it. Also you have a SQL Injection vulnerability in your application. Read more about preventing this here: How can I prevent SQL injection in PHP?.

With the code you have shared the new record will be assigned a new id. How did you check you got the same id every time?

Finally you can get the last inserted id in mysqli by doing:

echo $mysqli->insert_id;

after the query().

Also have you checked the rendered HTML to see what the id is in the first place?

PeeHaa
  • I checked by running over the form with firebug. It shows the id of that post the user is commenting on. – dave Aug 26 '12 at 12:29
  • $streamitem_data['streamitem_id'] always shows up as the POST you're commenting on id. When I scroll over each comment box in each post with firebug, the hidden input id changes to the posts unique id. So I know that is right. – dave Aug 26 '12 at 12:41
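
The SQL injection point raised in the answer above, applied to the question's INSERT as an added example (not code from either poster). add_comment() is a hypothetical helper; $mysqli is assumed to come from include/load.php and $_SESSION['id'] to hold the logged-in user's id, as in the question. The response carries only the comment fields, escaped for display because the question's AJAX handler concatenates them into HTML.

```php
<?php
session_start();
require "include/load.php";            // provides $mysqli (as in the question)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper (not from the page): validates the input, inserts the
 * comment with bound parameters and returns the fields the AJAX handler reads.
 */
function add_comment(mysqli $mysqli, int $posterId, $rawStreamId, $rawContent): array
{
    // The stream item id must be a positive integer and nothing else.
    $streamId = filter_var($rawStreamId, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    $content  = is_string($rawContent) ? trim($rawContent) : '';
    if ($streamId === false || $content === '') {
        throw new InvalidArgumentException('invalid stream id or empty comment');
    }

    // Placeholders keep user input out of the SQL text. The raw comment is
    // stored; escaping happens only when it is sent back for display.
    $stmt = $mysqli->prepare(
        'INSERT INTO streamdata_comments
             (comment_poster, comment_streamitem, comment_datetime, comment_content)
         VALUES (?, ?, UTC_TIMESTAMP(), ?)'
    );
    $stmt->bind_param('iis', $posterId, $streamId, $content);
    $stmt->execute();

    return [
        'comment_id'         => $mysqli->insert_id,
        'comment_streamitem' => $streamId,
        'comment_content'    => htmlspecialchars($content, ENT_QUOTES, 'UTF-8'),
    ];
}

header('Content-Type: application/json');
try {
    if (!isset($_SESSION['id'])) {
        throw new InvalidArgumentException('not logged in');
    }
    echo json_encode(add_comment($mysqli, (int) $_SESSION['id'],
        $_POST['streamidcontent'] ?? null, $_POST['content'] ?? null));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```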
2

Have you ever thought that the error might actually be your feed, and not the actual insert? Or it could be the AJAX?

To verify the insert is working or not, try:

echo $streamid;  // Shows you're getting the right value from AJAX.

$add_post = mysqli_query($mysqli,$insert) or die(mysqli_error($mysqli));
if($add_post) {
    $NewID = mysqli_insert_id($mysqli);
    $query = 'SELECT * FROM streamdata_comments WHERE comment_id=' . $NewID;  
    if ($result = mysqli_query($mysqli, $query)) {
        while ($row = $result->fetch_object()){
            var_dump($row);   // Check the actual input is as you expected.
        }
        mysqli_free_result($result);
    }
}

If using AJAX, you'll need to monitor results through one of the network tools (press F12 in Chrome, NET panel; or use Fiddler for Win or Charles for Mac).

Robbie
  • Your code echos"4076"; which is the wrong id for the post I commented on. I've updated the original question with the AJAX. – dave Aug 26 '12 at 12:34
  • It could be the AJAX as I have my original piece of AJAX that works fine. Only I need to add some items to it with JSON, so changed it to the above. I still have the old AJAX code. Would you like me to post that? – dave Aug 26 '12 at 12:49
  • 1
    Ok, so now change the input from hidden to text, just to check it's right there. (You said it is in the question, just worth double checking, and this is a visual way.) Also check you only have one id (streamidcontent must be unique through the whole page, not just in the form) – Robbie Aug 26 '12 at 12:49
  • 1
    Yes, post the other Ajax, out check for differences. – Robbie Aug 26 '12 at 12:50
  • Yes the ID's are unique to the individual posts, added the old ajax. – dave Aug 26 '12 at 12:54
  • 1
    Is the id unique in the html? Do you have another div or input etc. with id="streamidcontent"? – Robbie Aug 26 '12 at 13:02
  • Found the issue AGAIN. I don't have duplicate id's yet I had to change the streamidcontent to .children. And now it's working fine. Thank you. – dave Aug 26 '12 at 13:08