
I'm trying to create a simple upvote button in an HTML form that uses PHP to update a MySQL database. I know there are better implementations with Ajax etc but I'm looking to just use simple HTML and PHP.

I've been able to update the database using input type="number" form element but can't update when I try changing it to input type="submit" with value=1.

HTML

<form action="send_formdata.php" method="POST">
     <label>Digs</label>
     <input type="submit" name="digs" id="digs" value=1>
</form>

PHP (in send_formdata.php)

<?php
    $link = mysqli_connect("mysql.XXXXXX.com","XXXXX","XXXX","XXXXXX") or die("failed to connect to server !!");
    mysqli_select_db($link,"XXXXXX");

    if(isset($_REQUEST['submit'])){
        $errorMessage = "";
        $digs=$_POST['digs'];

        if ($errorMessage != "" ) {
            echo "<p class='message'>" .$errorMessage. "</p>" ;
        }else{
            $insqDbtb="UPDATE `XXXXXXXX`.`coffee`
            SET digs = digs + '$digs'
            WHERE name = 'Africa'";
            mysqli_query($link,$insqDbtb) or die(mysqli_error($link));
        }
    }
?>

MySQL Database Info:

Table name: coffee

Column   Type
id       int(10) unsigned Auto Increment
name     varchar(255)
roaster  varchar(255)
digs     int(10) unsigned
Comments:
    nothing in here `if(isset($_REQUEST['submit'])){...}` will execute. – Funk Forty Niner Jul 21 '15 at 20:09
    you also don't need `mysqli_select_db($link,"XXXXXX");` you already have set the 4 parameters in your connection – Funk Forty Niner Jul 21 '15 at 20:11
  • You are posting `$_REQUEST['submit']` but there is no input named `submit` in your HTML form, so try `$_REQUEST['digs']` instead. – Shehary Jul 21 '15 at 20:13
    Don't pass user input direct to your query, this is how SQL injections occur. Use prepared statements or at minimum escape it. a) http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php b) http://php.net/manual/en/mysqli.real-escape-string.php Actual better solution `SET digs = digs + 1` since it will always increase by `1`. No need to even have user input here. – chris85 Jul 21 '15 at 20:14
  • @shehary that worked! Thank you so much! – Mark Jul 21 '15 at 20:18
  • show a person how to fish, I always say, and make them think as to which bait and hook to use – Funk Forty Niner Jul 21 '15 at 20:19
  • Yes, DEFINITELY use prepared statements here. It's incredibly easy to alter the value of the submit button to whatever you want and post that to the sql query, allowing for sql injection. Take a look at this http://www.w3schools.com/php/php_mysql_prepared_statements.asp – Tony M Jul 21 '15 at 20:20
  • @Mark Pfaff No problem. – Shehary Jul 21 '15 at 20:22
  • so.... who's going to close 'er up? I'm just plain pooped out to write all this out. I think a double shot of espresso would be fitting. – Funk Forty Niner Jul 21 '15 at 20:22
  • what happens if someone hacks the form and makes it `value="999999999"`? Boom, instant front-page. why can't it be just `digs=digs+1`? roundtripping the increment value through the client is just BEGGING for abuse. – Marc B Jul 21 '15 at 20:23
  • @MarcB seems you're one 9 short. – Funk Forty Niner Jul 21 '15 at 20:24

1 Answer


Community Wiki because question was answered in comments.


You said that the code worked when you had input type="number". I suspect you most likely had a submit button with name="submit" that you later removed.

As a result, this statement is always false.

if(isset($_REQUEST['submit'])){

This is because your submit button has name="digs". So when you submit it, there is no $_REQUEST['submit']. Instead there will be $_REQUEST['digs'].
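Putting the answer and the comments together, here is a hardened send_formdata.php as an added example (not the asker's or answerers' code). It checks the field that actually exists (`digs`), fixes the increment server-side as chris85 and Marc B suggest so the client value is never used, and binds the only user-controlled value (an assumed hidden `name` field) through a prepared statement. Credentials and the hostname are placeholders.

```php
<?php
// Added example: hardened version of send_formdata.php.
// Assumes the `coffee` table from the question (name varchar, digs int unsigned)
// and placeholder connection details.
$link = mysqli_connect("mysql.example.com", "dbuser", "dbpass", "dbname");
if ($link === false) {
    die("failed to connect to server: " . mysqli_connect_error());
}

// The submit button is named "digs", so that is the key to test,
// not "submit" (the original isset() check was always false).
if (isset($_POST['digs'])) {
    // Which coffee to upvote. Assumed to come from a hidden <input name="name">;
    // falls back to the hard-coded value used in the question.
    $name = isset($_POST['name']) ? $_POST['name'] : 'Africa';

    // The increment is fixed here. The button's value attribute is ignored,
    // so tampering with it in the browser cannot change the amount added.
    $stmt = mysqli_prepare($link, "UPDATE coffee SET digs = digs + 1 WHERE name = ?");
    if ($stmt === false) {
        die("prepare failed: " . mysqli_error($link));
    }

    // User input is bound as a string parameter, never interpolated into SQL,
    // which closes the injection hole the comments point out.
    mysqli_stmt_bind_param($stmt, "s", $name);
    if (!mysqli_stmt_execute($stmt)) {
        die("update failed: " . mysqli_stmt_error($stmt));
    }
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);

    // affected_rows tells us whether the name matched anything.
    if ($rows === 1) {
        echo "<p class='message'>Dig counted for " . htmlspecialchars($name) . "</p>";
    } else {
        echo "<p class='message'>No coffee named " . htmlspecialchars($name) . "</p>";
    }
}
mysqli_close($link);
?>
```

Because `mysqli_connect()` already takes the database name as its fourth argument, the separate `mysqli_select_db()` call from the question is not needed.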
