1

I'm creating a webpage that loads a random product from one table (the "Products" table) from my database every time the page reloads. The logged in user (the user must be logged in) can choose to add that product to their personal favorites or not (stored in the "Favorites" table). Every time the user clicks the corresponding button to add that product to their favorites the webpage reloads and shows another new random item. The problem is that the webpage probably reloads before the query is executed, so the 'new' item is added to their favorites instead. Does anyone know how I can solve this? This is what I got so far:

HTML

<form method="get">
    <button type="submit" name="like">
    <img class="add-to-favorites" src="image.png">
    </button>
</form>

PHP

header("Cache-Control: no-cache, must-revalidate");
session_start();
include_once 'dbconnect.php';

$user_id = ($_SESSION['user']);

$sSQLQuery = "SELECT product_id FROM Products ORDER BY RAND()";
$aResult = mysql_query($sSQLQuery);  
$aRow = mysql_fetch_array($aResult, MYSQL_ASSOC);
$productid = $aRow['product_id'];  


if(isset($_GET['like'])){
$SQL = "INSERT INTO Favorites(user_id,product_id)
VALUES('$user_id','$aRow[product_id]')";
$result = mysql_query($SQL);
}
Coen3000

3 Answers

0

Firstly, PDO... Always :P.


But to answer your question, you need to send the product_id along with $_GET['like'], so you know which product they selected, since you're randomly selecting one from the database on every load.

In its current state, that is your best option. But please consider moving to PDO especially since you mention logged in users and products.


How can I prevent SQL injection in PHP?

*Link credits to Sean (comment)

Anees Saban
  • Don't link to w3schools, when there is a better example on SQL injection right here on SO - [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Sean Dec 29 '15 at 22:40
  • ^^ Thanks, I looked up and found a few but they weren't good examples. – Anees Saban Dec 29 '15 at 22:45
0

Your problem is that when the page refreshes, you first get new data from the database and then save the old data - which is replaced by the new data.

Obviously you need to transfer the old product-id in the GET-Parameters. There are many options to do this, for example creating a hidden field.

echo "<input type=\"hidden\" name=\"oldProductId\" value=\"$productid\">";

You can then access it when the page reloads with

$_GET['oldProductId']

and write it to the favorites-table.

Bobface
0

Well, actually your PHP code only gets a random item and then saves it if the user clicked like. You should output the product ID on the form like this:

<form method="get">
    <input type="hidden" name="current_product_id" value="<?php echo $productid; ?>">
    <button type="submit" name="like">
    <img class="add-to-favorites" src="image.png">
    </button>
</form>

Where <?php echo $productid; ?> has the ID of the new random product.

Your PHP should go in this order and with these values:

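if(isset($_GET['like'])){
    // The hidden field is client-controlled, so escape it before it goes into the query string
    $liked_id = mysql_real_escape_string($_GET['current_product_id']);
    $SQL = "INSERT INTO Favorites (user_id,product_id) VALUES ('$user_id','$liked_id')";
    $result = mysql_query($SQL);
}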

$sSQLQuery = "SELECT product_id FROM Products ORDER BY RAND()";
$aResult = mysql_query($sSQLQuery);  
$aRow = mysql_fetch_array($aResult, MYSQL_ASSOC);
$productid = $aRow['product_id'];

So now, if you click on like, the $_GET['current_product_id'] will have the current product and then I output the new random product ID in the hidden input so that the next item works too!

Also: important, consider using mysqli_* functions instead of mysql_* functions because these last ones are deprecated :)

Zeke
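
The fix the answers describe (send the displayed product's ID with the form, save it, then draw the next random product), written with the PDO prepared statements the first answer recommends. This is an added example, not code from any answer. The function names, the user ID 42 and the in-memory SQLite database are assumptions so it runs offline, and the random pick uses COUNT plus OFFSET instead of ORDER BY RAND() so the same SQL works on SQLite and MySQL.

```php
<?php
// Added example: table/column names are from the question; the in-memory
// SQLite database, sample rows and function names are constructed.

// Store the product the user was actually looking at. $rawId comes from the
// hidden form field, so it is untrusted: validate it, then bind it.
function saveFavorite(PDO $pdo, int $userId, $rawId): bool
{
    $productId = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($productId === false) {
        return false;                           // not a positive integer
    }
    $check = $pdo->prepare('SELECT 1 FROM Products WHERE product_id = ?');
    $check->execute([$productId]);
    if ($check->fetchColumn() === false) {
        return false;                           // well-formed but unknown product
    }
    $ins = $pdo->prepare('INSERT INTO Favorites (user_id, product_id) VALUES (?, ?)');
    return $ins->execute([$userId, $productId]);
}

// Pick the next product to display (portable alternative to ORDER BY RAND()).
function randomProductId(PDO $pdo): ?int
{
    $count = (int) $pdo->query('SELECT COUNT(*) FROM Products')->fetchColumn();
    if ($count === 0) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT product_id FROM Products ORDER BY product_id LIMIT 1 OFFSET ?');
    $stmt->bindValue(1, random_int(0, $count - 1), PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Products (product_id INTEGER PRIMARY KEY)');
$pdo->exec('CREATE TABLE Favorites (user_id INTEGER, product_id INTEGER)');
$pdo->exec('INSERT INTO Products (product_id) VALUES (1), (2), (3)');

// Same order as the page request: save the liked product first, then draw the next one.
var_dump(saveFavorite($pdo, 42, '2'));            // ID as sent by the form
var_dump(saveFavorite($pdo, 42, "2' OR '1'='1")); // constructed malformed value
var_dump(saveFavorite($pdo, 42, '999'));          // ID not present in Products
$next = randomProductId($pdo);                    // goes into the hidden field
printf('<input type="hidden" name="current_product_id" value="%d">' . "\n", $next);
```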