0

I have a problem in showing the alert box. This code for the rating star.

rating.js

$(document).ready(function(){
    $('.post li').mouseout(function(){  
        $(this).siblings().andSelf().removeClass('selected highlight')  
    }).mouseover(function(){
        $(this).siblings().andSelf().removeClass('selected');
        $(this).prevAll().andSelf().addClass('highlight');          
    })


    $('.post li').click(function(){
        $(this).prevAll().andSelf().addClass('selected');
        var parent = $(this).parent();      
        var oldrate =  $('li.selected:last', parent).index();

        parent.data('rating',(oldrate+1))
        data = new Object();
        data.id = parent.data('id');

        data.rating = parent.data('rating')

        $.ajax({
            url: "add_rating.php",// path of the file
            data: data,
            type: "POST",
            success: function(data) {    
            }
        });
    })  

    /* reset rating */
    jQuery('.post ul').mouseout(function(){ 
        var rating = $(this).data('rating');
        if( rating > 0) {
            $('li:lt('+rating+')',this).addClass('selected');
        }
    })
})

add_rating.php

<?php
include("dbconnection.php");
session_start();

$myid = $_SESSION['id'];

// echo "".$myid;

$sql_notification ="SELECT * FROM table_user_skills where user_id='$myid' and rating=5";
$result = $conn->query($sql_notification);
$count = 0;

while ($row=$result->fetch_assoc()) {
    if ($row['rating']==5) {
        $count = $count +1;
    }  
}

// echo "Count: ".$count;

if(!empty($_POST["rating"]) && !empty($_POST["id"])) {
    $myrate=$_POST["rating"];

    if($count<5){
        $query ="UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' where rating_id='".$_POST['id']."'";
        $result = $conn->query($query);
        print '<script type="text/javascript">';
        print 'alert("Less than 5");';
        print '</script>';
    } else if($myrate<5){
        $query ="UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' where rating_id='".$_POST['id']."'";
        $result = $conn->query($query);
        print '<script type="text/javascript">';
        print 'alert("Rate Less than 5");';
        print '</script>';
    }else if($count>5){
        print '<script type="text/javascript">';
        print 'alert("Lpas 5 stars");';
        print '</script>';
    }

    // $query ="UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' WHERE skills_id='" . $_POST["skills_id"] . "'";
    // $query ="UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' WHERE user_id='" . $_POST["userid"] . "' and skills_id='" . $_POST["id"] . "' and category_id='" . $_POST["category"] . "'";
}
?>

My problem is that the alert box is not showing. I have to limit the number of 5 stars being updated. If anyone could help me figure out what's wrong with my code, I would appreciate it.

Rasclatt
  • 12,498
  • 3
  • 25
  • 33
Seulgi Bear
  • 73
  • 1
  • 2
  • 10
  • 1
    Are you getting any response back from the AJAX call? Wouldn't it be easier to `print 'Less than 5'` and then in your AJAX success method, `alert(data);`? Right now you're returning that whole ` – neilsimp1 Jun 30 '16 at 15:50
  • that while() loop just to increment $count is a painful waste of resources. why can't you do `select count(*) ... rating=5`, or even just `$count = $result->rowcount`? – Marc B Jun 30 '16 at 15:50
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jun 30 '16 at 15:53
  • im getting a response when i put alert box inside js near the success:function(data). but i dont know how to show the alert box from the external php file which i have put a lot of condition – Seulgi Bear Jun 30 '16 at 15:53
  • Jay Blanchard .. im new with php and javascript can you expand what do you mean by that? – Seulgi Bear Jun 30 '16 at 15:55
  • @JayBlanchard is saying don't add raw input into an sql statement like this: `"UPDATE table_user_skills SET rating='" . $_POST["rating"] . "' where rating_id='".$_POST['id']."'"`. Someone can put their own sql into the input and modify/damage/destroy your database table(s). – Rasclatt Jun 30 '16 at 15:57
  • i will try that neilsimp1 :) – Seulgi Bear Jun 30 '16 at 15:57
  • @Rasclatt what should i do? should i pass the $_post["rating"] first into a variale? – Seulgi Bear Jun 30 '16 at 15:58
  • You need to "bind" parameters or values. Look up "bind parameters." – Rasclatt Jun 30 '16 at 15:59
  • @Rasclatt like this ---> $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); $stmt->bind_param('sssd', $code, $language, $official, $percent); $code = 'DEU'; $language = 'Bavarian'; $official = "F"; $percent = 11.2; /* execute prepared statement */ $stmt->execute(); – Seulgi Bear Jun 30 '16 at 16:03
  • im getting confused.. – Seulgi Bear Jun 30 '16 at 16:05
  • thanks for the response guys.. i will try all your suggestions :) please be with me – Seulgi Bear Jun 30 '16 at 16:06
  • Thanks.. @neilsimp1 your suggestion works.. thank you so much.. :) – Seulgi Bear Jun 30 '16 at 16:07
  • For now i need to try the bind parameters for a safety of my database :) – Seulgi Bear Jun 30 '16 at 16:08

1 Answers1

0

Look at the success callback function for your AJAX call - it's empty. You're having PHP print out the alert box code in the ajax call and then never doing anything with that output.

To make the alert show up, you would have to append the code your AJAX call returns to the DOM. However, it would probably be better to just return just the message and let the JavaScript code take care of raising the alert box. Just a simple alert(data) should do the trick.

Peter Geer
  • 1,132
  • 1
  • 6
  • 11