
I have read multiple solutions to this problem, yet none of them seem to work for me. I have two files, manageadmin.php and rejectaction.php. The manageadmin.php file provides a button to the user to reject an admin. When a person clicks on the reject button, the admin status must be set to zero.

Here is my initial code

manageadmin.php

<script type="text/javascript">
$(document).ready(function()
    {
       /* reject */
       $(".reject_btn").click(function(){

         var element = $(this);
         var reject_id = element.attr('reject_id');
         $.ajax({
            type: "POST",
            url: "rejectaction.php",
            data: {reject_id:reject_id},
            success: function(){
                alert("Reject Successful");
                location.reload();
            }
         });

       });
    });
</script>

rejectaction.php

    <?php
    // Receives the id posted by the AJAX call and marks that admin as rejected
    $reject_id=$_POST['reject_id'];
    $reject_query="UPDATE tbl_admin set admin_status=0 where admin_id='$reject_id'";
    mysql_query($reject_query);

This works fine, but then I realized that I needed this reject code for multiple pages. So I thought of passing the table name, the column to be updated and the column to be checked in the where condition as parameters. This is the modified code:

<script type="text/javascript">
$(document).ready(function()
    {
       /* reject */
       $(".reject_btn").click(function(){

         var element = $(this);
         var reject_id = element.attr('reject_id');
         var tbl_name = "tbl_admin";
         var column_reject = "admin_status";
         var column_cond = "admin_id";
         $.ajax({
            type: "POST",
            url: "rejectaction.php",
            data: {reject_id:reject_id, tbl_name:tbl_name, 
                column_cond:column_cond,
                column_reject:column_reject},
            success: function(){
                alert("Reject");
                location.reload();
            }
         });

       });
    });
</script>

rejectaction.php

    <?php
    // Same endpoint, now taking the table name and both column names from the request as well
    $reject_id=$_POST['reject_id'];

    $tbl_name = $_POST['tbl_name'];
    $column_cond = $_POST['column_cond'];
    $column_reject = $_POST['column_reject'];

    // Table and column names are wrapped in single quotes here, the same way as the value
    $reject_query="UPDATE '$tbl_name' set '$column_reject' = 0 where '$column_cond'='$reject_id'";

    // Previous, working version of the query kept for reference:
    // $reject_query="UPDATE tbl_admin set admin_status=0 where admin_id='$reject_id'";
    mysql_query($reject_query);

This code is not working (that is, the status is not getting updated), but the alert("Reject Successful") is getting executed. I am a beginner. Could anyone point out the mistake I have made? Thanks

Janaky Murthy
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 24 '16 at 15:30
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 24 '16 at 15:30
  • Have you watched the AJAX request / response in the browser's developer tools? Have you included the jQuery library in the project? Are there any errors reported? Are you running this on a web-server? – Jay Blanchard Oct 24 '16 at 15:30
  • Do yourself a favor, simply place a `print_r($_POST)` or `var_dump($_POST)` in the PHP page which receives the form submission. Fill out your form, submit and look closely at the data printed to the screen. Familiarize yourself with how form data is posted to scripts, including what gets passed and what doesn't. – Jay Blanchard Oct 24 '16 at 15:31
  • Now that they properly advised you to not use mysql_*, you should check the result status of the query. Also check if the query is properly formed. – Leonardo Paglialunga Oct 24 '16 at 15:31
  • Thank you all, The problem is solved but now I am learning how to prevent sql injection. – Janaky Murthy Oct 24 '16 at 16:18
  • @JayBlanchard So should I not send client data that may affect the database via AJAX? Should I resort to using prepared statements? What if I want to use AJAX ? – Janaky Murthy Oct 24 '16 at 18:05
  • They're two separate things. You can still send an AJAX request to a PHP script which uses prepared statements. – Jay Blanchard Oct 24 '16 at 18:06
  • @JayBlanchard I am not able to understand. Could you please explain. SQL Injection happens when attacker injects something dangerous into the sql string. In this case we are passing only parameters. How can SQL Injection happen? I am able to understand that by using prepared statements we can bind parameters to variables. – Janaky Murthy Oct 24 '16 at 18:17
  • [read this](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Oct 24 '16 at 18:18
  • So I can still prevent SQL injection by sending parameters via AJAX if I combine the parameters with a compiled SQL statement rather than a plain string. Is my understanding correct? – Janaky Murthy Oct 24 '16 at 18:25

1 Answer


Apart from the (good) advice you received in comments [also look under this answer], your main issue here is probably the fact that you wrapped $table_name, $column_reject, and $column_cond between quotes.

You should write:

$reject_query =
    "UPDATE $tbl_name set $column_reject = 0 where $column_cond='$reject_id'";
cFreed
  • Thanks for pointing out my mistake. That was really a silly mistake to make!! – Janaky Murthy Oct 24 '16 at 16:20
  • @JanakyMurthy Glad to help. So might you consider accepting my answer? – cFreed Oct 24 '16 at 16:25
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Oct 24 '16 at 18:07
  • @JayBlanchard Why this comment here? My answer only proposed the correction of the text of a query. More: I however also cited the "(good) advice received" about risk. – cFreed Oct 24 '16 at 18:32
  • Yes, you did cite the good advice. I just want to make sure that, while your answer is correct, we do not promote bad coding habits. – Jay Blanchard Oct 24 '16 at 18:34
  • @JayBlanchard Oh, ok. To be clear, I'd been a bit surprised due to the formula "_your_ script is at risk", while it's not mine! Now I understand your will, so I edited my answer to enforce the presence of the advice. – cFreed Oct 24 '16 at 18:47
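The hardened endpoint the comments call for, as an added example that is not part of the question or answer: the id is bound through a PDO prepared statement, while the table and column names, which cannot be bound as parameters, come from a server-side allow-list keyed by an action name (so the browser would post `action` instead of `tbl_name`/`column_reject`/`column_cond`). `REJECT_TARGETS`, `quoteIdent`, `rejectRecord` and the `action` field are names chosen here, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the question or answer: a hardened rejectaction.php.
// Identifiers cannot be bound as prepared-statement parameters, so the browser sends
// an action name that the server maps to an allow-listed table/column pair; only the
// id travels as a bound parameter. Assumes PDO, with in-memory SQLite standing in for MySQL.

const REJECT_TARGETS = [
    // action => [table, status column, key column]  (constructed sample mapping)
    'admin' => ['tbl_admin', 'admin_status', 'admin_id'],
    'user'  => ['tbl_user',  'user_status',  'user_id'],
];

function quoteIdent(string $name): string
{
    // Allow-listed names are still restricted to plain identifier characters and
    // backtick-quoted (MySQL style; SQLite accepts the same quoting).
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Bad identifier: $name");
    }
    return '`' . $name . '`';
}

function rejectRecord(PDO $db, string $action, string $id): int
{
    if (!isset(REJECT_TARGETS[$action])) {
        throw new InvalidArgumentException("Unknown reject action: $action");
    }
    if (!preg_match('/^\d+$/', $id)) {   // admin_id is an integer key in the question
        throw new InvalidArgumentException("Bad id: $id");
    }
    [$table, $statusCol, $keyCol] = REJECT_TARGETS[$action];
    $sql = sprintf('UPDATE %s SET %s = 0 WHERE %s = :id',
        quoteIdent($table), quoteIdent($statusCol), quoteIdent($keyCol));
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => (int) $id]);
    return $stmt->rowCount();   // 0 means nothing was rejected; the caller should report that
}

// Stand-alone demo with constructed data (in the real page these values come from $_POST).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_admin (admin_id INTEGER PRIMARY KEY, admin_status INTEGER)');
$db->exec('INSERT INTO tbl_admin VALUES (7, 1)');
$post = ['action' => 'admin', 'reject_id' => '7'];   // constructed request body
echo json_encode(['updated' => rejectRecord($db, $post['action'], $post['reject_id'])]), "\n";
// A request naming a table directly is refused before any SQL is built:
try {
    rejectRecord($db, 'tbl_admin', '7');
} catch (InvalidArgumentException $e) {
    echo json_encode(['error' => $e->getMessage()]), "\n";
}
```

Returning `rowCount()` to the AJAX caller instead of an unconditional success also fixes the other symptom in the question: the "Reject Successful" alert fired even though no row had been updated.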