
What should be happening

  • I'm having problems with passing strings using ajax. What my code should do is grab the text from the fields and pass it to "edit.php", where a query will update the database with the received data.

What's happening

  • Data from the field is being received and then instantly sent to "edit.php", where a query updates the database with the received values.

Where's the problem

  • While there are no issues with sending numbers (when all data in the field is an integer), ajax (I guess) doesn't send the data if it contains at least 1 character that is not a number.

Example of my problem

  • THIS IS WITH NUMBERS

field1 = 123

field2 = 321

query : SUCCESS

  • THIS IS WHERE PROBLEMS OCCUR

field1 = 123a

field2 = 321a

query : FAIL

Ajax Code

<script type="text/javascript">
        $('#button_save').click(function(){ 
            var edited_message_id = document.getElementById('id_message_hidden').value; 
            var edited_title = document.getElementById('user_event_title').value;
            var edited_message = document.getElementById('user_message_input').value;
            alert(edited_title.concat(edited_message));
            if(confirm("Deseja editar esta mensagem?")){
                $.ajax({
                    url: 'edit.php',
                    type: 'post',
                    data: {idmensagem:edited_message_id,
                           newtitle:edited_title,
                           newmessage:edited_message,}
                });
            };
            return false;
        });
    </script>

edit.php

<?php
session_start();

include 'connect.php';

if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }


if(!isset($_SESSION['pass'])){ //if login in session is not set
    header("Location:index.php");
    exit; // stop here; the redirect header alone does not end the script
    }

$message_id = $_POST['idmensagem'];
$new_title = $_POST['newtitle'];
$new_message = $_POST['newmessage'];

$query_update = mysqli_query($con, "UPDATE tbl_mensagens SET title_text = $new_title, txt_mensagem = $new_message WHERE id_mensagem = $message_id");

?>
  • Can you check the datatypes for your fields on that table? – Hackerman Feb 13 '17 at 19:18
  • AJAX has no issue sending strings. Something else is causing the error. As Hackerman suggests, are you certain your columns should accept strings or are they some other type? Have you checked your server logs for any errors? – Mike Cluck Feb 13 '17 at 19:20
  • @Hackerman, In the beginning I thought the same. But I still can insert in the database. I have a simple code that inserts what's in the fields. So the datatypes are correct. – Pavlo Zakharuk Feb 13 '17 at 19:22
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Feb 13 '17 at 20:08

1 Answer


You need to put strings in quotes in the SQL:

$query_update = mysqli_query($con, "UPDATE tbl_mensagens SET title_text = '$new_title', txt_mensagem = '$new_message' WHERE id_mensagem = $message_id");

But it would be better to use a prepared statement, to avoid SQL injection problems.

$query_update = mysqli_prepare($con, "UPDATE tbl_mensagens SET title_text = ?, txt_mensagem = ? WHERE id_mensagem = ?");
mysqli_stmt_bind_param($query_update, "ssi", $new_title, $new_message, $message_id);
mysqli_stmt_execute($query_update);
Barmar
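
The prepared statement from the answer above, placed in a complete edit.php, as an added example that is not part of the original answer or the asker's code. It assumes connect.php defines `$con` as in the question; the JSON response shape and status codes are assumptions made for illustration.

```php
<?php
// Added example: hardened edit.php. Assumes connect.php defines $con (a mysqli
// connection) as in the question; the JSON response shape is an assumption.
session_start();

// Make mysqli throw exceptions instead of failing silently, so a broken query
// is reported rather than looking like "ajax didn't send the data".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
include 'connect.php';

header('Content-Type: application/json');

// Stop processing for unauthenticated requests; a redirect header alone
// does not end the script.
if (!isset($_SESSION['pass'])) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'not logged in']);
    exit;
}

// Validate input: the id must be an integer, the text fields must be strings.
$message_id  = filter_input(INPUT_POST, 'idmensagem', FILTER_VALIDATE_INT);
$new_title   = $_POST['newtitle'] ?? null;
$new_message = $_POST['newmessage'] ?? null;
if ($message_id === false || $message_id === null
        || !is_string($new_title) || !is_string($new_message)) {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'invalid input']);
    exit;
}

try {
    // Placeholders keep user text out of the SQL grammar, so "123a" or a
    // title containing an apostrophe is stored as plain data.
    $stmt = mysqli_prepare($con,
        "UPDATE tbl_mensagens SET title_text = ?, txt_mensagem = ? WHERE id_mensagem = ?");
    mysqli_stmt_bind_param($stmt, "ssi", $new_title, $new_message, $message_id);
    mysqli_stmt_execute($stmt);
    // 0 rows can also mean the row already held these values.
    echo json_encode(['ok' => true, 'rows' => mysqli_stmt_affected_rows($stmt)]);
} catch (mysqli_sql_exception $e) {
    // Log details server-side; do not echo database errors to the client.
    error_log('edit.php update failed: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['ok' => false, 'error' => 'update failed']);
}
```

On the client side, adding `success` and `error` callbacks to the `$.ajax` call lets the page show these responses instead of failing without feedback.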