1

I'm making a comment system and I would like the ability for a user to edit them. I have already made a posting system that works and a deletion system that works. When I try to update the post though it redirects me to the ?edit_success url. It just doesn't update the post however.

The form that takes the user to the update page.

<form class='edit-form' method='POST' action='editmessage.php'>
                <input type='hidden' name='cid' value='".$row['cid']."'>
                <input type='hidden' name='uid' value='".$row['uid']."'>
                <input type='hidden' name='date' value='".$row['date']."'>
                <input type='hidden' name='content' value='".$row['content']."'>
                <button>Edit</button>
            </form>

After the form is submitted it goes to this php file

<?php include('header.php'); ?>

    <body>
        <div class="container">
        <?php

        $cid = $_POST['cid'];
        $uid = $_POST['uid'];
        $date = $_POST['date'];
        $content = $_POST['content'];

  echo "<form method='POST' action='includes/edit_post.inc.php'>
        <input type='hidden' name='uid' value='".$_SESSION['username']."'>
        <input type='hidden' name='date' value='".date(' Y-m-d  ')."'>
        <textarea class='ckeditor' name='content2'></textarea>
        <br>
        <button type='submit' class='btn btn-default' name='submit_vault_edit'>Edit</button>
    </form>";
?>
            </div>

    <?php include('footer.php'); ?>

After this form is entered it goes to the php script that updates post

<?php
include 'dbh.php';

    if (isset($_POST['submit_vault_edit'])) {
        $cid = $_POST['cid'];
        $uid = $_POST['uid'];
        $date = $_POST['date'];
        $content = $_POST['content2'];

        $sql = "UPDATE vaults SET content='$content' WHERE cid='$cid'";
        $result = mysqli_query($conn, $sql);

        header("Location: http://www.generationdiary.com/user_vault.php?editsuccess");
    }

All my database connections are correct and everything is set up in that sense I just think I have a problem in my last bit of code (Code Block 3)

cosmichero2025
  • 1,029
  • 4
  • 14
  • 37
  • 1
    You have not pass `$cid` from post method!! – Saty Apr 14 '17 at 07:29
  • OMG!!! How did I miss that thank you good sir! – cosmichero2025 Apr 14 '17 at 07:31
  • 1
    never trust data coming from users -> you should **really** consider using [PPS : Prepared Parameterized Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). This will help [Preventing SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). It helps also to use `error_reporting(E_ALL); ini_set('display_errors', 1);` on top of your pages and let PHP warn you. As stated by @Saty, it seems like you miss a $var – OldPadawan Apr 14 '17 at 07:31

1 Answers1

1

You have not pass cid value from second part of code.

you can add it as

<input type='hidden' name='cid' value='".$cid."'>

Your code is open for valnurable sql injection

Check How can I prevent SQL injection in PHP? to prevent it.

Community
  • 1
  • 1
Saty
  • 22,443
  • 7
  • 33
  • 51
  • Oh I was actually going to ask about that but the textarea that I use uses ckeditor to style the posts so when i use mysqli_real_escape_string on it the user would see the styling tags with their text. Oh and I already have protection from that on my log in/registration forms this is the only one that doens't. – cosmichero2025 Apr 14 '17 at 07:39
  • instead of `mysqli_real_escape_string` you can use [Prepare Statement](http://php.net/manual/en/mysqli.prepare.php) – Saty Apr 14 '17 at 07:42