2

I am trying to make a discussion forum where people ask questions and others reply. I am also trying to make a provision where people can reply to a reply (like that in Facebook). But when I am trying to add the reply id to the table of reply-to-a-reply, every time the reply id goes 0. I tried to echo the reply id, it shows me the correct id but whenever I am trying to add it to the database the reply id goes 0. I am passing the id of a reply id as follows:

```php
while($reply=mysql_fetch_array($rep))
{
    $rid=$reply['rid'];
    echo "<form method='POST'>";
    $e=$reply['email'];
    $rid=$reply['rid'];
    echo "<input type='hidden' value='$e' name='report_user'>";
    echo "<input type='hidden' value='$rid' name='report_id'>";
    $q="SELECT fname,lname FROM register WHERE email='$e'";
    $sql=mysql_query($q);
    $r=mysql_fetch_array($sql);
    echo "<b>".$r[0]." ".$r[1]." - </b>".$reply['reply']."&nbsp;<input type='submit' formaction='report.php' value='X' title='Report Post' class='imgR' name='sub'>";
    if($e!=$email)
        echo "<input type='submit' name='reply_t' formaction='r.php' value='Reply' title='reply' class='imgRl' name='sub'><input type='hidden' name='rid' value='$rid'><br><br>";
```

Now the reply-to-a-reply goes by pressing the button "Reply" as a formaction to 'r.php'. r.php receives reply id as follows:

```php
$rid=$_REQUEST['rid'];
$reply=$_REQUEST['reply'];
$email=$_SESSION['email'];
if(empty($reply))
    $flag=0;
else{
    $query="INSERT INTO reply VALUES('','$reply','$email','$rid','')";
    mysql_query($query);
    $flag=1;
}
```

Please tell me what to rectify here.

RiggsFolly
Shivangi
  • 2
    FYI, [you shouldn't use `mysql_*` functions in new code](http://stackoverflow.com/questions/12859942/). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [red box](http://php.net/manual/en/function.mysql-connect.php)? Learn about [*prepared statements*](https://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which one is best for you. – John Conde Apr 24 '17 at 12:55
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Apr 24 '17 at 12:55
  • 2
    You don't know what's wrong because you don't check for errors in your code. Never assume the code is always going to work flawlessly. Use [`mysql_error()`](http://php.net/manual/en/mysql.error.php) to get a detailed error message from the database. – John Conde Apr 24 '17 at 12:55
  • @JohnConde please tell me how to use mysql_error() and where to use it. – Shivangi Apr 24 '17 at 14:52
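The comments above recommend prepared statements and checking for database errors. The following is an added example, not code from this thread: it uses PDO exceptions in place of `mysql_error()`, and the function name `saveReply`, the column names, and the in-memory SQLite database (used so it runs without a server) are assumptions.

```php
<?php
// Added example, not the asker's code. Table and column names are assumed.
// In-memory SQLite keeps it runnable offline; against MySQL you would
// connect with a mysql: DSN and skip the CREATE TABLE.
$pdo = new PDO('sqlite::memory:');
// Make every failed query throw instead of failing silently.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE reply (id INTEGER PRIMARY KEY AUTOINCREMENT,
    reply TEXT NOT NULL, email TEXT NOT NULL, rid INTEGER NOT NULL)');

// Store a reply-to-a-reply and return the new row id (hypothetical helper).
function saveReply(PDO $pdo, array $post, string $email): int
{
    // Accept only a positive integer parent id, so a missing or
    // non-numeric value is rejected instead of being stored as 0.
    $rid = filter_var($post['rid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($rid === false) {
        throw new InvalidArgumentException('rid missing or not a positive integer');
    }
    $reply = trim((string) ($post['reply'] ?? ''));
    if ($reply === '') {
        throw new InvalidArgumentException('reply text is empty');
    }
    // Named columns and bound parameters: input never becomes SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO reply (reply, email, rid) VALUES (:reply, :email, :rid)');
    $stmt->bindValue(':reply', $reply, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':rid', $rid, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST and $_SESSION['email'].
$samples = [
    ['rid' => '7', 'reply' => "That's the reply I meant"],
    ['reply' => 'no parent id was sent'],
    ['rid' => 'abc', 'reply' => 'parent id is not a number'],
];
foreach ($samples as $post) {
    try {
        $id = saveReply($pdo, $post, 'user@example.com');
        echo "stored row $id\n";
    } catch (InvalidArgumentException | PDOException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```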

1 Answer

0

Use the $_POST superglobal array to get the report id. Put another attribute called action in the form tag, as shown below:

```php
$rid=$_POST['report_id'];
```

kalsara Magamage