-2

I am pretty new to PHP and I have the following problem passing data from a form to a .php file that has to handle it.

So this is the form in the rendered page:

<form method="post" action="common/remove-booking_pc.php" class="ajax-form">
    <input id="id_booking" name="id_booking" value="5" type="hidden">

    <a href="/PandaOk/templates/default/common/remove-booking_pc.php" type="submit">
        <i class="fa fa-power-off"></i>
            Conferma
    </a>
</form>

It is what is shown looking into the browser code. As you can see it is passing a single data field, this:

<input id="id_booking" name="id_booking" value="5" type="hidden">

The passed value is 5.

So when I submit this form it is rendered by this file remove-booking_pc.php:

<?php
    $id_booking = $_POST['id_booking'];

    $result_remove_booking = $db->query("UPDATE pm_booking SET status= " . $id_booking);

?>

The problem is that the $id_booking is null and the $_POST is an empty array.

Why? What is wrong? What am I missing? How can I correctly pass this value?

Martin
AndreaNobili
  • 7
    You are not submitting the form, you would need a submit button. You are clicking a hyperlink, there is no `` – AbraCadaver May 03 '17 at 18:49
  • 1
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky May 03 '17 at 18:50
  • 3
    Side note: Your query will update your entire db without a WHERE clause, unless that's what you want. – Funk Forty Niner May 03 '17 at 18:50
  • 2
    In short _You have a long way to go to complete this page_ – RiggsFolly May 03 '17 at 18:51
  • 1
    Possible duplicate of [Is it safe to use anchor to submit form?](http://stackoverflow.com/questions/7983076/is-it-safe-to-use-anchor-to-submit-form) – Don't Panic May 03 '17 at 18:56

2 Answers

2

Your submit is an anchor, not a form submission, so the receiving page will never receive any POST data.

Simply replace your anchor with a button [or input] of the type submit and the form will be submitted as expected.

<form method="post" action="common/remove-booking_pc.php" class="ajax-form">
    <input id="id_booking" name="id_booking" value="5" type="hidden">

    <button type="submit" class="fa fa-power-off" value="Submit">Conferma</button>

</form>

Other things you should be considering:

  • Your form is vulnerable to Cross Site Request Forgery [CSRF]

  • Your database is vulnerable to SQL injection. Use Prepared Statements.

  • As pointed out by Fred, your SQL (UPDATE pm_booking SET status=) currently will update every row in the table, without any qualification. Use WHERE in your SQL.

  • If dealing with file uploads, your HTML form should as best practice have an enctype value.

    <form enctype='multipart/form-data' ... >
    
Martin
  • 1
    *"Your HTML form should as best practise have an enctype value. Typically
    "* - This only applies when dealing with files. Edit: This comment as per http://stackoverflow.com/revisions/43767890/2
    – Funk Forty Niner May 03 '17 at 19:00
  • @Fred-ii- no worries. Although I'm not sure when there would be reasons *not* to use that enctype? – Martin May 03 '17 at 19:04
  • If files aren't being handled, why the extra keystrokes? Saving my fingers for playing more notes ♫ on my guitar ;-) – Funk Forty Niner May 03 '17 at 19:05
  • [I did read this](http://stackoverflow.com/questions/1039166/why-not-always-use-enctype-multipart-form-data), but as for keystrokes, I forget some people still type forms out manually, I have auto complete, I write `
    ` (obviously I adjust the action and add a name)
    – Martin May 03 '17 at 19:07
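
The points listed in the answer above (CSRF token, prepared statement, WHERE clause) combined in one handler, as an added example that is not part of the original answer or its comments. The `id` key column, the status value `0`, the hidden `csrf_token` field and the in-memory SQLite table are assumptions made so the example runs on its own.

```php
<?php
declare(strict_types=1);

// Assumptions (not from the original post): the key column is `id`, the
// "removed" status value is 0, and the form also posts a hidden `csrf_token`
// field whose value was stored in the session when the form was rendered.
function removeBooking(PDO $db, array $post, array $session): bool
{
    // CSRF: reject requests that do not carry the per-session token.
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        return false;
    }

    // Validate the identifier as a positive integer before touching the DB.
    $id = filter_var($post['id_booking'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // Prepared statement with bound parameters, and a WHERE clause so that
    // only the requested row is updated instead of the whole table.
    $stmt = $db->prepare('UPDATE pm_booking SET status = :status WHERE id = :id');
    $stmt->execute([':status' => 0, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pm_booking (id INTEGER PRIMARY KEY, status INTEGER)');
$db->exec('INSERT INTO pm_booking (id, status) VALUES (4, 1), (5, 1), (6, 1)');

$session = ['csrf_token' => bin2hex(random_bytes(32))];
$token = $session['csrf_token'];

// A valid submission for booking 5, then two requests the handler refuses:
// a non-integer id_booking and a request without the CSRF token.
var_dump(removeBooking($db, ['id_booking' => '5', 'csrf_token' => $token], $session));
var_dump(removeBooking($db, ['id_booking' => '5 OR 1=1', 'csrf_token' => $token], $session));
var_dump(removeBooking($db, ['id_booking' => '6'], $session));

// Final table contents, to confirm which rows were touched.
print_r($db->query('SELECT id, status FROM pm_booking ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

In a real page the two array arguments would be `$_POST` and `$_SESSION`, with the token generated once per session and echoed into the form as a hidden input.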
1

You need a button to submit the form; in this case you are using an href hyperlink. Example below:

<input type="Submit" name="Submit" value="Submit">
Don't Panic
yardie
  • 2
    *"OR Make it simple: "* - You should have left it the way it was; without that. Those only work in JS/ajax. Edit: This comment as per original post http://stackoverflow.com/revisions/43767893/1 – Funk Forty Niner May 03 '17 at 18:52