-2

I am getting an error in my code where essentially my user input isn't being read and I'm not sure why. I used isset and it skips over; that means that the user input isn't being read in, right? Any ideas as to why not? For reference, when I submit the form I get another error which says 'Notice: Undefined variable: bound in C:\xampp\htdocs\editartist.php', but I think that's down to the fact that when you search you no longer have the id anymore. I've left a bit of code to show.

    <?php
    if(isset($_GET['id']))
    {   
        $artistID = fix_string($_GET['id']);
        $sql = ("SELECT artName FROM artist WHERE artID = '$artistID' ");
        $result = $conn->prepare($sql);
        $result->execute();
        $result->bind_result($bound);
        $result->fetch();
    }
    else {
        echo "this is broken";
    }
    ?>
    <form method="post" action="editartist.php"/>
    <?php echo '<input type="text" name="artistname" value= "'.$bound.'">' ?>
    <input type="submit" value="Save"/>
    </form>

    <?php   
    if(isset($_GET['id'])) {
        if(isset($_GET['artistname'])) {
            $userinput = $_GET['artistname']; 
            echo "$userinput $artistID";
            $sqltwo = ("UPDATE artist SET artName='$userinput' WHERE artID='$artistID'");
            $stmt = $conn->prepare($sqltwo);
            $stmt->execute();
        } else {
            echo "this is broken 2";
        }
    }
    ?>

This isn't a duplicate; it's not asking about the 2nd error. The primary question is why the user input isn't being read?

Chunelle

1 Answer

0

Because you are using the POST method in the HTML form, while the PHP is waiting for the GET method.

I rewrote your code, assuming you are sending the ID in the GET request, as below:

    <?php
    if(isset($_GET['id']))
    {   
        $artistID = fix_string($_GET['id']);
        $sql = ("SELECT artName FROM artist WHERE artID = '$artistID' ");
        $result = $conn->prepare($sql);
        $result->execute();
        $result->bind_result($bound);
        $result->fetch();
    }
    else {
        echo "this is broken";
    }
    ?>
    <form method="post" action="editartist.php"/>
    <?php echo '<input type="text" name="artistname" value= "'.$bound.'">' ?>
    <input type="submit" value="Save"/>
    </form>

    <?php   
    // no need to check for the id here, assuming you are posting data now,
    // and you already checked at the top of the script for $_GET['id']
    if(isset($_POST['artistname'])) {
        $userinput = $_POST['artistname']; 
        echo "$userinput $artistID";
        $sqltwo = ("UPDATE artist SET artName='$userinput' WHERE artID='$artistID'");
        $stmt = $conn->prepare($sqltwo);
        $stmt->execute();
    } else {
        echo "this is broken 2";
    }

    ?>

You need to consider sanitizing (Sanitize filters)

and properly binding params :)

Hatem Ahmed
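The binding and output escaping that the answer's closing remark points to, as an added example that is not code from either poster: both queries use bound parameters, the id travels with the POST in a hidden field so it is still available on save, and the stored name is HTML-escaped before it is echoed into the form. The connection credentials, the database name, the hidden `id` field and the 100-byte name limit are assumptions.

```php
<?php
// Added example; connection details below are placeholders, not from the page.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'db_user', 'db_password', 'music'); // assumed

// The id arrives via GET on first load and via the hidden POST field on save.
$isPost   = $_SERVER['REQUEST_METHOD'] === 'POST';
$artistID = filter_input($isPost ? INPUT_POST : INPUT_GET, 'id', FILTER_VALIDATE_INT);
if (!is_int($artistID)) {            // null = missing, false = not an integer
    http_response_code(400);
    exit('Missing or invalid artist id');
}

if ($isPost) {
    // A non-scalar "artistname" yields false, which becomes '' and is rejected.
    $name = trim((string) filter_input(INPUT_POST, 'artistname'));
    if ($name === '' || strlen($name) > 100) {   // assumed column limit
        http_response_code(400);
        exit('Invalid artist name');
    }
    // User input is passed as a bound parameter, never spliced into the SQL text.
    $stmt = $conn->prepare('UPDATE artist SET artName = ? WHERE artID = ?');
    $stmt->bind_param('si', $name, $artistID);
    $stmt->execute();
    $stmt->close();
}

// Load the current name; $bound is initialised so the form never sees an
// undefined variable when no row matches.
$bound = '';
$stmt = $conn->prepare('SELECT artName FROM artist WHERE artID = ?');
$stmt->bind_param('i', $artistID);
$stmt->execute();
$stmt->bind_result($bound);
$stmt->fetch();
$stmt->close();
?>
<form method="post" action="editartist.php">
    <input type="hidden" name="id" value="<?= $artistID ?>">
    <input type="text" name="artistname"
           value="<?= htmlspecialchars((string) $bound, ENT_QUOTES, 'UTF-8') ?>">
    <input type="submit" value="Save">
</form>
```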