
I'm trying to create an upvote system where, after checking to see if you're logged in and after getting your userid, it checks if the table has your userid with the postid already in it and if it does then it means it was already upvoted. I just want to know what's wrong in my code, this is being used for learning, I don't need any complex thing.

Code:

    if (isset($_GET['upvote'])) {
        if ($_SESSION["loggedin"] == true) {
                $upvoteid = $_GET["upvote"];
                $servername = "";
                $username = "";
                $password = "";
                $dbname = "";

                // Create connection
                $conn = new mysqli($servername, $username, $password, $dbname);
                // Check connection
                if (!$conn) {
                        die("Connection failed: " . $conn->connect_error);
                } 

                $sql = "SELECT id FROM users WHERE username=".$_SESSION["loggedinusername"];
                $result = $conn->query($sql);

                if ($result->num_rows > 0) {
                        while($row = $result->fetch_assoc()) {
                                $userid = $row["id"];
                        }
                        $sql2 = "SELECT userid, postid FROM upvotedposts WHERE userid='".$userid."' AND postid='".$upvoteid."'";
                        $result2 = $conn->query($sql);

                        if (!$result2->numrows > 0) {
                                $sql = "UPDATE posts SET upvotes = upvotes + 1 WHERE id = ".$upvoteid;
                                if ($conn->query($sql) === TRUE) {
                                        echo "Sucessfully upvoted";
                                } else {
                                        echo "Error: " . $sql . "<br>" . $conn->error;
                                }
                        }
                } else {                                           
                        echo "Failed;
                }
                $conn->close();
        }

   }

When I do click the upvote button, it simply does nothing. The issue here is that as far as I know it looks like it would work but I may be forgetting something that I am unaware of or incorrectly using something.

Prince
  • 1
    Strings, like `$_SESSION["loggedinusername"]`, need to be quoted. You are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). This will also fix your pesky quoting issue. – aynber Jun 30 '17 at 18:32
  • Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) – aynber Jun 30 '17 at 18:35
  • 1
    **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jun 30 '17 at 18:41
  • Is *username* a string column? Are *userid* and *postid* integer columns? If so, your query assumes the opposite of these fields. – Parfait Jun 30 '17 at 20:14

1 Answer


You are missing a closing "

    echo "Failed;

should be:

    echo "Failed";

The Codesee
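The prepared-statement approach recommended in the comments, applied to the question's upvote flow, as an added example that is not part of the original posts. It also records the vote in `upvotedposts`, which the question's code never writes to, so the "already upvoted" check has something to find. Table and column names are taken from the question; the connection values are placeholders, and integer `id`, `userid` and `postid` columns are an assumption.

```php
<?php
// Added example: the question's upvote flow with bound parameters.
// Table/column names come from the question; credentials are placeholders.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

if (isset($_GET['upvote']) && !empty($_SESSION['loggedin'])) {
    // Reject anything that is not a positive integer post id.
    $postId = filter_var($_GET['upvote'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        http_response_code(400);
        exit('Invalid post id');
    }
    $conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders

    // Look up the user id; the username is bound, never concatenated.
    $stmt = $conn->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $_SESSION['loggedinusername']);
    $stmt->execute();
    $stmt->bind_result($userId);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) { exit('Failed'); }

    // Has this user already upvoted this post? (assumes integer id columns)
    $stmt = $conn->prepare('SELECT 1 FROM upvotedposts WHERE userid = ? AND postid = ?');
    $stmt->bind_param('ii', $userId, $postId);
    $stmt->execute();
    $stmt->store_result();
    $already = $stmt->num_rows > 0;
    $stmt->close();

    if (!$already) {
        // Record the vote and bump the counter in one transaction.
        $conn->begin_transaction();
        $stmt = $conn->prepare('INSERT INTO upvotedposts (userid, postid) VALUES (?, ?)');
        $stmt->bind_param('ii', $userId, $postId);
        $stmt->execute();
        $stmt->close();
        $stmt = $conn->prepare('UPDATE posts SET upvotes = upvotes + 1 WHERE id = ?');
        $stmt->bind_param('i', $postId);
        $stmt->execute();
        $stmt->close();
        $conn->commit();
        echo 'Successfully upvoted';
    }
    $conn->close();
}
```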