<?php
// Start the session and check the login before anything is output
// (navbar.php emits HTML), otherwise the session cookie header cannot be sent.
session_start();

// make sure user is logged in; exit after the redirect so the rest of the
// page, including the INSERT below, never runs for an unauthenticated request
if (!isset($_SESSION['umid'])) {
    header("Location: /sell-ticket-login");
    exit;
}

require ('navbar.php');
?>

<div class="container">
    <div class="row">
        <div class="well text-center">
            <h1>Sell Ticket</h1>
        </div>

        <br>
        <br>

<?php
// The game id comes from the query string (the link from the game page),
// not from the form fields. Echoed here for debugging.
$g = $_GET['id'];
echo $g;
echo " ".$g;

if ($_SERVER['REQUEST_METHOD'] == 'POST') {

    require ("mysqli_connect.php");
    $errors = array();

    // Validate each form field; escape the value for use in the query string.
    if (empty($_POST['section'])) {
        $errors[] = 'You forgot to enter your section';
    } else {
        $sec = mysqli_real_escape_string($dbc, trim($_POST['section']));
    }

    if (empty($_POST['row'])) {
        $errors[] = 'You forgot to enter your row';
    } else {
        $ro = mysqli_real_escape_string($dbc, trim($_POST['row']));
    }

    if (empty($_POST['seat'])) {
        $errors[] = 'You forgot to enter your seat';
    } else {
        $sea = mysqli_real_escape_string($dbc, trim($_POST['seat']));
    }

    if (empty($_POST['price'])) {
        $errors[] = 'You forgot to enter your price';
    } else {
        $pri = mysqli_real_escape_string($dbc, trim($_POST['price']));
    }

    if (empty($errors)) {

        // dont forget info about name. login
        $q1 = "INSERT INTO tickets
                        (game_id, section, row, seat, price, date)
                VALUES ('$g', '$sec', '$ro', '$sea', '$pri', NOW())";

        $r = mysqli_query($dbc, $q1);
        if ($r) {
            echo '<div class="row">
                    <div class="col-lg-4">
                    </div>
                    <div class="well well-sm col-lg-4">
                        <h4 class="text-center">Thank You! Your Ticket has been submitted</h4>
                    </div>
                  </div>
                  ';
        }

    } else {

        echo '<h1>Error!</h1>
            <p class="error">The following error(s) occurred:<br />';
        foreach ($errors as $msg) { // Print each error.
            echo " - $msg<br />\n";
        }
        echo '</p><p>Please try again.</p><p><br /></p>';
    }

    // The connection is only opened in the POST branch, so close it here.
    mysqli_close($dbc);
}
?>

  <h2 class="text-center">Ticket Info</h2>

    <form action="sell-ticket.php" method="post">

        <div class="row">
            <div class="col-lg-4">
            </div>
            <div class="form-group col-lg-4">
                <label for="section">Section:</label>
                <input type="text" class="form-control" id="section" name="section">
            </div>
        </div>

        <div class="row">
            <div class="col-lg-4">
            </div>
            <div class="form-group col-lg-4">
                <label for="row">Row:</label>
                <input type="text" class="form-control" id="row" name="row">
            </div>
        </div>

        <div class="row">
            <div class="col-lg-4">
            </div>
            <div class="form-group col-lg-4">
                <label for="seat">Seat:</label>
                <input type="text" class="form-control" id="seat" name="seat">
            </div>
        </div>

        <div class="row">
            <div class="col-lg-4">
            </div>
            <div class="form-group col-lg-4">
                <label for="price">Price:</label>
                <input type="text" class="form-control" id="price" name="price">
            </div>
        </div>

        <div class="row">
            <div class="col-lg-4">
            </div>
            <div class="col-lg-4">
                <button type="submit" class="btn btn-default">Submit</button>
            </div>
        </div>
    </form>
  <footer>
  <p>&copy; 2017 MichMarket, Inc.</p>
 </footer>

 </div>
 <!--/.container-->
 </body>

 </html>

For some reason, my query works but the only value that is not passed into my database is $g. I echo the value of $g for testing purposes, and it is displayed on my webpage. All of the other values are passed into my database correctly. I receive all of the other values from an HTML form and I receive $g through $_GET.

In my query when I change $g to be a specific value, it is passed into my database. Any thoughts on why this is not working the way I want it to?

ChaseRun
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 12 '17 at 16:55
  • What is the value? What is the data type for that column? Why are you using SQL-injectable string interpolation instead of using query parameters and letting the database driver handle the data typing? – David Jul 12 '17 at 16:56
  • Can you post the entire code? – Joey Pinto Jul 12 '17 at 16:57
  • Where do you get the value for $g? – Vagabond Jul 12 '17 at 17:02
  • from `$_GET['id']`. I write what the id is in an href on a different page and it is linked to this page. – ChaseRun Jul 12 '17 at 17:05
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Jul 12 '17 at 17:20
  • You cannot start a session AFTER you have sent something other than headers to the server – RiggsFolly Jul 12 '17 at 17:24
  • **Simple Rule 1:** Start the session as the **first** thing you do after the **first** ` – RiggsFolly Jul 12 '17 at 17:25
  • Good to know about starting sessions. Makes sense @RiggsFolly – ChaseRun Jul 12 '17 at 17:27
  • I'm also going to take a look at the coding standard. That's something that I've been meaning to implement. Thanks for linking it @RiggsFolly – ChaseRun Jul 12 '17 at 17:29

1 Answer


Figured out the issue. In my form, I linked it to a different url without the $id having a value, so $g didn't have a value when I submitted the query.

ChaseRun
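The fix the answer describes (carry the game id through to the POST request) combined with the prepared-statement approach the comments recommend, as an added example that is not the asker's code or part of the original post. It assumes `mysqli_connect.php` sets `$dbc` and reuses the question's table and column names; the hidden field name `game_id`, the validation and the error messages are my own.

```php
<?php
// Added example (not the asker's code). Assumes mysqli_connect.php defines $dbc
// and the `tickets` columns from the question; field names below are assumed.
session_start();                               // first, before any output
if (!isset($_SESSION['umid'])) {
    header('Location: /sell-ticket-login');
    exit;                                      // never fall through to the INSERT
}
require 'mysqli_connect.php';

// On GET the id arrives on the link from the game page; on POST it comes back
// from the hidden field in the form, so $gameId is set on both requests.
$gameId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$errors = [];
$ok = false;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $gameId  = filter_input(INPUT_POST, 'game_id', FILTER_VALIDATE_INT);
    $price   = filter_input(INPUT_POST, 'price', FILTER_VALIDATE_FLOAT);
    $section = trim($_POST['section'] ?? '');
    $row     = trim($_POST['row'] ?? '');
    $seat    = trim($_POST['seat'] ?? '');

    // filter_input() returns null when the field is absent and false when it
    // is not an integer, so the empty-$g case from the question is reported
    // instead of silently inserting a row with an empty game_id.
    if ($gameId === null || $gameId === false) { $errors[] = 'Missing or invalid game id'; }
    if ($price === null || $price === false || $price <= 0) { $errors[] = 'Invalid price'; }
    foreach (['section' => $section, 'row' => $row, 'seat' => $seat] as $name => $value) {
        if ($value === '') { $errors[] = "You forgot to enter your $name"; }
    }

    if (!$errors) {
        $stmt = mysqli_prepare($dbc, 'INSERT INTO tickets (game_id, section, row, seat, price, date)
                                      VALUES (?, ?, ?, ?, ?, NOW())');
        // i = int, s = string, d = double: the driver sends the values separately
        // from the SQL text, so no quoting or escaping of user input is involved.
        mysqli_stmt_bind_param($stmt, 'isssd', $gameId, $section, $row, $seat, $price);
        $ok = mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
}
mysqli_close($dbc);
?>
<!-- The id is kept in both the action URL and a hidden field; the (int) cast
     also makes it safe to echo into the HTML. Other inputs as in the question. -->
<form action="sell-ticket.php?id=<?= (int) $gameId ?>" method="post">
    <input type="hidden" name="game_id" value="<?= (int) $gameId ?>">
</form>
```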