
I have this update PHP file that either updates a row in a database or deletes it. The PHP file works fine. However, when I add an AJAX function to the main HTML page so that it can make the changes without refreshing the page, it doesn't execute the PHP file properly. When I remove the AJAX it works again. When I remove the "if isset.." clause and the functions that are related to "deleteContact" and use the AJAX function on the main page again, it works fine. Is there an error in the response because I am deleting the row and so not getting back any response? Also, I am aware that I am susceptible to SQL injection; I'm reading up on PDO and will update my code when I have a better understanding.

<!doctype html>
<html>
<head>
<meta charset="UTF-8">
<title>Untitled Document</title>
</head>

<body>

<?php

$servername = "localhost";
$username= "root";
$dbpassword = "";
$dbname="test";
$db=mysqli_connect($servername, $username, $dbpassword, $dbname);
if(!$db){
    die("could not connect:".mysqli_connect_error());   
} else{

        echo ("success");
        $id=test_input($_POST['id']);
        $firstname=test_input($_POST['firstname']);
        $lastname=test_input($_POST['lastname']);
        $pcat=test_input($_POST['pcat']);
        $congroup=test_input($_POST['congroup']);
        $cattype=test_input($_POST['cattype']);
        $company=test_input($_POST['company']);
        $position=test_input($_POST['position']);
        $email=test_input($_POST['email']);
        $website=test_input($_POST['website']);
        $phone= test_input($_POST['phone']);
        $mphone=test_input($_POST['mphone']);
        $wphone=test_input($_POST['wphone']);
        $fax=test_input($_POST['fax']);
        $add1=test_input($_POST['add1']);
        $add2=test_input($_POST['add2']);
        $city=test_input($_POST['city']);
        $state=test_input($_POST['state']);
        $zip=test_input($_POST['zip']);
        $country=test_input($_POST['country']);
        $reference=test_input($_POST['reference']);
        $entrydate=test_input($_POST['entrydate']);
        $enteredby=test_input($_POST['enteredby']);
        $notes=test_input($_POST['notes']);

if (isset($_POST['insert'])){
        $rtninfo = updateContact($db, $id, $firstname, $lastname, $pcat, $congroup ,$cattype, $company, $position,$email, $website, $phone, $mphone, $wphone, $fax, $add1, $add2, $city, $state, $zip, $country, $reference, $entrydate, $enteredby, $notes);
}else if (isset($_POST['delete'])){
        $rtninfo= deleteContact($db, $id, $firstname, $lastname, $pcat, $congroup ,$cattype, $company, $position,$email, $website, $phone, $mphone, $wphone, $fax, $add1, $add2, $city, $state, $zip, $country, $reference, $entrydate, $enteredby, $notes);


}
        if ($rtninfo == "ContactNotFound")
        {
            print "<p style='color: red'>Contact Not Found - Check SSN</p>";

        } else {
            if ($rtninfo == "NotUpdated")
            {
                print "<p style='color: red'>Contact Not Updated</p>";
            } else {
                print "<p style='color: green'>Contact has been Changed</p>";
            }
        }
    }

?>  

<?php

function updateContact($db, $id, $firstname, $lastname, $pcat, $congroup ,$cattype, $company, $position,$email, $website, $phone, $mphone, $wphone, $fax, $add1, $add2, $city, $state, $zip, $country, $reference, $entrydate, $enteredby, $notes)
{

    //First check if SSN exists

    $sql_statement  = "SELECT id, firstname, lastname, pcat, congroup, cattype, company, position, email, website, phone, mphone, wphone, fax, add1, add2, city, state, zip, country, reference, entrydate, enteredby, notes ";
    $sql_statement .= "FROM contacts ";
    $sql_statement .= "WHERE id = '".$id."' ";
    $result = mysqli_query($db, $sql_statement);  // Run SELECT

    $numresults = mysqli_num_rows($result);
    echo($numresults);



    // If SSN exists then Update the Contact Info

    if ($numresults > 0)
    {
        $statement="UPDATE CONTACTS ";
        $statement.= "SET firstname='".$firstname."', ";
        $statement.="lastname='".$lastname."',";
         $statement.="pcat='".$pcat."',";
         $statement.="congroup='".$congroup."',";
        $statement.= "cattype='".$cattype."',";
        $statement.= "company='".$company."',";
        $statement.= "position='".$position."',";
        $statement.= "email='".$email."',";
        $statement.= "website='".$website."',";
        $statement.= "phone='".$phone."',";
        $statement.= "mphone='".$mphone."',";
        $statement.= "wphone='".$wphone."',";
        $statement.= "fax='".$fax."',";
        $statement.= "add1='".$add1."',";
        $statement.= "add2='".$add2."',";
        $statement.= "city='".$city."',";
        $statement.= "state='".$state."',";
        $statement.= "zip='".$zip."',";
        $statement.= "country='".$country."',";
        $statement.= "reference='".$reference."',";
        $statement.= "entrydate='".$entrydate."',";
        $statement.= "enteredby='".$enteredby."',";
        $statement.= "notes='".$notes."' ";
        $statement .= "WHERE id='".$id."' ";




        $result = mysqli_query($db, $statement);

        if ($result)
        {
            return $id;
        } else {
            $errno = mysqli_errno($db);

            echo("<h4>MySQL No: ".mysqli_errno($db)."</h4>");
            echo("<h4>MySQL Error: ".mysqli_error($db)."</h4>");
            echo("<h4>SQL: ".$statement."</h4>");
            echo("<h4>MySQL Affected Rows: ".mysqli_affected_rows($db)."</h4>");

            return 'NotUpdated';
        }
    } else {

        return 'ContactNotFound';
    }
    mysqli_close($db);
}
function deleteContact($db, $id, $firstname, $lastname, $pcat, $congroup ,$cattype, $company, $position,$email, $website, $phone, $mphone, $wphone, $fax, $add1, $add2, $city, $state, $zip, $country, $reference, $entrydate, $enteredby, $notes)
{

    //First check if SSN exists

    $sql_statement  = "SELECT id, firstname, lastname, pcat, congroup, cattype, company, position, email, website, phone, mphone, wphone, fax, add1, add2, city, state, zip, country, reference, entrydate, enteredby, notes ";
    $sql_statement .= "FROM contacts ";
    $sql_statement .= "WHERE id = '".$id."' ";
    $result = mysqli_query($db, $sql_statement);  // Run SELECT

    $numresults = mysqli_num_rows($result);
    echo ($numresults);


    // If SSN exists then Update the Contact Info

    if ($numresults > 0)
    {
        $statement="DELETE FROM CONTACTS ";
        $statement .= "WHERE id='".$id."' ";




        $result = mysqli_query($db, $statement);

        if ($result)
        {
            return $id;
        } else {
            $errno = mysqli_errno($db);

            echo("<h4>MySQL No: ".mysqli_errno($db)."</h4>");
            echo("<h4>MySQL Error: ".mysqli_error($db)."</h4>");
            echo("<h4>SQL: ".$statement."</h4>");
            echo("<h4>MySQL Affected Rows: ".mysqli_affected_rows($db)."</h4>");

            return 'NotUpdated';
        }
    } else {

        return 'ContactNotFound';
    }
    mysqli_close($db);
}   

function test_input($data){

    $data=trim($data);
    $data=stripslashes($data);
    $data=htmlspecialchars($data);
    return $data;   
    }
?>
</body>
</html>

main form 
<form action="contactsinsert.php" id="frmBox2" method="post" onsubmit="return formUpdate();">
  <table style="width:100%">
  <tr>
  <input type="text" name="id" id="id" size="20" />
  </tr>
  <tr>
    <td>First Name: </td>
    <td><input type="text" name="firstname" class="inp" size="20" required /></td>
    <td>Last Name: </td>
    <td><input type="text" name="lastname" class="inp" size="20"  required /></td>
  </tr>


  <tr>
    <td><input type="submit" name="insert" class="sub-btn" value="insert"></td>
  </tr>

      <h3 id="success"></h3>
</table>

    </form> 

ajax function on main page

  function formUpdate(){
    $.ajax({
    type:'POST',
    url:'contactsupdate.php',
    data:$('#frmBox2').serialize(),
    success:function(response){
    $('#success').html(response);
        }
        });
    var form=document.getElementById('frmBox2').reset();
     window.location.reload();
    return false;
            }       
Pari Baker
  • It seems that you get the data to send through `$('#frmBox2').serialize()` but your form has id `frmBox` – quirimmo Aug 15 '17 at 17:53
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Aug 15 '17 at 17:54
  • I'm sorry, that was a mistake when copying the form; I will edit now. – Pari Baker Aug 15 '17 at 18:00
  • I don't see how your code ever calls the delete method because it doesn't look like `$_POST['delete']` is ever going to be set. – Amit Joshi Aug 15 '17 at 18:01
  • When the delete button is clicked, is it not set? – Pari Baker Aug 15 '17 at 18:03
  • The problem is, if I remove the onsubmit function on the form, the insert and delete buttons work as they should. One updates and one deletes. When I add the function back neither button does anything. When I add the ajax function on submit ="formUpdate();" and remove the deletecontacts function from the update php file the insert button works fine again. – Pari Baker Aug 15 '17 at 18:10
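
The prepared-statement approach Jay Blanchard's comment links to, applied to the question's update and delete logic. This is an added example, not code from the question or from any commenter. It assumes PDO with an in-memory SQLite table trimmed to three columns in place of the MySQL `contacts` table, and `run()` and `changeContact()` are hypothetical helper names.

```php
<?php
// Added example. Assumption: an in-memory SQLite table, trimmed to three
// columns, stands in for the MySQL `contacts` table so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)');
$pdo->exec("INSERT INTO contacts VALUES (1, 'Ada', 'Lovelace'), (2, 'Alan', 'Turing')"); // constructed rows

// Hypothetical helper: prepare and execute with bound parameters.
// Failures are logged server-side instead of echoing the SQL to the client.
function run(PDO $pdo, string $sql, array $params): ?PDOStatement
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        error_log($e->getMessage());
        return null;
    }
}

// Hypothetical helper: existence check, then the change, returning the same
// status strings the question's functions use.
function changeContact(PDO $pdo, string $id, string $sql, array $params): string
{
    $found = run($pdo, 'SELECT 1 FROM contacts WHERE id = :id', [':id' => $id]);
    if ($found === null || $found->fetchColumn() === false) {
        return 'ContactNotFound';
    }
    return run($pdo, $sql, $params + [':id' => $id]) ? $id : 'NotUpdated';
}

function updateContact(PDO $pdo, string $id, string $firstname, string $lastname): string
{
    $sql = 'UPDATE contacts SET firstname = :fn, lastname = :ln WHERE id = :id';
    return changeContact($pdo, $id, $sql, [':fn' => $firstname, ':ln' => $lastname]);
}

function deleteContact(PDO $pdo, string $id): string
{
    return changeContact($pdo, $id, 'DELETE FROM contacts WHERE id = :id', []);
}

// Constructed inputs: a name containing a quote, and an id carrying SQL syntax.
echo updateContact($pdo, '1', "O'Brien", 'Lovelace'), "\n"; // the quote is stored as data
echo deleteContact($pdo, "2' OR '1'='1"), "\n";             // the id is compared as a value
echo $pdo->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), "\n"; // rows left in the table
```

Against MySQL, the DSN and credentials passed to `new PDO(...)` change; the functions stay the same. Bound parameters replace the `trim`/`stripslashes`/`htmlspecialchars` pass in `test_input()` as the SQL defence, and HTML escaping then belongs at output time.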

0 Answers