
So I have been trying at this for hours, and looked all over but cannot find a way to make it work. I know that the issue is related to _POST and _GET, however I can't seem to fix it. Every time I click the submit button, I get an error thrown that tells me my query has all of the information except for $ID, which is blank. When I echo above the statement, the ID is correctly retrieved from the URL and displays the correct number, however when I try to insert the variable into my query it inserts nothing. When I switch the isset statement to check for a value in id, it doesn't run, meaning id isn't defined in the _POST array. How could I make my query contain the ID as well as all the other data?

    <?php

    require_once 'login.php';
    $conn = new mysqli($hn, $un, $pw, $db);
    if ($conn->connect_error) die($conn->connect_error);

    // $id is only populated when the current request URL carries ?id=...;
    // a POST to an action URL without that query string leaves it "".
    $id = "";
    if (isset($_GET["id"]))
        $id = $_GET["id"];

    echo "$id";   // not part of the if above; prints the id for debugging

    if (isset($_POST['title']) &&
        isset($_POST['score']) &&
        isset($_POST['body']) &&
        isset($_POST['date']) &&
        isset($_POST['customer']))
    {
        $title = get_post($conn, 'title');
        $score = get_post($conn, 'score');
        $body = get_post($conn, 'body');
        $date = get_post($conn, 'date');
        $customer = get_post($conn, 'customer');
        // $id is interpolated into the SQL as-is; it is never escaped or validated
        $query = "INSERT INTO review VALUES" .
            "(NULL, '$title', '$score', '$body', '$date', '$id', '$customer')";
        $result = $conn->query($query);
        if (!$result) {
            echo "INSERT failed: $query<br>" .
                $conn->error . "<br><br>";
        } else {
            header("Refresh: 0; URL=AddReviewSuccess.php");
        }
    }

    echo html......

    ......FORM DATA THAT HAS method='post'......

    ......end echo

    function get_post($conn, $var) {
        return $conn->real_escape_string($_POST[$var]);
    }

    ?>
biagidp

  • Don't rely on `mysqli_real_escape_string()` to prevent SQL injection, [it alone is not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 08 '17 at 21:02
  • What's the form action? Or what's the URL of the page above? –  Nov 08 '17 at 21:03
  • Please include your HTML as well. So, `echo "$id"` shows the correct value but that value is not included in `$query`? – showdev Nov 08 '17 at 21:03
  • You could post the id via a hidden form field - but that does not explain the issue you are having, it's just an alternative. –  Nov 08 '17 at 21:06
  • Show us your form action value. – Progrock Nov 08 '17 at 21:24
  • Instead of using `$_GET` with form POST, I would suggest passing the GET value using a hidden input field. – Mohammed Akhtar Zuberi Nov 08 '17 at 21:42
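An added example (not the asker's code, nor from any answer on this page) that combines the two suggestions made in the comments: the id is carried through the POST in a hidden field, and the insert uses a mysqli prepared statement with bound parameters instead of `real_escape_string()`. It assumes `login.php` defines `$hn`, `$un`, `$pw` and `$db` as in the question, and that `review` has the same seven columns in the same order as the question's INSERT.

```php
<?php
// Added example, not the asker's code. Assumes login.php defines $hn, $un, $pw, $db
// and that `review` has the seven columns used in the question, in the same order.
require_once 'login.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$conn = new mysqli($hn, $un, $pw, $db);

// The id arrives via ?id= on the first (GET) visit and via the hidden field on submit,
// so it is available on the POST request even if the form action drops the query string.
$raw_id = $_POST['id'] ?? $_GET['id'] ?? null;
$id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Collect the review fields; $posted stays null until the form has been submitted in full.
$posted = [];
foreach (['title', 'score', 'body', 'date', 'customer'] as $field) {
    if (!isset($_POST[$field])) { $posted = null; break; }
    $posted[$field] = $_POST[$field];
}

if ($posted !== null) {
    // Placeholders keep user input out of the SQL text, so no escaping is needed;
    // the id is bound as an integer after validation above.
    $stmt = $conn->prepare('INSERT INTO review VALUES (NULL, ?, ?, ?, ?, ?, ?)');
    $stmt->bind_param('ssssis', $posted['title'], $posted['score'], $posted['body'],
                      $posted['date'], $id, $posted['customer']);
    $stmt->execute();
    $stmt->close();
    header('Location: AddReviewSuccess.php');
    exit;
}

// The form posts back to this script; the hidden field is what lets $id survive the POST.
$safe_id = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="id" value="$safe_id">
  <input name="title"> <input name="score"> <textarea name="body"></textarea>
  <input name="date"> <input name="customer">
  <button type="submit">Add review</button>
</form>
HTML;
```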

0 Answers