
So I'm using SQL with PHP, but one variable doesn't work. The variable $pagina works in the $sql but not within the else {} ($sql2 and header). The other variables do work ($naam and $bericht). Can anyone spot the mistake?
(Sorry for any possible mistakes in my English.)

<?php
$bericht = $_POST['bericht'];
$pagina  = $_GET['id'];
$naam    = $_SESSION['login'];
$con     = mysqli_connect("host","sql","pw","sql");

if (empty($bericht)) {
} else {
    // Store the new comment, then send the browser back to this message page
    $sql2 = "INSERT INTO Comments (bericht_id, naam, bericht) VALUES ('$pagina', '$naam', '$bericht')";
    mysqli_query($con, $sql2);
    header("location:directbericht.php?id=$pagina");
}

// Show the message itself
$sql = "SELECT * FROM Berichten WHERE id = $pagina";

if ($result = mysqli_query($con, $sql)) {
    while ($obj = mysqli_fetch_object($result)) {
        echo $obj->naam;
        echo "<br><br>";
        echo $obj->bericht;
        echo "<br><br>";
        echo $obj->datum;
        echo "<br><br>";
    }
}

// Show the comments belonging to this message
$sql = "SELECT * FROM Comments WHERE bericht_id = $pagina ORDER BY id ASC";

if ($result = mysqli_query($con, $sql)) {
    while ($obj = mysqli_fetch_object($result)) {
        echo "<tr><td><font color='white'>";
        echo $obj->naam;
        echo "<br><br>";
        echo $obj->bericht;
        echo "<br><br>";
        echo $obj->datum;
        echo "<br><br>";
        echo "</font></td></tr>";
    }
}

?>
HerrFaust
  • I'm pretty sure it's because of the `font` tag, or maybe the problem with quotes in the value causing an SQL injection, or that one value is GET and one is POST. No, it's definitely the font tag... – Lawrence Cherone Dec 24 '17 at 15:22
  • You mean the redirect in else is not working? Add exit(); after the header redirect. Also use an absolute path if required. – Naresh Kumar Dec 24 '17 at 15:23
  • First of all, start binding SQL params, because currently your code is an SQL injection vulnerability. Read the first answer to this question: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php. – Wolen Dec 24 '17 at 15:24
  • Yes and the insert is also not working, when I put a number after the "$pagina =" it does work but it doesn't work with the $_GET['id'];. – HerrFaust Dec 24 '17 at 15:26

1 Answer


There are a couple major things wrong with your code.

The first, and most important to deal with is how you're inserting data into the database. As it is currently written, you are vulnerable to a SQL injection attack. Please read on how to use mysqli's bind parameters, or better yet, upgrade to PDO.

Secondly, you're trying to pull data using both $_POST[] and $_GET[] in the same logic path. An http connection will be either a post, get, or some other kind of request. It will never be both. This is likely why it works when you put a number in, but not when you try to use $_GET[].

Jacobm001
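The two fixes recommended above (bind parameters instead of interpolating $_GET/$_POST into SQL, and exit after the header() redirect), written out as an added example; this is not the asker's or answerer's code. It assumes the Comments table and column names from the question, that the session is started on this page, and that mysqli was built with mysqlnd (needed for mysqli_stmt_get_result).

```php
<?php
// Added example: same insert-and-list flow as the question, but user input is
// passed to MySQL as bound parameters, so it can never change the SQL text.
session_start();
// Throw on SQL errors instead of failing silently, which hides bugs like this one.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = mysqli_connect("host", "sql", "pw", "sql");   // placeholder credentials

// Validate the id up front: it must be an integer no matter how the request arrived.
$pagina = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($pagina === false || $pagina === null) {
    http_response_code(400);
    exit('missing or invalid id');
}
$naam    = $_SESSION['login'] ?? '';
$bericht = trim($_POST['bericht'] ?? '');

if ($bericht !== '') {
    // "?" placeholders stand in for the values; "iss" = integer, string, string.
    $stmt = mysqli_prepare(
        $con,
        "INSERT INTO Comments (bericht_id, naam, bericht) VALUES (?, ?, ?)"
    );
    mysqli_stmt_bind_param($stmt, "iss", $pagina, $naam, $bericht);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    // Redirect after a successful POST and stop: without exit, the code below
    // still runs and sends a body along with the Location header.
    header("Location: directbericht.php?id=" . $pagina);
    exit;
}

// Listing the comments uses a bound parameter too; the column list is fixed in code.
$stmt = mysqli_prepare(
    $con,
    "SELECT naam, bericht, datum FROM Comments WHERE bericht_id = ? ORDER BY id ASC"
);
mysqli_stmt_bind_param($stmt, "i", $pagina);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

while ($row = mysqli_fetch_assoc($result)) {
    // Escape on output as well, so a stored comment cannot inject HTML into the page.
    echo htmlspecialchars($row['naam'], ENT_QUOTES, 'UTF-8'), "<br><br>";
    echo htmlspecialchars($row['bericht'], ENT_QUOTES, 'UTF-8'), "<br><br>";
    echo htmlspecialchars($row['datum'], ENT_QUOTES, 'UTF-8'), "<br><br>";
}
mysqli_stmt_close($stmt);
```

With the id validated as an integer and bound separately, a value such as `1 OR 1=1` in the query string is rejected with a 400 rather than altering the WHERE clause.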