
I have got a problem. This is my code for editing the article. I don't know why, but my UPDATE is not working. It just redirects to ../index.php. I've tried everything (quotation marks and such). Can you help me? I just want to edit/update the title and content. The code is below. Thanks so much.

editarticle.php

<?php

session_start();

include_once('../connect.php');
include_once('../includes/article.php');
header('Content-type: text/html; charset=utf-8');

if(isset($_SESSION["user_id"])){
  $query=$pdo->prepare("SELECT * FROM users WHERE id = " .$_SESSION["user_id"]);
  $query->execute();
  $row=$query->fetch(PDO::FETCH_ASSOC);

  if($row['privileges']==1){
    $query = $pdo->prepare("SELECT * FROM `articles` WHERE article_id='" . $_POST['id'] . "'");
    $query->execute();
    $row=$query->fetch(PDO::FETCH_ASSOC);
    var_dump($row);

    if(isset($_POST['editarticle'])){
      if(isset($_POST['title'], $_POST['content'])){
        $title= $_POST['title'];
        $content= nl2br($_POST['content']);

        $query= $pdo->prepare("UPDATE `articles` SET article_title=" .$_POST['title'] .",article_content=" .$_POST['content'] ." WHERE article_id='" . $_POST['id'] . "'");
        $query->execute();
        $row=$query->fetch(PDO::FETCH_ASSOC);

        header('Location: ../index.php');
      }
    }
?>

  <html>
   <head>
    <title>CMS Tutorial</title>
    <link rel="stylesheet" href="assets/style.css" />
   </head>
   <body>
   <div class="container">
    <br/>
    <h4>Edit article</h4>

    <?php if(isset($error)){
      echo $error;
    }?>
    <?php $query = $pdo->prepare("SELECT * FROM `articles` WHERE article_id='" . $_POST['id'] . "'");
    $query->execute();
    $row=$query->fetch(PDO::FETCH_ASSOC);
    ?>

    <form action="editarticle.php" method="post" autocomplete="off" class="addarticle">
      <input type="text" name="title" value="<?php echo ucwords($row['article_title']);?>"/><br/><br/>
      <textarea rows="15" cols="50" name="content"><?php echo ucwords($row['article_content']);?></textarea><br/><br/>
      <input type="submit" name="editarticle" value="Edit article"/>
    </form>
   </div>
   </body>
  </html>

<?php
  }
} else{
  header('Location: index.php');
}

?>
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jan 03 '18 at 16:06
  • Please, please use prepared statements. Not only would it prevent SQL injection, it'll avoid the pesky quoting issues. – Rotimi Jan 03 '18 at 16:06
  • Prepared statements are especially important when content may include all sorts of stuff, and they will solve your problem (you need quotes around the values of title and content). – Nigel Ren Jan 03 '18 at 16:11

1 Answer

This is not working because of the quotes, but the bigger problem is the query preparation itself; please take a look at this.

– nano