0

I'm having an issue and I can't seem to see where the error is in my code. I'm trying to update a variable total in my database using an ajax post function on my webpage. The function works, as the alert is generated with the correct values when I click the button, but my database is not updated. Here is the JavaScript function:

```javascript
function buyeqc() {
  var total = $('#eqctotal').val();
  $.ajax({
    url: "buyeqc.php", // the page containing php script
    data: 'total=' + total,
    type: "POST", // request type
    success: function(result) {
      if (total < "1") {
        alert("Please enter a value greater than 0");
      } else if (total > "1") {
        alert("Thank you for your purchase of " + total + " EQC. Please refresh the page to view your updated balance.");
      }
    }
  });
}
```

And here is the PHP script that it's posting to:

```php
<?php

if (isset($_GET['total'])) {

    session_start();
    include_once 'dbh.inc.php';
    $user = $_SESSION['u_uid'];
    $eqcbal = $_SESSION['EQCBal'];
    $total = $_GET['total'];
    $sql = "UPDATE users SET EQCBal = '$total' WHERE user_uid = '$user';";
    mysqli_query($conn, $sql);
}
?>
```

If you can point me in the right direction as to where my error is I would be grateful. I have a feeling it's something very simple or small! Thanks.

user3357649
  • Your JS says you're making a POST request, but your PHP is looking at GET variables. – Jonnix Jan 04 '18 at 17:14
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) driver. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jan 04 '18 at 17:19
  • Thanks for the input, I realise I should use prepared statements but I'm just trying to get a feel for how it works before diving into those. So I just changed my `$_GET` to `$_POST`, or is this incorrect? It's still the same issue: the alert is generated on the HTML page but it's not updating my database. – user3357649 Jan 04 '18 at 17:21

3 Answers

1

It's because `$total` in your PHP file is NULL. You should change it to

`$total = $_POST['total'];`

When you send a POST ajax request, the data will be stored in `$_POST`.

Ngo Tuan
  • Hi, thanks - I have changed this as stated but still the same issue. My database is not updating. Is it because `if (isset($_POST['total'])` is incorrect? Can I remove this when sending a POST ajax request? – user3357649 Jan 04 '18 at 17:24
  • Have you checked the value of `$total` and `$user` in your PHP file? Are they your expected values? – Ngo Tuan Jan 04 '18 at 17:40
  • @user3357649: `(isset($_POST['total'])` is correct. You can remove this when sending an ajax POST, but you shouldn't. It will check for you whether "$total"'s value is sent or not. – Ngo Tuan Jan 04 '18 at 17:44
  • On the other hand, I think you have a tiny mistake. In the alert block in the success function, it uses the total from `var total = $('#eqctotal').val();`, not the total in your PHP file, so it doesn't prove that the PHP file will work. – Ngo Tuan Jan 04 '18 at 17:49
0

You're making a POST request, and in PHP you have a GET request.

Marvin Collins
0

Thanks for the answers - it was the issue with having `$_GET` instead of `$_POST`. Also I was pointing to the wrong directory for my dbh.inc.php. Silly errors :) Thanks for the help!

user3357649
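The update from the question, rewritten with a bound-parameter statement as the comments recommend, as an added example that is not code from any poster in this thread. It uses PDO with an in-memory SQLite database as a stand-in for the MySQL connection in `dbh.inc.php` so it runs without a server; `setEqcBalance()` and the sample rows are hypothetical.

```php
<?php
// Added example, not the asker's code. Table and column names come from the
// question; setEqcBalance() and the sample rows are hypothetical.

/** Update one user's balance; returns true only if a row was written. */
function setEqcBalance(PDO $db, string $userUid, $rawTotal): bool
{
    // Server-side version of the "greater than 0" check the page does in JS.
    // Assumption: the amount is a whole number.
    $total = filter_var($rawTotal, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    if ($total === false) {
        return false;
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare(
        'UPDATE users SET EQCBal = :total WHERE user_uid = :uid'
    );
    $stmt->execute([':total' => $total, ':uid' => $userUid]);
    return $stmt->rowCount() === 1;
}

// In-memory SQLite stands in for the MySQL connection from dbh.inc.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly
$db->exec('CREATE TABLE users (user_uid TEXT PRIMARY KEY, EQCBal INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 0), ('bob', 7)");

// Constructed stand-ins for $_POST['total'] ?? null.
$samples = ['5', '0', null, "5'"];
foreach ($samples as $raw) {
    $ok = setEqcBalance($db, 'alice', $raw);
    // The handler would echo this JSON so the success callback can check it
    // instead of alerting unconditionally.
    echo json_encode(['input' => $raw, 'updated' => $ok]), "\n";
}

// Only alice's row should have changed.
foreach ($db->query('SELECT user_uid, EQCBal FROM users') as $row) {
    echo $row['user_uid'], ' => ', $row['EQCBal'], "\n";
}
```

With PDO's MySQL driver, `rowCount()` reports 0 when the new value equals the stored one, so treat a false return as "nothing written" rather than as an error.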