I use this JavaScript to post data from different variables to a PHP file that updates a MySQL database:

$.ajax({
    url: "createchild.php",
    type: 'POST',
    data: ({ATU:ATUv,AM:AMv,ATS:ATSv,segment:segmentv,acrcat:acrcatv,owner:childowner,topparent:childtp}),
    success: function(msg) {
        console.log(msg);
    }
});

Then this gets sent to the createchild php file:

 <?php
header('Content-type: text/plain; charset=utf-8');
$servername = "xxxxxxxxxxxxx";
$username = "xxxxxxxxxxxxxxxxxxxx";
$password = "xxxxxxxxxxxxxxx";
$dbname = "xxxxxxxxxxxxx";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
} 
$sql ="INSERT INTO tablename (top_parent, qualified,retry,partner_attached,partner_name,migration,sap,AM,ATS,ATU,owner,engagement,segment,acr_cat,childtp) 
VALUES ('" . $_POST['childname'] . "','No','Unknown','No','Unknown','Not Qualified','Not Qualified','" . $_POST['AM'] . "','" . $_POST['ATS'] . "','" . $_POST['ATU'] . "','" . $_POST['owner'] . "','No','" . $_POST['segment'] . "','" . $_POST['acrcat'] . "','" . $_POST['topparent'] . "'); ";

if ($conn->multi_query($sql) === TRUE) {
    echo "New record created successfully";
    echo "".$_POST['childname']."";

} else {
    echo "Error: " . $sql . "<br>" . $conn->error;
    echo "".$_POST['childname']."";
}

$conn->close();
?> 

The query runs successfully and a line gets created in my database. However, all the columns where I use "$_POST['xx']" are empty, so no data gets passed on to the PHP file, it seems.

All the variables in the JS file (AMv, ATUv, ATSv...) do contain data (I've checked with an alert) but the PHP file can't seem to read the post.

Any idea why and where the data gets stuck?

marc_s
cmplieger
  • is $_POST['childname'] actually set/sent? – JasonB Jan 15 '18 at 03:04
  • @JasonB damn... no it seems not to be sent, thank you! I've been trying to debug this for 30 min and adding it solved it! If you post this as an answer I will accept it. – cmplieger Jan 15 '18 at 03:17
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Jan 15 '18 at 03:17
  • Glad to hear it, and for goodness sake listen to @JohnConde – JasonB Jan 15 '18 at 03:18
  • Thank you @JohnConde, it is an internal, temporary and non-critical application so security is not that crucial. Nevertheless, once I get it running I will look into it. – cmplieger Jan 15 '18 at 03:19
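
Added example, not part of the original question or its comments: one way createchild.php could look with the prepared parameterized statement the comments recommend, plus a check that refuses the request when a POST field such as `childname` is not sent instead of inserting empty strings. It assumes all eight fields are required strings and keeps the page's placeholder connection values; the AJAX call would also have to include a `childname` key in its `data` object.

```php
<?php
// Added example: createchild.php using a mysqli prepared statement.
// Connection values are placeholders, as in the question.
header('Content-Type: text/plain; charset=utf-8');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// POST fields the INSERT uses, in placeholder order.
// 'childname' is the one the AJAX call in the question never sent.
$required = ['childname', 'AM', 'ATS', 'ATU', 'owner', 'segment', 'acrcat', 'topparent'];

// Refuse the request when a field is absent or not a plain string
// (e.g. childname[]=x), rather than silently inserting ''.
$missing = [];
foreach ($required as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        $missing[] = $field;
    }
}
if ($missing) {
    http_response_code(400);
    exit('Missing POST fields: ' . implode(', ', $missing));
}

try {
    $conn = new mysqli('xxxxxxxxxxxxx', 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx', 'xxxxxxxxxxxxx');
    $conn->set_charset('utf8mb4');

    // Request data is bound to placeholders and never becomes part of the SQL text.
    $stmt = $conn->prepare(
        "INSERT INTO tablename (top_parent, qualified, retry, partner_attached, partner_name,
                                migration, sap, AM, ATS, ATU, owner, engagement, segment, acr_cat, childtp)
         VALUES (?, 'No', 'Unknown', 'No', 'Unknown', 'Not Qualified', 'Not Qualified',
                 ?, ?, ?, ?, 'No', ?, ?, ?)"
    );
    $values = [];
    foreach ($required as $field) {
        $values[] = $_POST[$field];
    }
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    echo 'New record created successfully';
} catch (mysqli_sql_exception $e) {
    // Keep the SQL and driver error in the server log, not in the response.
    error_log('createchild.php: ' . $e->getMessage());
    http_response_code(500);
    echo 'Database error';
}
```

With this version a request that omits `childname` gets a 400 response naming the missing field, which surfaces the original bug immediately.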

0 Answers