-1

Hello, for some reason job_id will not parse from myjobs.php to payment.php and I really cannot see how. Does anyone know why this may be? Similar files seem to work, but for some reason this won't. I am thinking maybe because I also have HTML code on payment.php, which I haven't done before?

```php
<?php while($row = mysqli_fetch_array($result)):?>
    <tr>

        <td><?php echo $row['job_id']; ?></td>
        <td><?php echo $row['title'];?></td>
        <td><?php echo $row['description'];?></td>

        <td><?php if($row['accepted']==1 AND $row['start_escrow']==0):?><form action = "payment.php">
        <input type="hidden" value="<?php echo $row['job_id']?>" name="job_id" />
        <input type="submit" class="btn btn-xlarge btn-block btn-primary" value ="Start Escrow"></form><?php endif; ?></td>

        <td><?php if($row['start_escrow']==1):?><form action = "review.php">
        <input type="hidden" value="<?php echo $row['job_id']?>" name="job_id" />
        <input type="submit" class="btn btn-xlarge btn-block btn-primary" value ="Start Escrow"></form><?php endif; ?></td>

    </tr>
<?php endwhile;?>
</table>
```

payment.php

```php
<?php

require 'config.php';

$jobid    = $_POST['job_id'];

$query = "UPDATE job SET start_escrow = '1' WHERE  job_id = '$jobid''";
$success = $conn->query($query);
if (!$success) {
    die("Couldn't enter data: ".$conn->error);
}

echo "Thank You For Contacting Us <br>";

$conn->close();

?>
```
Virb
  • 5
    Your `<form>` tag doesn't have a method defined, so it's defaulting to GET
    – iainn Apr 18 '18 at 12:52
  • 1
    Possible duplicate of [What is the default form HTTP method?](https://stackoverflow.com/questions/2314401/what-is-the-default-form-http-method) – iainn Apr 18 '18 at 12:53
  • 1
    Your script is at risk of [SQL Injection Attack](//stackoverflow.com/questions/60174) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](//stackoverflow.com/questions/5741187) Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Apr 18 '18 at 12:55
  • 1
    You've also got an extra single quote at the end of your SQL query. Using parameterised queries will help avoid this kind of issue, as well as preventing a massive security hole. – iainn Apr 18 '18 at 12:58
  • This is a double typo question. – Funk Forty Niner Apr 18 '18 at 13:00

1 Answer

1

Set your method as POST in form.

```html
<form action = "payment.php" method="POST">
<form action = "review.php" method="POST">
```
Virb
  • Thank you, silly mistake. But can you see why I am getting this error now? Couldn't enter data: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''7''' at line 1 – user9512753 Apr 18 '18 at 12:55
  • My SQL statement seems fine, I can't see the problem? – user9512753 Apr 18 '18 at 12:56
  • Glad to help. Please mark it as accepted and do upvote and I suggest you to ask another question for your error. – Virb Apr 18 '18 at 12:57
  • This is only a partial answer. – Funk Forty Niner Apr 18 '18 at 13:01
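
The comments above recommend prepared parameterized statements for payment.php. The following is an added example, not code from the question or the answer: it assumes `config.php` defines `$conn` as a mysqli connection, and uses only the `job` table and the `job_id`, `accepted` and `start_escrow` columns shown in the question.

```php
<?php
// Added example, not the asker's code. Assumes config.php sets $conn (a mysqli object).
require 'config.php';
// Make mysqli throw on errors so failures cannot be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The state change is only accepted over POST, matching method="POST" on the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method not allowed');
}

// A hidden field is fully client-controlled: accept only a positive integer.
// filter_input() returns null when the field is missing and false when it is invalid.
$jobId = filter_input(INPUT_POST, 'job_id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($jobId === null || $jobId === false) {
    http_response_code(400);
    exit('Invalid job_id');
}

try {
    // The ? placeholder keeps the value out of the SQL text, so no quoting can go wrong.
    // The WHERE clause re-checks the condition myjobs.php used to show the button.
    // Assumption: an ownership check (job belongs to the logged-in user) also belongs
    // here; the page shows no user column, so it is left out.
    $stmt = $conn->prepare(
        'UPDATE job SET start_escrow = 1
          WHERE job_id = ? AND accepted = 1 AND start_escrow = 0'
    );
    $stmt->bind_param('i', $jobId);
    $stmt->execute();
    $updated = ($stmt->affected_rows === 1);
    $stmt->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to the client.
    error_log('payment.php: ' . $e->getMessage());
    http_response_code(500);
    exit('Server error');
}

if ($updated) {
    echo 'Escrow started for job ' . $jobId;
} else {
    http_response_code(409);
    echo 'Job not found or not eligible for escrow';
}
$conn->close();
```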