My alerted values from SUCCESS function are correct. They are:

serviceID=123&acceptAgreement=on

acceptAgreement is an input checkbox.

DB file is not being updated. I tried var_dump($_POST) from ajax URL file and nothing happens. I think it's not 'finding' the URL which resides in a subdirectory of main directory. My js file:

```js
$("#frmServiceAgreement").submit(function(event){
    var values = $(this).serialize();
    if($("input[name^='acceptAgreement']").is(":checked")) {
        $.ajax({
            url: "/admin/service.php",
            type: "post",
            data: values,
            success: function(result){
                window.alert(values);
            },
            error:function(){
                alert("failed");
                console.log("ooops!");
            }
        });//end ajax
    } else {
        $(".popup").fadeIn('slow');
    }
    event.preventDefault();
});
```

My URL file is service.php in a subdirectory admin/service.php (NOTE: maybe my if statement needs to be changed as my alerted value of acceptAgreement is ON not 1 which is the value that I want to store in my tinyint column in db).

```php
<?php
include('../xxx/functions.php');
$serviceID = protect($db,$_POST['serviceID']);
$acceptAgreement = protect($db,$_POST['acceptAgreement']);
if($acceptAgreement==1){
    $sql = $db->query("UPDATE services SET serviceAgreement=1 WHERE id=$serviceID");
} else {
    $sql = $db->query("UPDATE services SET serviceAgreement=0 WHERE id=$serviceID");
}
?>
```
Leslie
  • 1
    Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) even when you hide stuff in a `protect()` function. Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jul 10 '18 at 19:30
  • Well, since your `window.alert(values);` is actually firing off (as you claim), then ajax is hitting a valid url (otherwise it would do error callback). But you say the db is not being updated? Yet you have an if/else where both actions are `UPDATE`... so I'm confused on your issue. – IncredibleHat Jul 10 '18 at 19:31
  • Would it be a good idea to test the result of the `->query()` ?? – RiggsFolly Jul 10 '18 at 19:36
  • @RiggsFolly my protect function uses strip_tags and mysqli_real_escape_string...is this not sufficient? – Leslie Jul 10 '18 at 19:38
  • You don't need to bother. If you are passing the connection to it, I can guess – RiggsFolly Jul 10 '18 at 19:39
  • 1
    When you say "*I tried var_dump($_POST) from ajax URL file and nothing happens.*" ... what steps did you check to confirm 'nothing happens'? Did you check the raw response from the ajax call in the network tab of your browser devtools? Was it a `NULL` value, or `array(0) {}` ? – IncredibleHat Jul 10 '18 at 19:40
  • When I checked network headers for the ajax URL file it shows serviceID: 123 acceptAgreement: on – Leslie Jul 10 '18 at 20:00
  • I have even changed the value of my checkbox input statement and it is posting the new value. It seems that although my values are posting via ajax, the ajax URL is NOT executing at all. I have been unsuccessful at var_dumping the $_POST values via the ajax URL file. – Leslie Jul 11 '18 at 15:35

1 Answer

When my input box was checked (and is:checked was true), ajax posted "on" as the value of my variable...not 1 which is the value that I ultimately want to store in my tinyINT column... 1 being true or 0 being false. Once I added an if statement into my ajax URL checking if the posted value was "on", I then performed the following UPDATE statement

```php
$sql = $db->query("UPDATE services SET serviceAgreement='1' WHERE id=$serviceID");
```
Leslie
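
The prepared-statement approach recommended in the comments, combined with the "on" checkbox handling from the answer, as an added example that is not the poster's code. `saveAgreement()` is a hypothetical helper, and an in-memory SQLite database reached through PDO stands in for the real MySQL connection so the script runs on its own.

```php
<?php
// Added example, not the poster's code. Assumption: an in-memory SQLite
// database stands in for the real MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE services (id INTEGER PRIMARY KEY, serviceAgreement INTEGER NOT NULL DEFAULT 0)');
$db->exec('INSERT INTO services (id) VALUES (123)');

// Hypothetical helper: returns rows updated, or null when the input is rejected.
function saveAgreement(PDO $db, array $post): ?int
{
    // serviceID must be a positive integer; filter_var() returns false otherwise.
    $serviceID = filter_var($post['serviceID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($serviceID === false) {
        return null;
    }

    // A checked checkbox with no value attribute is posted as "on";
    // an unchecked one is not posted at all.
    $accepted = (($post['acceptAgreement'] ?? '') === 'on') ? 1 : 0;

    // Values are bound as parameters and never concatenated into the SQL text.
    $stmt = $db->prepare('UPDATE services SET serviceAgreement = :accepted WHERE id = :id');
    $stmt->bindValue(':accepted', $accepted, PDO::PARAM_INT);
    $stmt->bindValue(':id', $serviceID, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample request bodies, shaped like $_POST.
$samples = [
    ['serviceID' => '123', 'acceptAgreement' => 'on'], // box checked
    ['serviceID' => '123'],                            // box unchecked, field absent
    ['serviceID' => 'abc', 'acceptAgreement' => 'on'], // not an integer
];
foreach ($samples as $post) {
    $rows = saveAgreement($db, $post);
    $stored = $db->query('SELECT serviceAgreement FROM services WHERE id = 123')->fetchColumn();
    echo json_encode($post), ' => ',
        $rows === null ? 'rejected' : "$rows row(s) updated",
        ", stored value: $stored", PHP_EOL;
}
```

On MySQL, `rowCount()` reports 0 by default when the row already holds the value being written, so a zero there does not by itself mean the query failed.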