I am trying to insert a php variable to mysql but, it automatically inserts 0 instead of the value of the variable

Question

I am trying to insert a php variable to mysql but, it automatically inserts 0 instead of the value of the variable.

    <?php 
    $username_view = $_GET['user'];
    $current_user = getUserIdFromUsername($username_view);
    $current_user_chat = (int)$current_user;

    // echo gettype($current_user_chat);

    echo var_dump($current_user_chat); //echos original value

    if (isset($_POST['send_message_button_btn'])) {
        $message_text_txt=sanitizeString($_POST['send_message_text_txt']);
        $user_logged_in= $_SESSION['user_id'];
        queryMysql("INSERT INTO messages (message_sender_id, message_receiver_id, message_text, messege_date, message_time) VALUES ('$user_logged_in', $current_user_chat, '$message_text_txt', CURDATE(), CURTIME())");
        echo "<script type= 'text/javascript'> alert('sent');</script>";
        header("Location: user_home.php");
    }

?>

The value of the variable $current_user_chat is stored as '0'. When I echo the value of var_dump($current_user) is printed as expected.

The function getUserIdFromUsername($username_view) is:

<?php
function getUserIdFromUsername($username){
    $result = queryMysql("SELECT user_id FROM users WHERE username ='$username' ");
    $row = getRows($result);
    if($row){
        return $row['user_id'];
    }
    else{
        echo "<script type= text/javascript> alert('No such Users') </script>";
    }
?>

Here is the form:

<form method="post" action="messages.php?user=$username_view" class="chat-form">
   <textarea name="send_message_text_txt"></textarea>
   <button name="send_message_button_btn" type="submit"><i class="fa fa-paper-plane"></i></button>
</form>

When the SQL query is echoed it is as:

INSERT INTO messages (message_sender_id, message_receiver_id, message_text, messege_date, message_time) VALUES ('1', 5, '', CURDATE(), CURTIME())

What data type is that column in your database? Your column names indicate they are expecting to hold integers and not strings. You also specifically cast that value to an int on line 3, so... — John Conde, Jan 17 '19 at 13:30
No - don't do this. Please read - https://stackoverflow.com/q/60174/296555 — waterloomatt, Jan 17 '19 at 13:31
Since you're not using prepared statements, echo out that query and verify the data that you're pushing. Then double-check the data type of the column. You really ought to use prepared statements and parameter binding to prevent quoting issues and sql injection. — aynber, Jan 17 '19 at 13:32
Here is the Table Structure: CREATE TABLE messages( message_id SERIAL PRIMARY KEY, message_sender_id BIGINT(11) NOT NULL, message_receiver_id BIGINT(11) NOT NULL, message_text TEXT NOT NULL, messege_date DATE NOT NULL, message_time TIME NOT NULL ); — Pratik K. Tiwari, Jan 17 '19 at 13:33
The data type of message_receiver_id is BIGINT(11). When echoed using: gettype($current_user_chat); echo var_dump($current_user_chat); type is printed as integer along with the actual expected value. — Pratik K. Tiwari, Jan 17 '19 at 13:36
The value of $current_user_chat is obtained as: http://localhost/social/messages.php?user=akash $username_view = $_GET['user']; $current_user = getUserIdFromUsername($username_view); $current_user_chat = (int)$current_user; — Pratik K. Tiwari, Jan 17 '19 at 13:39
Can you show the form i have a feeling you don't send the user param in the url when saving. You are using $_GET and $_POST there. — Raymond Nijland, Jan 17 '19 at 13:47
INSERT INTO messages (message_sender_id, message_receiver_id, message_text, messege_date, message_time) VALUES ('1', 5, '', CURDATE(), CURTIME()) The message_receiver_id is 5 which is as according to the username. — Pratik K. Tiwari, Jan 17 '19 at 13:48
Yep, that's a head scratcher, then. Try using that string to insert directly into the database, and see if it throws any warnings. — aynber, Jan 17 '19 at 13:51
@RaymondNijland I have added the form code in the post. Do have a look at it. — Pratik K. Tiwari, Jan 17 '19 at 13:55
@aynber Passing the string directly doesn't throw any error. Still 0 is inserted. — Pratik K. Tiwari, Jan 17 '19 at 14:00
To add to @anyber comment manually select the warnings if anny with SHOW WARNINGS; after running the insert.. no error does not always mean there are no warnings — Raymond Nijland, Jan 17 '19 at 14:03
Can you pls show us the source of `queryMysql` and also `sanitizeString`? In addition, please show the output of `var_dump($current_user_chat);` when used **directly inside** `if (isset($_POST...`. I am trying to rule out `$_GET`/`$_POST` issues. Update your question with these; don't post them in the comments. And again, I can't stress enough, don't use variables inside your query - use parameterized queries (see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). It will solve a lot of your problems. — waterloomatt, Jan 17 '19 at 14:17
@RaymondNijland Thanks for the suggestion about form.I made a change in the action and now it is working fine. — Pratik K. Tiwari, Jan 17 '19 at 14:21
@waterloomatt Thank you for the response. There was a problem with the form action. It's fine now. — Pratik K. Tiwari, Jan 17 '19 at 14:22
Well i geuss i need some caffaine badly i totally overlooked the `action="messages.php?user=$username_view"` didn't use `` — Raymond Nijland, Jan 17 '19 at 14:24

score 0 · Accepted Answer · answered Jan 17 '19 at 14:21

0

There was a problem in the form action.

<form method="post" action="messages.php?user=$username_view" class="chat-form">
   <textarea name="send_message_text_txt"></textarea>
   <button name="send_message_button_btn" type="submit"><i class="fa fa-paper-plane"></i></button>
</form>

The variables were actually not being passed. I echoed the parameter instead of writing it directly in the form action.

The new form code is:

<form method="post" action="messages.php?user=<?php echo $username_view ?>" class="chat-form">
    <textarea name="send_message_text_txt"></textarea>
    <button name="send_message_button_btn" type="submit"><i class="fa fa-paper-plane"></i></button>
</form>

answered Jan 17 '19 at 14:21

Pratik K. Tiwari

161
10

Doh! We should have caught that. – waterloomatt Jan 17 '19 at 14:22
Wait - you showed us your `INSERT` statement where `5` was being passed. How is that possible? – waterloomatt Jan 17 '19 at 14:23
Well i geuss i need some caffaine badly i totally overlooked the `action="messages.php?user=$username_view"` didn't use ``.. lucky iam not the only one. – Raymond Nijland Jan 17 '19 at 14:25
@waterloomatt I really don't know about that. I'm also surprised. – Pratik K. Tiwari Jan 17 '19 at 14:29
@RaymondNijland HaHa! No problem. – Pratik K. Tiwari Jan 17 '19 at 14:30

score -1 · Answer 2 · answered Jan 17 '19 at 13:48

-1

Probably the column message_sender_id is an int, and in the query you try to input the value with quotation marks

answered Jan 17 '19 at 13:48

Hadagalberto Junior

119
2
11

I tried to do it with and without quotes. It didn't worked. – Pratik K. Tiwari Jan 17 '19 at 13:53
Can you post what that sql echoes? – Hadagalberto Junior Jan 17 '19 at 14:03
What's the data type of the `message_receiver_id` on the table? – Hadagalberto Junior Jan 17 '19 at 14:14
It is BIGINT. I found the errors. Thank you for the response. – Pratik K. Tiwari Jan 17 '19 at 14:24

I am trying to insert a php variable to mysql but, it automatically inserts 0 instead of the value of the variable

2 Answers2