
I've been building this and everything is working fine - however, the database that I'm connected to does not update - upon updating the text area, my code even tells me it is successful so I genuinely do not know what is wrong... Code below!

I've checked all the syntax, names in the database and letters in my code - nothing seems to be the issue.

Inspecting the page comes up with no errors.

loggedinpage.php

```php
<div class="container-fluid">

    <textarea name="diary" id="diary" class="form-control"></textarea>

</div>

<?php include("footer.php"); ?>
```

updatedatabase.php

```php
<?php

    session_start();

    if (array_key_exists("content", $_POST)) {

        include("connection.php");

        $query = "UPDATE `users` SET `diary` = '".mysqli_real_escape_string($link, $_POST['content'])."' WHERE id = ".mysqli_real_escape_string($link,$_SESSION['id'])." LIMIT 1";

        if (mysqli_query($link, $query)) {
            echo "success";
        } else {
            echo "failed";
        }

    }

?>
```

connection.php

```php
<?php

    $link = mysqli_connect("*******", "********", "xxxxxxx", "*******");

    if (mysqli_connect_error()) {
        die("Database connection error");
    }

?>
```

footer.php


```html
    <!-- Optional JavaScript -->
    <!-- jQuery first, then Popper.js, then Bootstrap JS -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>

    <script type="text/javascript">

        $(".toggleForms").click(function(){
            $("#signUpForm").toggle();
            $("#loginForm").toggle();
        });

        $("#diary").on('input propertychange', function(){

            $.ajax({
              method: "POST",
              url: "updatedatabase.php",
              data: { content: $("#diary").val() }
            })
              .done(function( msg ) {
                alert( "Data Saved: " + msg);
              });

        });

    </script>
```
  • 1
    Never do that. Anyone with basic knowledge of HTML request can abuse your AJAX call by replaying it & manipulating the data. – Raptor Jun 19 '19 at 04:37
  • 2
    So are you saying you get an alert with _"Data Saved: success"_? All I can think of is that your `$_SESSION['id']` is not actually set. You should [enable proper error reporting](https://stackoverflow.com/questions/845021/how-can-i-get-useful-error-messages-in-php). – Phil Jun 19 '19 at 04:41
  • @Raptor I'm not entirely sure what you mean. How would you recommend it be done? As an example, this comment form I'm typing into right now does practically the same thing – Phil Jun 19 '19 at 04:50
  • Hi @Phil, what I mean is that the server side script does not prevent re-submission of the HTML request. If a guy intends to abuse the form, he can just make the same requests again and again. – Raptor Jun 19 '19 at 07:39
  • 1
    @Raptor I also don't see a problem here as it seems the user is allowed to save a text via AJAX and the escaping of variables should suffice (even if there are some rare cases where even mysqli_real_escape_string() might be fooled). Regarding the author's problem: you will also receive a `true` even if no records were updated, `false` will only be returned in case of an error. Use `mysqli_affected_rows ($link);` to find out if any records were updated. – SaschaM78 Jun 19 '19 at 09:35
  • Hey guys, thanks for the replies. @Raptor, I'm confused by what you're saying - just slightly new here so any help is appreciated! Phil, I think you may be right - I echoed $query and it doesn't seem to be updating the ID field - any ideas why guys? – bingandbong Jun 20 '19 at 06:39
  • @SaschaM78 what if a user sends a POST request to `updatedatabase.php` a thousand times with an HTTP Request tool? The MySQL server will be very busy. – Raptor Jun 20 '19 at 09:18
  • @Raptor that would be a DDoS attack and would either block the database or HTTP server and that's nothing you can easily block. But I see your point, still I wouldn't say that the author of the question made general errors when it comes to escaping of variables. – SaschaM78 Jun 20 '19 at 09:21
  • I didn't say the escaping of variables has problems. – Raptor Jun 20 '19 at 09:25
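
The comments above raise three points: `$_SESSION['id']` may not be set, `mysqli_query()` returns true even when no row changed, and nothing limits repeated requests. The following version of `updatedatabase.php` is an added example, not the asker's or any commenter's code, that handles all three; the one-second interval and the `last_save` session key are assumptions.

```php
<?php
// Added example, not the code from the question.
session_start();
header('Content-Type: text/plain');

// An unset or non-numeric id would make the WHERE clause match nothing.
if (!isset($_SESSION['id']) || !ctype_digit((string) $_SESSION['id'])) {
    http_response_code(401);
    exit('failed: no user id in session');
}
if (!isset($_POST['content']) || !is_string($_POST['content'])) {
    http_response_code(400);
    exit('failed: no content posted');
}

// Refuse rapid repeats from the same session (interval is an assumed value).
$minInterval = 1.0; // seconds
$now = microtime(true);
if (isset($_SESSION['last_save']) && $now - $_SESSION['last_save'] < $minInterval) {
    http_response_code(429);
    exit('failed: saving too often');
}
$_SESSION['last_save'] = $now;

include 'connection.php'; // provides $link, as in the question

// Placeholders keep both values out of the SQL text, quoted or not.
$stmt = mysqli_prepare($link, 'UPDATE `users` SET `diary` = ? WHERE `id` = ? LIMIT 1');
if ($stmt === false) {
    http_response_code(500);
    exit('failed: could not prepare statement');
}
$content = $_POST['content'];
$id = (int) $_SESSION['id'];
mysqli_stmt_bind_param($stmt, 'si', $content, $id);
if (!mysqli_stmt_execute($stmt)) {
    http_response_code(500);
    exit('failed: query error');
}

// A query that ran is not the same as a row that changed. MySQL counts only
// rows whose value actually changed, so 0 can also mean "same text as stored".
$changed = mysqli_stmt_affected_rows($stmt);
echo $changed > 0 ? 'success' : 'no rows changed';
```

Because `footer.php` posts on every `input` event, a server-side interval like this will reject most keystrokes, so it is normally paired with a client-side delay before sending.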
