4

I want to add a simple rating system to my random video site (id = YouTube id).
I don't have much experience with PHP and MySQL and I'm not sure how to update a field using submit buttons in this way:

```php
<form action="<?php echo $_SERVER['PHP_SELF'] ?>" method="post" name="rateform">
  <input name="rateup" type="image" src="up.png" id="rateup" value="rateup" />
  <input name="ratedown" type="image" src="down.png" id="ratedown"
   value="ratedown" />
</form>
<?PHP
mysql_connect(",",",",",")or die(mysql_error());
mysql_select_db(",")or die(mysql_error());
if ($_POST['rateup'])
{
    mysql_query("UPDATE utube SET rating = rating + 1 
                WHERE (id = $pageid)");
} else if ($_POST['ratedown']) {
    mysql_query("UPDATE utube SET rating = rating - 1 
                WHERE (id = $pageid)");
}

?>
```

Is there something I have to do to link the html and php together?
All of the statements return the correct values by themselves (i.e. $pageid)
but when I press the buttons there is nothing happening to any fields.

When I put the mysql query directly into phpmyadmin it also works,
I'm just not sure about how the html communicates with the php?
I'd appreciate if someone were to inform me of how this works so I can get my script to work.

Johan
blodey
  • Where does `$pageid` come from? – mario Apr 28 '11 at 14:33
  • there's a possible SQL-injection in your code, replace `WHERE (id = $pageid)"` with `WHERE (id = '$pageid')"` _(note the quotes)_ and make sure $pageid is escaped with mysql_real_escape_string(), see: http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain – Johan Apr 28 '11 at 14:49
  • @mario @Johan Oh wow, I feel stupid for this. $pageid needed to be in quotes as it was a varchar string. Adding quotes fixed everything and now rating works. $pageid just returns a random value from my id table (so that every refresh gives a random video to watch.) I'll take a look into fixing the sql injections, thanks again! – blodey Apr 28 '11 at 15:03

3 Answers

2

Let's start finding the problem: I can only imagine two reasons for this:

  • PHP is not connecting to the DB. Try executing the query directly from your script (taking it out of the if statement).
  • The if statement is wrong for some reason: Try replacing the mysql_query with print('up'); and print('down');

By the way, else if is a one-word-statement. You can replace it with elseif.

joostdevries
  • Thanks a lot for that, it helped me to identify the problem. There is definitely something wrong with the mysql_query I made. – blodey Apr 28 '11 at 14:57
0
```php
<?PHP
mysql_connect("hostname","username","password")or die(mysql_error());
mysql_select_db("dbname")or die(mysql_error());
if ($_POST['rateup'])
{
    mysql_query("UPDATE utube SET rating = rating + 1 
                WHERE (id = $pageid)");
} else if ($_POST['ratedown']) {
    mysql_query("UPDATE utube SET rating = rating - 1 
                WHERE (id = $pageid)");
}

?>
```
0

Image buttons post the clicked coordinate values rather than the form name: `inputname_x` & `inputname_y`.

```php
if ($_POST['rateup_x'])
{
    mysql_query("UPDATE utube SET rating = rating + 1 
      WHERE (id = $pageid)");
} else if ($_POST['ratedown_x']) {
    mysql_query("UPDATE utube SET rating = rating - 1 
      WHERE (id = $pageid)");
}
```
Johan
arch
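
An added example, not part of the thread: it combines the two points raised above, the `_x`/`_y` fields an image button posts and the SQL injection warning, using a PDO prepared statement in place of the `mysql_*` calls (that extension was removed in PHP 7). The in-memory SQLite database, the function names `voteDelta` and `applyVote`, and the sample ids are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread). Assumes PDO with the SQLite driver;
// table and column names follow the question, the rows are constructed.

// Map the posted fields to +1 / -1. Image inputs arrive as name.x / name.y
// click coordinates, and PHP turns the "." into "_" (rateup_x, rateup_y).
function voteDelta(array $post): int
{
    if (isset($post['rateup_x']) || isset($post['rateup'])) {
        return 1;
    }
    if (isset($post['ratedown_x']) || isset($post['ratedown'])) {
        return -1;
    }
    return 0; // no vote button in this request
}

// Apply the vote with bound parameters; returns the number of rows changed.
function applyVote(PDO $db, string $pageId, int $delta): int
{
    if ($delta === 0) {
        return 0;
    }
    $stmt = $db->prepare(
        'UPDATE utube SET rating = rating + :delta WHERE id = :id'
    );
    $stmt->bindValue(':delta', $delta, PDO::PARAM_INT);
    $stmt->bindValue(':id', $pageId, PDO::PARAM_STR); // sent as data, never as SQL
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed database standing in for the real MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE utube (id VARCHAR(16) PRIMARY KEY, rating INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO utube (id, rating) VALUES ('vid-AAAA0001', 5), ('vid-BBBB0002', 5)");

// Constructed request: a click on the "up" image button.
$post = ['rateup_x' => '12', 'rateup_y' => '7'];
var_dump(applyVote($db, 'vid-AAAA0001', voteDelta($post)));

// Constructed hostile-looking id: it is compared as a plain string,
// so no row matches and the other ratings stay untouched.
var_dump(applyVote($db, "x' OR '1'='1", voteDelta($post)));

print_r($db->query('SELECT id, rating FROM utube ORDER BY id')->fetchAll(PDO::FETCH_KEY_PAIR));
```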