
I'm trying to make a "reject" button with which I can reject users' cards and also store a message in my database that I'll show them on another page. My problem is that if I add the input value to my 'update' command, it stops working.

<?php
if(isset($_POST['reject'])){
    $id = $_POST['rejecttext'];
    $allowed = mysqli_query($conn," UPDATE cards SET visibility = '1', confirmed = '2', rejecttext = {$_POST['rejecttext']} WHERE id = '$id' ");
}
?>
<form action="" method="POST">
    <input value="<?php echo $record['id']; ?>" name="id" style="display: none;">
    <input type="submit" class="btn btn-success" name="accept"/>
    <input type="submit" class="btn btn-danger" name="reject"/>
    <input type="text" id="rejecttext" name="rejecttext">
</form>

Without this part, rejecttext = {$_POST['rejecttext']}, everything works fine.

Shaharia Azam
MowerQQ
  • What do you mean by it stops working? Is there any error message? Also, this might help answer your question: https://stackoverflow.com/questions/8893551/update-query-php-mysql. EDIT: you might be missing quotes? ``` rejecttext = "{$_POST['rejecttext']}" ``` – porsekin Feb 26 '20 at 21:27
  • Yes, I missed quotes and also missed this part ```$rejecttext = $_POST['rejecttext'];``` Thanks for your fast help. – MowerQQ Feb 26 '20 at 21:31
  • This is open to a serious SQL injection; use a prepared statement. – Funk Forty Niner Feb 26 '20 at 21:38
  • Is it open even if no one but admins can reach this site? – MowerQQ Feb 26 '20 at 21:43

1 Answer

You are missing quotes. Your query should look like this:

$allowed = mysqli_query($conn," UPDATE cards SET visibility = '1', confirmed = '2', rejecttext = '{$_POST['rejecttext']}' WHERE id = '$id' ");

As others have already mentioned, it is not really safe. You should consider using prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

porsekin
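The prepared-statement version of the UPDATE from the question, as an added example (not code from the question or the answer). It assumes $conn is an open mysqli connection and the form shown in the question, with the hidden "id" field identifying the card and "rejecttext" carrying the message.

```php
<?php
// Added example: the rejection UPDATE as a mysqli prepared statement.
// Assumes $conn is an open mysqli connection and the form from the question
// (fields "id" and "rejecttext", plus the "reject" submit button).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (isset($_POST['reject'])) {
    // Read both values from the form. The hidden "id" field, not "rejecttext",
    // identifies the card; like every request field it is client-controlled,
    // so it is bound as an integer rather than pasted into the query string.
    $id         = (int) ($_POST['id'] ?? 0);
    $rejecttext = (string) ($_POST['rejecttext'] ?? '');

    // Placeholders keep the values out of the SQL text: quotes or SQL fragments
    // typed into the text box are stored as data and never parsed as SQL, which
    // also fixes the "missing quotes" breakage from the original query.
    $stmt = $conn->prepare(
        "UPDATE cards SET visibility = '1', confirmed = '2', rejecttext = ? WHERE id = ?"
    );
    $stmt->bind_param('si', $rejecttext, $id);   // s = string, i = integer
    $stmt->execute();

    if ($stmt->affected_rows === 0) {
        // No card with that id: the hidden field was altered or the card no longer exists.
        error_log("reject: no card updated for id=$id");
    }
    $stmt->close();
}
```

The prepared statement addresses the injection, not authorization: the page must still verify that the current user is allowed to reject the card named in "id", since an admin-only page still receives whatever id the browser sends.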