
Okay so I'm trying to create a Leave a Review system on my products. Right now I have a table with products and reviews.

Product table: [screenshot in original post]

Review table: [screenshot in original post]

So I created a page called product.php so when people click on View Product, for example, it goes to localhost/shop/product.php?id=6

And now when I'm there, I created a "Leave a Review" form, where people can post a review just for the product with ID 6.

So this is what I tried so far...

On top of my product.php I have the following code, that shows the product things.

<?php
$id = $_GET['id'];
$query = mysqli_query($conn, "SELECT * FROM products WHERE productId='$id'");
while ($row = mysqli_fetch_array($query)) {
?>

At the end of my page I have the review code: [I have value=$id that is not working, don't know why]

<?php
    $id = $_GET['id'];
    $query = mysqli_query($conn, "SELECT * FROM reviews WHERE productId='$id' LIMIT 2");
    while ($row = mysqli_fetch_array($query)) {
?>

This is my form for leaving a review:

<form action="addReview.php" method="POST">
    <div class="form-group">
        <input type="hidden" name="productId" value="$id">
    </div>
    <div class="form-group">
        <label for="nameInput">Your Name</label>
        <input type="text" class="form-control" id="nameInput" name="fullname" placeholder="Your Name">
    </div>
    <div class="form-group">
        <label for="emailInput">Your Email</label>
        <input type="email" class="form-control" name="email" id="emailInput" placeholder="Your E-mail">
    </div>
    <div class="form-group">
        <label for="message">Product Review</label>
        <textarea class="form-control" id="message" name="message" placeholder="Leave a product review"></textarea>
    </div>
    <button type="submit" class="btn btn-primary">Submit</button>
</form>

This is the addReview.php file:

<?php

$dbc = mysqli_connect("localhost", "root", "", "shop");

$reviewId = $_POST['reviewId'];
$productId = $_POST['productId'];
$name = $_POST['name'];
$email = $_POST['email'];
$content = $_POST['content'];
$created_at = $_POST['created_at'];

$sql = "INSERT INTO reviews (reviewId,productId,name,email,content,created_at) VALUES
('$reviewId','$productId','$name','$email','$content','$created_at')";

if(!mysqli_query($dbc,$sql)){
    echo 'Review not added!';
} else {
    echo 'Review added!';
}

header("refresh:1; url=product.php?id=$id");
?>

So here is the problem.

When I submit the form, it goes to the DB, but under productId it's 0, and the review is not displaying. Any clues on how I can solve this? Thanks in advance.

  • You do not have any ` – RiggsFolly Mar 24 '20 at 17:57
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's instead of concatenated values – RiggsFolly Mar 24 '20 at 17:59
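Addressing both the question (productId stored as 0) and the prepared-statement comment above, here is an added example handler that is not the asker's code: the hidden field in product.php has to be emitted by PHP as `<input type="hidden" name="productId" value="<?php echo (int)$id; ?>">` rather than the literal text `$id`, and the handler below binds parameters instead of concatenating them and reads the form's actual field names (`fullname`, `message`). It assumes `reviewId` is AUTO_INCREMENT and `created_at` is filled by the database, so neither is taken from the request.

```php
<?php
// addReview.php (added example, not the asker's code).
// Assumes the form fields from the question: productId, fullname, email, message.
// Assumes reviews.reviewId is AUTO_INCREMENT and created_at is set server-side.

$dbc = mysqli_connect("localhost", "root", "", "shop");
if (!$dbc) {
    http_response_code(500);
    exit('Database connection failed');
}

// Validate productId as a positive integer. The literal text "$id" that the
// broken hidden field sends fails this check instead of being coerced to 0.
$productId = filter_input(INPUT_POST, 'productId', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$name    = trim($_POST['fullname'] ?? '');
$email   = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$content = trim($_POST['message'] ?? '');

if (!$productId || $name === '' || !$email || $content === '') {
    http_response_code(400);
    exit('Review not added: missing or invalid fields');
}

// Prepared statement with bound parameters: user input never becomes part of
// the SQL text, which closes the injection hole pointed out in the comments.
$stmt = mysqli_prepare($dbc,
    "INSERT INTO reviews (productId, name, email, content, created_at) VALUES (?, ?, ?, ?, NOW())");
if (!$stmt) {
    http_response_code(500);
    exit('Review not added!');
}
mysqli_stmt_bind_param($stmt, "isss", $productId, $name, $email, $content);
$ok = mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Send the redirect header before any output; $productId is a validated int,
// so it is safe to place in the URL.
header("Refresh: 1; url=product.php?id=" . $productId);
echo $ok ? 'Review added!' : 'Review not added!';
```

If your MySQL server runs in strict mode the original INSERT would have been rejected with "Incorrect integer value" rather than storing 0, so the validation step above also gives a clear error in both configurations.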
