<?php
session_start();

require 'db-conn.php'; // provides $conn (mysqli connection)

// Both user ids come straight from the request.
$u1 = $_POST['ricevente'];
$u2 = $_POST['richiedente'];

if(isset($_POST['accetta'])){

    // Accept the friend request, then record a notification for it.
    $sql = "UPDATE amici SET amicizia=1 WHERE utenteDue='$u2' AND utenteUno = '$u1';";
    $sql55 = "INSERT INTO notifiche (idRichiedente, idRicevente, tipoNotifica) VALUES ('$u2', '$u1', '2');";

    // The return values are never checked, so a failed query goes unnoticed.
    $result55 = $conn->query($sql55);
    $result = $conn->query($sql);

}elseif(isset($_POST['rifiuta'])){

    // Reject the friend request by removing the row.
    $sql = "DELETE FROM amici WHERE utenteDue='$u2' AND utenteUno = '$u1'";

    $result = $conn->query($sql);

}else echo "Si è verificato un errore";

This is my code, it only computes the $sql variable while not the $sql55. Can you please tell me why? The variables are fine and just okay (the first query goes well).

  • What if the $sql55 variable contains an invalid query? Add mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); at the top of your code or even better use PDO with prepared statements – Frank B May 08 '20 at 21:17
  • Your code is vulnerable to SQL Injection. See https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Elias Soares May 08 '20 at 21:17
  • Also your second query is probably invalid, so an error occurs and you are not checking if it worked or not. – Elias Soares May 08 '20 at 21:19

1 Answer

You are inserting post data directly into your query instead of using prepared statements; this is highly undesirable.

When should I use prepared statements?

https://www.php.net/manual/en/pdo.prepared-statements.php

But if you must do it this way, you need to concat the values into your query string as such ...

$sql55 = "INSERT INTO notifiche (idRichiedente, idRicevente, tipoNotifica) VALUES ('".$u2."', '".$u1."', '2');";
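As an added example (not the asker's or the answerer's code), here are the same three queries rewritten with mysqli prepared statements and strict error reporting, so a failing INSERT raises an exception instead of silently returning false and the user-supplied ids can no longer alter the SQL. It assumes $conn is the mysqli object created by db-conn.php and that the table and column names are exactly as in the question.

```php
<?php
// Added example: prepared statements + strict error reporting for the
// accept/reject handler from the question. Assumes $conn is a mysqli object.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // any SQL error throws
session_start();
require 'db-conn.php';

$u1 = $_POST['ricevente'] ?? '';
$u2 = $_POST['richiedente'] ?? '';
$inTransaction = false;

try {
    if (isset($_POST['accetta'])) {
        // Accepting means two writes; wrap them so both happen or neither does.
        $conn->begin_transaction();
        $inTransaction = true;

        // Placeholders replace the interpolated '$u2' / '$u1' from the original.
        $stmt = $conn->prepare(
            "UPDATE amici SET amicizia = 1 WHERE utenteDue = ? AND utenteUno = ?"
        );
        $stmt->bind_param('ss', $u2, $u1);
        $stmt->execute();

        $stmt = $conn->prepare(
            "INSERT INTO notifiche (idRichiedente, idRicevente, tipoNotifica) VALUES (?, ?, '2')"
        );
        $stmt->bind_param('ss', $u2, $u1);
        $stmt->execute();

        $conn->commit();
        $inTransaction = false;
    } elseif (isset($_POST['rifiuta'])) {
        $stmt = $conn->prepare(
            "DELETE FROM amici WHERE utenteDue = ? AND utenteUno = ?"
        );
        $stmt->bind_param('ss', $u2, $u1);
        $stmt->execute();
    } else {
        echo "Si è verificato un errore";
    }
} catch (mysqli_sql_exception $e) {
    if ($inTransaction) {
        $conn->rollback(); // undo the UPDATE if the INSERT failed
    }
    // Log the real reason server-side; never echo SQL errors to the client.
    error_log('friend request handler failed: ' . $e->getMessage());
    echo "Si è verificato un errore";
}
```

With MYSQLI_REPORT_STRICT enabled, the reason the original $sql55 never ran (for example a column type mismatch or a typo in the table name) is reported in the log instead of being lost.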