
I created an HTML form to update my posts. I used the header() function to redirect to the updated page so I can see the changes, but I want to echo a message on the redirected page. I have tried this code, but it only works on the same page, not on the redirected page.

<?php
$query_2 = "UPDATE posts SET post_image = '$post_image' WHERE post_id = $post_id ";
    $query_2 .= "AND LENGTH('$post_image') > 0 AND post_image <> '$post_image' ";

    $editPostImg = mysqli_query($connection, $query_2); 

    if (!$editPostImg) {
        die("Something went wrong.<br>" . mysqli_error($connection));  
    }        

    header("Location: posts.php?source=edit_posts&p_id=$post_id");

    echo "<p class='alert alert-success'><strong>Post Updated!</strong> <a href='../post.php?p_id=$post_id' class='alert-link' target='blank'>View Post</a><a href='' class='close' data-dismiss='alert'>x</a></p>";
}    
?>
Dharman
Praveen Kumar
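  • add this: `echo "<p class='alert alert-success'><strong>Post Updated!</strong> <a href='../post.php?p_id=$post_id' class='alert-link' target='blank'>View Post</a><a href='' class='close' data-dismiss='alert'>x</a></p>";` on the `posts.php` page, where you are trying to redirect at the beginning. – Serghei Leonenco May 28 '20 at 06:14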
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman May 28 '20 at 10:03

1 Answer


After the following line of code:

header("Location: posts.php?source=edit_posts&p_id=$post_id");

the user will be redirected to the new page and won't see the code that is executed after the header directive. To display the message you have to submit the message as a GET or POST parameter; the first option will be the easier one.

As @Dharman mentioned, your code is wide open to SQL injection and should use parameterized prepared statements. You could use PDO or MySQLi. I built a solution with PDO, but it is up to you.

Thus, you could adjust your script as follows:

<?php

try{

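    //Create new PDO Object
    $conn = new PDO("mysql:host=HOST;port=PORT;dbname=DBNAME", USERNAME, PASSWORD);

    //Throw exceptions on database errors so the catch block below handles them
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    //Define query ($conn is a local variable here, not a class property)
    $query = $conn->prepare("UPDATE posts SET post_image = :postimage WHERE 
    post_id = :postid AND LENGTH(post_image) > 0 AND post_image <> :postimage");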
    $query->bindValue("postimage", $post_image);
    $query->bindValue("postid", $post_id);
    $query->execute();

    //Redirect user and add success message as GET parameter
    header("Location: posts.php?source=edit_posts&p_id=$post_id&update=success");

    //Make sure script is terminated
    exit();

}  catch(Exception $ex){

   //Log error
   error_log($ex->getMessage());

   //Show user custom error message
   echo "Something went wrong";

   //Make sure script is terminated
   exit();
}
?>

On the target page (posts.php) you could then insert a code snippet as follows:

<?php 

if(isset($_GET['update']) && $_GET['update'] == "success"){
    echo "<p class='alert alert-success'><strong>Post Updated!</strong> <a href='../post.php?p_id=$post_id' class='alert-link' target='blank'>View Post</a><a href='' class='close' data-dismiss='alert'>x</a></p>";
}

?>


Praveen Kumar
M4SX5
  • I just focused on displaying the message and therefore didn't look at the SQL code. That was bad advice from me. Thanks for pointing this out @Dharman. I corrected the code. – M4SX5 May 28 '20 at 12:04
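
An added example, not part of the original answer or its comments: one way posts.php could handle the `update` flag and `p_id` that arrive in the redirect URL, treating both as untrusted input before they reach the HTML. The helper name `render_update_notice` and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the original answer): hardened handling of the
// redirect parameters on posts.php. render_update_notice() is a hypothetical helper.

/**
 * Build the "Post Updated!" alert from query-string values.
 * Returns an empty string unless update=success and p_id is a positive integer.
 */
function render_update_notice(array $get): string
{
    // Only the exact flag set by the redirect triggers the message.
    if (($get['update'] ?? '') !== 'success') {
        return '';
    }

    // p_id comes from the URL, so accept it only if it is an integer >= 1.
    $postId = filter_var(
        $get['p_id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($postId === false) {
        return '';
    }

    // Encode the value for the URL, then escape the href for the HTML attribute.
    $href = htmlspecialchars(
        '../post.php?p_id=' . rawurlencode((string) $postId),
        ENT_QUOTES,
        'UTF-8'
    );

    return "<p class='alert alert-success'><strong>Post Updated!</strong> "
        . "<a href='{$href}' class='alert-link' target='_blank' rel='noopener'>View Post</a>"
        . "<a href='' class='close' data-dismiss='alert'>x</a></p>";
}

// Constructed sample requests (not real traffic); on posts.php pass $_GET instead.
$samples = [
    ['update' => 'success', 'p_id' => '42'],              // well-formed redirect
    ['update' => 'success', 'p_id' => "42' onclick='x"],  // non-integer p_id
    ['update' => 'done',    'p_id' => '42'],              // unexpected flag value
];
foreach ($samples as $sample) {
    var_dump(render_update_notice($sample));
}
```

Because `update=success` travels in the URL, anyone can craft a link that shows the notice, so it should only ever drive a cosmetic message and never a decision about whether the update actually happened.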