I am creating a database wherein users can select a title (search.php) and then the specific page for that title will be shown with its corresponding details (indiv.php).

They will be able to select a title from search.php and here is the code for the title link:

<?php echo '<a href="indiv.php?titleID=' . $row['titleID'] . '">'; ?>

Then the indiv.php will be able to show the details for that title based on the titleID they have selected from search.php. Here is the code for indiv.php:

<?php
   include "databaseconnect.php";

   // titleID arrives in the query string of the link from search.php;
   // after the comment form POSTs to indiv.php this key is absent, so $titleID is null
   $titleID = $_GET["titleID"];

   // "table" stands for the real table name; the value is interpolated straight into the SQL
   $sql = "SELECT titleID, authorsID, yearID
           FROM table
           WHERE titleID = '$titleID'";
   $result = $mysqli->query($sql);

   // returns null when the query failed or matched no row
   $row = mysqli_fetch_assoc($result);

   $mysqli->close();
?>

In this indiv.php, I also added a comment section form.

<form action="indiv.php" method="POST">
   <input type="text" name="nameID" placeholder="Enter your name" required>
   <textarea name="commentID" placeholder="Write your comment here" required></textarea>
   <input type="submit" name="submit" value="Post Comment">
</form>

The problem is, every time I try to submit a comment, the page refreshes and does not show its corresponding details (just shows an error - see below) because $titleID = $_GET["titleID"]; cannot fetch the titleID anymore from search.php but tries to find it in indiv.php because of my <form action="indiv.php" method="POST"> in the comment section. Is there a way to prevent this from happening? I want to still be able to show the details based on titleID even after posting a comment.

The error is: Notice: Trying to access array offset on value of type null in...

Thanks in advance! I am not familiar with PHP so I hope you can help me out.

louis
  • I don't know if I understood correctly, but maybe you need to set `action="indiv.php?titleID=' . $row['titleID'] . '"` – ciastekkkk Dec 23 '20 at 16:03
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 23 '20 at 16:05
  • `action="indiv.php?titleID="` would set the `titleid` for `indiv.php`. You are open to SQL injections with this code, parameterize your query. The `echo` might open you to XSS as well, use best practices there. You also could store the ID in a session variable or cookie... or output it to a hidden input, but then it'd be a `POST`, not `GET` – user3783243 Dec 23 '20 at 16:05
  • Or, use a hidden field in your form ``. When you process the form, just redirect using the ID. `header('Location: indiv.php?titleID=' . $_POST['titleId']);` – waterloomatt Dec 23 '20 at 16:06
  • @user3783243 what should I put after echo in ``? – louis Dec 23 '20 at 16:09
  • @waterloomatt this actually worked. thanks a lot!!! – louis Dec 23 '20 at 16:12
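The approach the comments converge on (a hidden field carrying `titleID` through the POST, then a redirect back to the GET URL) combined with the prepared statements and output escaping they also ask for, written out as one complete `indiv.php`. This is an added example, not the asker's code or code from any commenter. It assumes `databaseconnect.php` defines `$mysqli` as a `mysqli` connection with the mysqlnd driver (needed for `get_result()`), a table named `titles` with the columns `titleID`, `authorsID`, `yearID` from the question, and a `comments` table with columns `titleID`, `name`, `comment`; all of these names except the three columns are assumptions.

```php
<?php
// indiv.php (added example). Assumes databaseconnect.php defines $mysqli and that the
// tables `titles` (titleID, authorsID, yearID) and `comments` (titleID, name, comment) exist.
include "databaseconnect.php";
// Make mysqli throw on SQL errors instead of returning false, so a failed query
// cannot silently turn into "array offset on value of type null" further down.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape anything echoed into HTML; this is what stops stored comments and IDs
// from being interpreted as markup (XSS).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 1. Comment submission. The hidden field supplies titleID during the POST; after the
//    insert we redirect to the GET URL (POST-redirect-GET), so the details page reloads
//    with $_GET['titleID'] present again and a browser refresh does not re-post.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $titleID = filter_input(INPUT_POST, 'titleID', FILTER_VALIDATE_INT);
    $name    = trim($_POST['nameID'] ?? '');
    $comment = trim($_POST['commentID'] ?? '');
    if ($titleID === false || $titleID === null || $name === '' || $comment === '') {
        http_response_code(400);
        exit('Invalid form submission.');
    }
    // Prepared statement: user values are bound as parameters, never spliced into SQL text.
    $stmt = $mysqli->prepare("INSERT INTO comments (titleID, name, comment) VALUES (?, ?, ?)");
    $stmt->bind_param('iss', $titleID, $name, $comment);
    $stmt->execute();
    header('Location: indiv.php?titleID=' . urlencode((string) $titleID), true, 303);
    exit;
}

// 2. Details page. Validate titleID as an integer before it reaches the database.
$titleID = filter_input(INPUT_GET, 'titleID', FILTER_VALIDATE_INT);
if ($titleID === false || $titleID === null) {
    http_response_code(400);
    exit('Missing or invalid titleID.');
}
$stmt = $mysqli->prepare("SELECT titleID, authorsID, yearID FROM titles WHERE titleID = ?");
$stmt->bind_param('i', $titleID);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row === null) {
    http_response_code(404);
    exit('No such title.');
}
$mysqli->close();
?>
<p>Title ID: <?= h((string) $row['titleID']) ?></p>
<p>Author ID: <?= h((string) $row['authorsID']) ?></p>
<p>Year: <?= h((string) $row['yearID']) ?></p>

<form action="indiv.php" method="POST">
   <!-- hidden field carries titleID through the POST, as suggested in the comments -->
   <input type="hidden" name="titleID" value="<?= h((string) $titleID) ?>">
   <input type="text" name="nameID" placeholder="Enter your name" required>
   <textarea name="commentID" placeholder="Write your comment here" required></textarea>
   <input type="submit" name="submit" value="Post Comment">
</form>
```

The link on search.php keeps working unchanged with this file, since the GET branch still reads `titleID` from the query string. Treating the ID as an integer at both entry points means a non-numeric or missing value is rejected with a 400 before any query runs, which also removes the original null-row notice.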

0 Answers