
I have a URL : http://webaddress.php?id=100

I am trying to insert the 'id' value of 100 into a column in my SQL table.

I have tried the following:

```php
$productid = $conn->real_escape_string($_POST['id']);

$insertsql = "INSERT INTO TableName(table column)
        VALUES('$productid')";
```

Can anyone advise on the correct approach? Thanks.

culldog88

  • It's not a POST, it's a GET – Grumpy Apr 02 '21 at 15:55
  • This is a `$_GET` argument, so read it as `$_GET['id']` or change your form to send `$_POST` data – biesior Apr 02 '21 at 15:56
  • Use PDO or prepared statements to [prevent sql injections](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). I think you need to show us more code: where do you declare your variable `$rating`? – Baracuda078 Apr 02 '21 at 15:57
  • **Warning!!!** Your code is open for [SQL injection](https://en.wikipedia.org/wiki/SQL_injection), please use [prepared statements](https://www.php.net/manual/en/pdo.prepared-statements.php) preferably with [PDO](https://www.php.net/manual/en/book.pdo.php) or [mysqli](https://www.php.net/manual/en/mysqli.prepare.php). – biesior Apr 02 '21 at 15:57

1 Answer

My comment was getting a bit long, so I'll post it as an answer.

Like others said: if you send a value with the URL to your script, you need to get it with `$_GET` instead of `$_POST`. To make sure the id is really a number you could use `(int)`, like `$productid = (int)$_GET['id'];`. The `(int)` will turn your variable into a number; if it's not a number it will return 0. So you could also make a check before your query that `$productID` is larger than 0, to prevent a lot of zeros in your database.

Also use the `isset` function, like `$productID = isset($_GET['id']) ? (int)$_GET['id'] : 0`, so if someone visits your URL without the parameter `id` they won't get an undefined error.

For your queries please use prepared statements or PDO to prevent SQL injection.

EDIT: On w3schools I found some nice explanations and examples about prepared statements and PDO; try to implement those examples into your own project.

Second EDIT: I was reading the example of prepared statements at the link I posted, and they make one small mistake in my opinion. After the `$stmt->execute()` they assume the data is inserted correctly. But to make sure the data is really inserted you should change that part into:

```php
// Check whether any rows were actually inserted into the database
if ($stmt->affected_rows > 0) {
  echo "New records created successfully";
}
```
Baracuda078

  • I would say *need to get it with $_GET OR $_POST*. In general, according to many CRUD rules, sending forms should be done with `method="post"` for security reasons (especially when working with sensitive data and/or wanting to *minimize* the risk of data manipulation by curious users). Let's say it's a rating system: it's easy to run a call like `domain.tld/rate.php?points=10000000` instead of just `100`. – biesior Apr 02 '21 at 16:13
  • @biesior I agree with you. Form data almost always needs to be posted, also to prevent the data from getting logged into server log files – Baracuda078 Apr 02 '21 at 16:14
  • "*prevent the data from getting logged into server log files*" that's what I meant writing about sensitive data. – biesior Apr 02 '21 at 16:16
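The question's insert rewritten the way the answer recommends (read `id` from `$_GET`, cast to `int`, reject 0, bind it in a mysqli prepared statement, then check `affected_rows`), as an added example that is not code from the question, the answer or w3schools. The connection details, the table name `TableName` and the column `product_id` are placeholders.

```php
<?php
// Added example: hardened version of the insert from the question.
// Connection details, table and column names are placeholders; replace with your own.
$conn = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
if ($conn->connect_error) {
    http_response_code(500);
    exit('Database connection failed');
}

// The value arrives in the query string (?id=100), so it lives in $_GET, not $_POST.
// isset() avoids an "undefined index" notice when the parameter is missing, and
// (int) forces a number: a non-numeric string becomes 0, which the check below rejects.
$productId = isset($_GET['id']) ? (int) $_GET['id'] : 0;
if ($productId <= 0) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// A prepared statement sends the value separately from the SQL text, so the
// parameter can never be parsed as SQL. 'i' binds it as an integer.
$stmt = $conn->prepare('INSERT INTO TableName (product_id) VALUES (?)');
if ($stmt === false) {
    error_log('Prepare failed: ' . $conn->error);   // keep details in the server log
    http_response_code(500);
    exit('Database error');                         // generic message for the client
}
$stmt->bind_param('i', $productId);

// execute() succeeding is not the same as a row being written, so check
// affected_rows as the answer's second edit suggests.
if ($stmt->execute() && $stmt->affected_rows > 0) {
    echo 'New record created successfully';
} else {
    error_log('Insert failed: ' . $stmt->error);
    http_response_code(500);
    echo 'Insert failed';
}

$stmt->close();
$conn->close();
```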