-1

I'm working on a like/dislike rating system in PHP.

// if user clicks like or dislike button
if (isset($_POST['action'])) {
    if (isset($_SESSION['uid'])) {
        $action = $_POST['action'];
        switch ($action) {
            case 'like':
                $sql = "INSERT INTO rating (uid, pid, action) 
                VALUES ($uid, $pid, 'like') 
                ON DUPLICATE KEY UPDATE action='like'";
                break;
            case 'dislike':
                $sql = "INSERT INTO rating (uid, pid, action) 
                VALUES ($uid, $pid, 'dislike') 
                ON DUPLICATE KEY UPDATE action='dislike'";
                break;
            case 'unlike':
                $sql = "DELETE FROM rating WHERE uid=$uid AND pid=$pid";
                break;
            case 'undislike':
                $sql = "DELETE FROM rating WHERE uid=$uid AND pid=$pid";
                break;
            default:
                break;
        }
        // execute query to effect changes in the database ...
        mysqli_query($con, $sql);
        echo getRating($pid);
        exit(0);
    } else {
        header("location:login.php");
    }
}

If a user is logged in it works fine, but when the user is not logged in the else part, which contains the PHP header() call, is not working: it shows no error and does not even insert data into the database.

If there is another alternative, please do tell.

Devil
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 30 '21 at 11:10
  • Any other HTML/PHP content before the `header()` call? – brombeer Aug 30 '21 at 11:23
  • No, nothing before this script. – Devil Aug 30 '21 at 11:26

1 Answer

0

Cannot guarantee this is the answer exactly --- will remove if not useful

I think it could be a malformed header: capitalization and space. header("location:login.php") should be

header("Location: login.php");

Check the manual here for header Location examples.

See MDN for a clear example of header syntax.

EDIT: Since you said it still didn't work, it is likely that your SESSION is always set. You should debug your SESSION handling code.

GUEST
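As an added illustration (not code from the question or the answer above), here is the same handler rewritten with the points raised on this page: session_start() before $_SESSION is read, a correctly formed Location header followed by exit, and MySQLi prepared statements instead of values interpolated into the SQL. $con, getRating() and the rating table's columns come from the question; it is assumed that the post id arrives as $_POST['pid'] and that rating has a unique key on (uid, pid), which ON DUPLICATE KEY UPDATE already relies on.

```php
<?php
// Added example: hardened version of the like/dislike handler from the question.
// Assumes $con is an open mysqli connection, getRating($pid) exists, and the
// `rating` table has a UNIQUE KEY on (uid, pid) so ON DUPLICATE KEY UPDATE applies.
session_start(); // must run before $_SESSION can be read

if (isset($_POST['action'])) {
    if (!isset($_SESSION['uid'])) {
        // Space after the colon and the exit are what make the redirect reliable:
        // without exit, the script keeps running after the header is sent.
        header('Location: login.php');
        exit;
    }

    $uid = (int) $_SESSION['uid'];
    // Assumption: the post id is submitted with the form; reject anything non-numeric.
    $pid = filter_input(INPUT_POST, 'pid', FILTER_VALIDATE_INT);
    if ($pid === false || $pid === null) {
        http_response_code(400);
        exit;
    }

    // Only the four known actions are accepted; anything else is rejected.
    $action = $_POST['action'];
    if ($action === 'like' || $action === 'dislike') {
        $stmt = mysqli_prepare(
            $con,
            'INSERT INTO rating (uid, pid, action) VALUES (?, ?, ?) '
            . 'ON DUPLICATE KEY UPDATE action = ?'
        );
        mysqli_stmt_bind_param($stmt, 'iiss', $uid, $pid, $action, $action);
    } elseif ($action === 'unlike' || $action === 'undislike') {
        $stmt = mysqli_prepare($con, 'DELETE FROM rating WHERE uid = ? AND pid = ?');
        mysqli_stmt_bind_param($stmt, 'ii', $uid, $pid);
    } else {
        http_response_code(400);
        exit;
    }

    // Values are sent separately from the SQL text, so user input can never
    // change the structure of the query.
    if (!mysqli_stmt_execute($stmt)) {
        http_response_code(500);
        exit;
    }
    mysqli_stmt_close($stmt);

    echo getRating($pid);
    exit;
}
```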