
I have two PHP files, one where the user searches for a product by typing the id:

```html
<form method="post">
<input type="text" name="search">
<input type="submit" name="submit" value="Search">
</form>
```

In the second file I would like to use the "id" from file1 to update the product, so I used a session and put session_start(); at the beginning of the file:

```php
<?php
session_start();
/*
plugin name: Update quantity of product
description: update quantity of product by its id
*/

$path = preg_replace('/wp-content.*$/','',__DIR__);
require_once($path.'/wp-load.php');

function update_product(){

?>
<form >
<p> Are you sure you want to add one product ?</p>
<input type="submit" name="update" class="update" value="Yes">
<a href="javascript:top.close();"><input type='button' value='Cancel' /></a>
</form>
<?php

    $_SESSION["id"] = $_POST["search"];
    $num = $_SESSION["id"];

    $connect = new PDO("mysql:host=localhost;dbname=dbs",'root','');

    echo $num; // It works
    if (isset($_POST["update"])) {
        try {
            $connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $statement = $connect->prepare("update `product` set qt = qt + 1 WHERE id_product= '$num'");
            // $num value is lost
            $statement->execute();
            if ($statement) {
                echo "Product updated";
            }
        } catch (PDOException $error) {
            $error->getMessage();
        }
    }
}
add_shortcode('update_product','update_product');
?>
```

The problem is that the value $num is lost after the condition `if (isset($_POST["update"]))`. If I replace $num with a number it works fine. If I remove the condition it also works fine. I tried to store the value in a string $query before the condition like so:

```php
$query ="update `product` set qt = qt + 1 WHERE id_product= '$num'";
```

and store $num in another variable, then use it after the condition like this:

```php
$v = $num; // then use $v instead of $num
```

None of them work.

EDIT
I tried to pass the variable using hidden input but it didn't solve the problem

Al Ma
  • `if (isset($_POST["update"])) {` will never trigger because your `<form>` is using `GET` – brombeer Jan 01 '22 at 11:50
  • But I've precised – Al Ma Jan 01 '22 at 11:54
  • Not in your `update` form – brombeer Jan 01 '22 at 11:55
  • Yes, you're right! I'll edit it – Al Ma Jan 01 '22 at 11:56
  • Actually, if I replace $num with a number, it updates the value successfully – Al Ma Jan 01 '22 at 12:00
  • **Warning!** You're open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Jan 01 '22 at 12:17
  • Well I wasn't aware of this, thank you! – Al Ma Jan 01 '22 at 12:21
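
The two-request flow and the bound-parameter query discussed in the comments above, as an added example that is not part of the original question or its comments. `handle_request()` is a hypothetical helper, `$post` and `$session` stand in for `$_POST` and `$_SESSION`, and an in-memory SQLite database with one constructed row replaces the MySQL database from the question so the script runs offline.

```php
<?php
declare(strict_types=1);

// handle_request() is a hypothetical helper; $post and $session stand in for
// $_POST and $_SESSION so the two-request flow can be replayed offline.
function handle_request(PDO $db, array $post, array &$session): string
{
    // Request 1: the search form was submitted. Store the id only now, and only
    // if it is a positive integer; later requests must not overwrite it.
    if (isset($post['search'])) {
        $id = filter_var($post['search'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            unset($session['id']);
            return 'Invalid product id';
        }
        $session['id'] = $id;
        return "Confirm update of product $id";
    }

    // Request 2: the confirmation form (sent with method="post") carries no
    // "search" field, so the id has to come from the session.
    if (isset($post['update'])) {
        if (!isset($session['id'])) {
            return 'No product selected';
        }
        // Bound parameter: the value travels separately from the SQL text.
        $stmt = $db->prepare('UPDATE product SET qt = qt + 1 WHERE id_product = :id');
        $stmt->bindValue(':id', $session['id'], PDO::PARAM_INT);
        $stmt->execute();
        // A successful execute() does not prove a row matched; check rowCount().
        return $stmt->rowCount() === 1 ? 'Product updated' : 'No such product';
    }
    return 'Nothing to do';
}

// Constructed demo data (table and column names are taken from the question).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE product (id_product INTEGER PRIMARY KEY, qt INTEGER NOT NULL)');
$db->exec('INSERT INTO product VALUES (7, 3)');

$session = [];
echo handle_request($db, ['search' => '7', 'submit' => 'Search'], $session), "\n";
echo handle_request($db, ['update' => 'Yes'], $session), "\n";
echo handle_request($db, ['search' => "7'"], $session), "\n"; // constructed input with a quote
echo 'qt = ', $db->query('SELECT qt FROM product WHERE id_product = 7')->fetchColumn(), "\n";
```

In the question's code, `$_SESSION["id"] = $_POST["search"];` runs on every request, so the confirmation request, which has no `search` field, replaces the stored id with null before the query is built.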
