-2

So in the start of my file i am get the Id of my product, so i can differ between products and store data correctly. Thats my php:

<?php 
if(isset($_GET['dish_did']))
{
    //get food id
    $dish_did = $_GET['dish_did'];

    //get data
    $sql = "SELECT * FROM dish WHERE did=$dish_did";

    //execute
    $res = mysqli_query($link, $sql);

    //count rows
    $count = mysqli_num_rows($res);

    //check whether the data is available or not
    if($count==1)
    {
        //we have data 
        //get from database
        $row = mysqli_fetch_assoc($res);
        $nom = $row['nom'];
        $description = $row['description'];
        $last_rating = $row['last_rating'];
        }
    else{
        //not availible
        header("location: error.php");
    }
}
else{
    header("location: rate.php");
}    
?>

After some HTML i have the following POST. I use this to save the data entered by the user in an other table (different table than dish).

<?php

//check whether submit clicked
if(isset($_POST['submit']))
{
    //get all details

    $dish_id = $_POST['dish.did'];

    $review_date = date("Y-m-d h:i:sa"); //Rating Date

    $user_review = $_POST['RatingLong'];

    //save in database
    //Create SQL to save data

    $sql2 = "INSERT INTO review SET
    user_review = '$user_review',
    review_date = '$review_date',
    dish_id = '$dish_id'
    ";


    //Execute the Query
    $res2 = mysqli_query($link, $sql2);

    //check wether query executed successfully or not

    if($res2==true)
    {

        //Query Executed and Review Saved
        $_SESSION['review'] = "<div class='success'>Review Successfull.</div>";
        // header('location:'.SITEURL);
    }
    else{
        //Failed to save review
        $_SESSION['review'] = "<div class='success'>Error.</div>";
        // header('location:'.SITEURL.'about.php');
    }

}


?>

Without the dish_id i am able to store data, but they aren´t assigned (so useless). I am not sure how i can link the id correct, to be saved. I have seperate links for every product by id: http://localhost/Project/index.php?dish_did=2 for example.

What i have to change, that user_review and review_date is stored correctly with the same dish_id (table review) as dish_did (table dish).

ADDITIONAL QUESTION:

how can i comment ?

edit:

added rate.php code and database

<?php

                $sql = "SELECT * FROM dish WHERE hide ='1'";

                $res = mysqli_query($link, $sql);

                $count = mysqli_num_rows($res);

                if($count>0)
                {
                    echo'<div class="row">';

                    while($row=mysqli_fetch_assoc($res))
                    {
                        $did = $row['did'];
                        $nom = $row['nom'];
                        $description = $row['description'];
                        $last_rating = $row['last_rating'];
                        
                    ?>
                    <div class="mb-4"></div>
                            <!-- <div class="row"> -->
                            <div class="col-md-3">
                                <div class="thumbnail">
                                    <a href="index.php">
                                        <img src="img/gallery/01.jpg" class="rounded-top">
                                    </a>
                                    <h4 class="text-center my-3"><?php echo $nom; ?></h4>
                                    <p class="text-center"><?php echo $description; ?></p>
                                    <a href="<?php echo SITEURL; ?>index.php?dish_did=<?php echo $did; ?>" class="btn btn-success" role="button">Jetzt Bewerten!</a>
                                <!-- </div> -->
                            </div>
                            </div>

                            <?php
                    }
                

                }
                else{

                    echo "<div class='error'>Food not available.</div>";
                }
                ?>

Here my database:

create table users
(
uid int primary key AUTO_INCREMENT,
username varchar(25),
password varchar(25),
created_at date,
score int
);
create table dish
(
did int primary key AUTO_INCREMENT,
nom varchar(25),
description varchar(250),
last_rating int,
hide int DEFAULT 0 NOT NULL
);
create table review
(
review_id int primary key AUTO_INCREMENT,
user_id int ,
dish_id int ,
user_rating int ,
user_reveiw varchar(100),
review_date datetime,
foreign key (user_id) references users(uid),
foreign key (dish_id) references dish(did)
);
michi
  • 284
  • 1
  • 4
  • 21
  • If you send POST body, you can use `var_dump($_POST)` to see data format. (your `dish.did` need has POST key name is that) – UioSun Mar 05 '22 at 00:35
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Mar 05 '22 at 11:31

1 Answers1

0

I found the issue. It has to be this GET:

$dish_did = $_GET['dish_did'];

And this is the correct sql Statement:

$sql2 = "INSERT INTO review SET
    dish_id = '$dish_did',
    user_review = '$user_review',
    review_date = '$review_date'
    ";

In summary, I was in trouble because of my designations. I took the wrong ID, it must be $dish_did

michi
  • 284
  • 1
  • 4
  • 21