
The scenario is: I accept every click on a button whose ID starts with 'editbtn' (like editbtn1/editbtn2 etc.) and take only the number, to send via AJAX to find the data ID based on the button's ID (number).

    $(document).ready(function(){
        // every element whose id starts with "editbtn" (editbtn1, editbtn2, ...)
        $('[id^=editbtn]').click( function (event) {
            // take the numeric part of the clicked button's id
            var noform = this.id.match(/\d+/);
            event.preventDefault();

            $.ajax({
                'url': 'visitor_book_crud.php',
                'data': {
                    'request': 'find_data',
                    'data_id': noform
                },
                'type': 'post',
                'dataType': 'html',
                'beforeSend': function () { }
            })
            .done( function (response) {
                console.log(response);
            })
            .fail( function (code, status) {
                alert(code+' - '+status);
            })
            .always( function (xhr, status) { });
        });
    });

And in visitor_book_crud.php:

    if ($request=="find_data"){
        $data_id = $_REQUEST['data_id'];

        $mqdata = mysql_query("SELECT * FROM tb_visitorbook WHERE id_vb = '$data_id'") or die (mysql_error());
        $mfadata = mysql_fetch_assoc($mqdata);
        if($mfadata){
            echo implode(",", $mfadata);
        } else {
            echo "failed"; 
        }
    }

I tried to directly send a request to visitor_book.crud?request=find_data&data_id=1 and the output is like this, exactly the same as what I want to appear in the AJAX response:

    1,2022-06-29,03:07:30,03:39:39,6,,A_NAME,3,,,SOME_NAME,,1,

But when I press the edit button, it says:

    <br />
    <b>Notice</b>:  Array to string conversion in <b>C:\xampp\htdocs\security_editless\visitor_book_crud.php</b> on line <b>48</b><br />
    failed

(line 48 is the `mysql_query("SELECT......` line)

I searched through many threads but still couldn't solve my problem; any help would be appreciated.

Ridho
  • **Warning:** `mysql_*` extension is deprecated as of PHP 5.5.0 (2013), and has been removed as of PHP 7.0.0 (2015). Instead, either the [mysqli](https://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](https://www.php.net/manual/en/book.pdo.php) extension should be used. See also the [MySQL API Overview](https://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API. – Dharman Sep 17 '22 at 11:05
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Sep 17 '22 at 11:06
  • Dharman & Alon Eitan: thank you for the warning. I am still new to web building and SQL; currently I am making software for a local server. I know the security holes in my software are very open. I tried to learn how to prevent SQL injection but it looks complicated (with my current knowledge), so for now I'm still wondering how to make the web display that I made simpler, because the coding I made is still very basic. (In other words, I am still new to web building but my company asked me to create one; I told them my background but they said it's okay, so... I just try my best.) – Ridho Sep 19 '22 at 01:56

1 Answer

First of all, you should do all the validation before sending the data from JS, and also validate the data on the PHP side as well.

However, `noform = this.id.match(/\d+/);` will give you an array. To get the number you'll have to use `noform[0]`; also make sure you check whether a match was found or not before using `noform[0]`.

Right now you're sending `noform` as `data_id`, and your PHP is warning about it.

Vijay Hardaha
  • Thank you, it works!! I didn't realize that I missed that one; I thought there was no problem with that (noform). – Ridho Sep 19 '22 at 02:09
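A hardened version of the `find_data` branch, as an added example (it is not the asker's code nor the answerer's). It follows the answer's advice to validate on the PHP side and the comments' advice to use a prepared statement: a `data_id` that is missing, non-integer, or an array (the shape jQuery serialises an unindexed `match()` result into, which is what produced the "Array to string conversion" Notice above) is rejected with a 400 instead of being interpolated into SQL. It assumes an existing mysqli connection in `$mysqli`, a mysqlnd-enabled build (needed for `get_result()`), and the table and column names from the question.

```php
<?php
// Added example, not the question's own code. Assumes $mysqli is an open
// mysqli connection and that tb_visitorbook / id_vb exist as in the question.

/**
 * Validate the incoming data_id.
 * Returns a positive int, or null when the value is missing, not a scalar
 * (e.g. the array PHP builds from "data_id[]=1"), or not a valid integer.
 */
function validate_data_id($raw)
{
    if (!is_scalar($raw)) {
        // arrays/objects are rejected here instead of reaching the query
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;
}

/**
 * Fetch one row by id with a prepared statement: the id is bound as an
 * integer parameter and never concatenated into the SQL text.
 * Returns the row as an associative array, or null when nothing matched.
 */
function find_visitorbook_row(mysqli $mysqli, int $id)
{
    $stmt = $mysqli->prepare('SELECT * FROM tb_visitorbook WHERE id_vb = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Only POST is accepted, matching the 'type': 'post' used by the jQuery call;
// the manual GET test from the question would no longer hit this branch.
if (($_POST['request'] ?? '') === 'find_data') {
    $id = validate_data_id($_POST['data_id'] ?? null);
    if ($id === null) {
        http_response_code(400);   // bad input: say so, rather than querying with 'Array'
        echo 'failed';
        exit;
    }
    $row = find_visitorbook_row($mysqli, $id);
    // same comma-joined output format the original handler produced
    echo $row ? implode(',', $row) : 'failed';
}
```

With this handler the client-side fix (`noform[0]`) still matters for the request to succeed, but a client that sends the raw array, or any non-numeric value, now gets a clean 400 rather than a PHP Notice and a query built from the string `Array`.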