-2

I'm trying to send a body as a query to a PHP script, but when I treat the information as "$query['param']", this information is returned as undefined.

The JavaScript code I'm using to send the information is as follows:

```javascript
function insertNewRecord(data) {

    fetch('/configs/database/add.php', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: `name=${data.name}&contact=${data.contact}&delivery=${data.delivery}&value=${data.value}`
    })
    .then(function(response) {
        if (response.ok) {
            return response.text();
        }
        throw new Error('Error in the request.');
    })

    var table = document.getElementById("employeeList").getElementsByTagName('tbody')[0];
    var newRow = table.insertRow(table.length);
    cell1 = newRow.insertCell(0);
    cell1.innerHTML = data.name;
    cell2 = newRow.insertCell(1);
    cell2.innerHTML = data.contact;
    cell3 = newRow.insertCell(2);
    cell3.innerHTML = data.delivery;
    cell4 = newRow.insertCell(3);
    cell4.innerHTML = data.value;
    cell4 = newRow.insertCell(4);
    cell4.innerHTML = `<a onClick="onEdit(this)">Edit</a>
                       <a onClick="onDelete(this)">Delete</a>`;
}
```

And the PHP script I'm using to receive the request is as follows:

```php
<?php

    $protocol = ((!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
    $CurPageURL = $protocol . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    $parts = parse_url($CurPageURL);

    if(count($parts) <= 3) return;

    parse_str($parts['query'], $query);

    $conn = OpenCon();

    $sql = "INSERT INTO users (name, contact, delivery, value) VALUES (" . $query['name'] . ", " . $query['contact'] . ", " . $query['delivery'] . ", " . $query['value'] . ")";
    $result = $conn->query($sql);

?>
```

What should I do/change to fix this problem? I'm trying to do a CRUD in PHP, but this problem has been disturbing my work and I'm not able to solve it myself.

  • You're wide open to [SQL injection attacks](https://owasp.org/www-community/attacks/SQL_Injection)! Read [how to prevent SQL injection in PHP](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) by using prepared statements with bound parameters instead of injecting variables directly into your queries. It's not just about security. If your data contains, for example, a single quote `'`, your query will break. – M. Eriksson Jun 22 '23 at 06:19
  • _Side note:_ Unless all data you get are numeric values, your current query will break and throw errors since you're not quoting any of the values. That is also something you don't need to care about if you use prepared statements with placeholders, as suggested above. – M. Eriksson Jun 22 '23 at 06:22

1 Answer

1

The data you are looking for is in `$_POST` but you use `parse_str` to read the values out of the URL. That is the problem in the code.

Check for post data in `$_POST`, like `$_POST["name"]`. The form is POSTed and the data would only be in the URL if you did a fetch of a URL with all the details using the default GET method.

mplungjan
micah
  • As commented above, I wanted to get the results of the query. This answer was unfortunately not helpful. – Winchester Jun 22 '23 at 06:05
  • @Winchester that comment of yours is also not very helpful. We don't know what _exactly_ you did now, so we can't possibly tell if you might have simply done something _wrong_ either. Please edit your question and include what modifications you made. – CBroe Jun 22 '23 at 06:47
  • @Winchester Please read the updated answer. It was not clear to me before but the comments made it clear and they are now part of the answer – mplungjan Jun 22 '23 at 18:19
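
The fix from the answer (read the POST body, not the URL) combined with the prepared statement suggested in the comments, as an added example that is not part of the original question or answer. It assumes PDO with an in-memory SQLite database (the `pdo_sqlite` extension) in place of the page's `OpenCon()`; `openDemoDb`, `addUser` and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: an in-memory SQLite database stands in for the page's
// OpenCon() connection so the example runs offline.
function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT, contact TEXT, delivery TEXT, value TEXT)');
    return $db;
}

// Take the four fields from the decoded POST body (what PHP exposes as
// $_POST) and insert them with bound parameters instead of concatenation.
function addUser(PDO $db, array $post): bool
{
    $row = [];
    foreach (['name', 'contact', 'delivery', 'value'] as $field) {
        // Reject missing or non-string input (name[]=x arrives as an array).
        if (!isset($post[$field]) || !is_string($post[$field])) {
            return false;
        }
        $row[':' . $field] = $post[$field];
    }
    $stmt = $db->prepare(
        'INSERT INTO users (name, contact, delivery, value)
         VALUES (:name, :contact, :delivery, :value)'
    );
    return $stmt->execute($row);
}

// Constructed sample input, shaped like $_POST for the fetch() request
// in the question.
$db = openDemoDb();
$samplePost = [
    'name'     => "O'Brien",  // a single quote breaks the concatenated query
    'contact'  => '555-0100',
    'delivery' => 'express',
    'value'    => '42',
];
var_dump(addUser($db, $samplePost));                    // complete input
var_dump(addUser($db, ['name' => 'no other fields']));  // incomplete input
print_r($db->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));
```

In the handler itself the second argument would be `$_POST`; with a mysqli connection the equivalent calls are `prepare()`, `bind_param()` and `execute()`.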