
Afternoon users, I have a comment function where I want to redirect users to the same page after posting a comment, but the issue I am facing is that I am not able to get the value of the directed ID in the URL.

Here is my code:

<?php
session_start();   // needed before $_SESSION['6_code'] can be read below

// $user is the mysqli connection; IsInjected() is defined elsewhere in the project
$ID     =   mysqli_real_escape_string($user, $_GET['ID'] ?? '');
$tt     =   mysqli_real_escape_string($user, $_GET['tt'] ?? '');
$errors =   '';   // must exist before the .= appends below

if(isset($_POST['submit']))
{
    $name        =   mysqli_real_escape_string($user, $_POST['name'] ?? '');
    $email       =   mysqli_real_escape_string($user, $_POST['email'] ?? '');

    ///------------Do Validations-------------
    if(empty($name)||empty($email))
    {
        $errors .= "\n Name, Email are required fields. ";
    }
    if(IsInjected($email))
    {
        $errors .= "\n Bad email value!";
    }
    if(empty($_SESSION['6_code']) ||
      strcasecmp($_SESSION['6_code'], $_POST['6_code'] ?? '') != 0)
    {
        //Note: the captcha code is compared case insensitively.
        //if you want case sensitive match, update the check above to
        // strcmp()
        $errors .= "\n The captcha code does not match!";
    }

    if(empty($errors))
    {
        //save the comment
        $sql="INSERT INTO user_comments
        (name, email) VALUES('$name', '$email')";
        $res    =   mysqli_query($user, $sql);

        if($res) {
            // values must be URL-encoded; exit so nothing else is sent after the redirect
            header("Location: details.php?ID=" . urlencode($ID) . "&tt=" . urlencode($tt));
            exit;
        }  else   {
            $message = "Something went wrong. Please try again";
        }
    }
}
?>

When I press the submit button it gives results like http://mywebsite.com/details.php?ID=&tt=

Why does it not give the values of ID and tt in the URL? Need help please. Thanks in advance

  • Where is the `$ID` variable coming from? I don't see it anywhere in your code, nor `$title`. You'll also have to URL-encode your message string rather than sending it with spaces embedded. You also need to use Prepared Statements instead of concatenating user-supplied strings into your query like that. – droopsnoot Jul 05 '23 at 07:10
  • `details.phpID` is missing the `?` – brombeer Jul 05 '23 at 07:11
  • I have updated the code kindly check and thanks for the support – Faheem Ali Jul 05 '23 at 07:25
  • You are processing a POST request there, so your form that you are submitting to this script, would need to contain GET parameters `id` and `title` in the URL in its `action` attribute already - which I doubt is actually the case. If you want to output the values of the parameters you included in that URL you are redirecting to - then you need to do that _outside_ of the `if(isset($_POST['submit']))` block, because that condition will of course not be true for the GET request the browser makes to follow your redirect. – CBroe Jul 05 '23 at 07:32
  • they are already outside the if(isset($_POST['submit'])) block, yet not getting the values of ID and title in URL after posting the form. Results come like: http://mywebsite.com/details.php?ID= – Faheem Ali Jul 05 '23 at 07:36
  • _"they are already outside the if(isset($_POST['submit'])) block"_ - I am talking about the `header` call in your code, and that is definitively _not_ outside of that if block. Plus, you wrapped it into `if($res)` - `$res` won't even exist, if you did not just make your database insert. – CBroe Jul 05 '23 at 07:39
  • And you should rather not pass the message _text_ as URL parameter to begin with. Because, what would be stopping me from setting links to your site anywhere on the internet, and have them end with `...&title=Your Mother **cks **cks in hell` ...? (Don't worry, I'll apply proper URL encoding of course.) And then anyone clicking on such a link, would get _that_ message shown by _your_ site, which probably won't be too good for its reputation ... Pass a message _ID_ instead, and then use that ID to go look up the _text_ to show in an array or something. – CBroe Jul 05 '23 at 07:45
  • can you please make updates to my code based on your suggestions? Actually, I am a learner so not that good at PHP – Faheem Ali Jul 05 '23 at 07:47
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unparameterised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jul 05 '23 at 07:52
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) . Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use that resource again. – ADyson Jul 05 '23 at 07:52
  • `Actually, I am a learner so not that good at PHP`...then this is a great opportunity to do some in-depth, practical learning. The best way to learn is by doing. Read the comments really carefully, then tackle each issue one at a time. If you get stuck on something particular, update your question with your attempt and your current problem. – ADyson Jul 05 '23 at 07:53
  • Regarding your update: mysqli_real_escape_string is obsolete, and has been for 20 years. I don't know why you added that to your code. It does not protect you against everything. It seems you did not properly read the links I provided, which contain simple examples of the correct way to safely and reliably construct your SQL queries using PHP. – ADyson Jul 05 '23 at 08:55
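A handler that follows the advice in these comments, as an added example rather than code from the question or the answer: it carries ID and tt through the POST request, inserts with a prepared statement, and redirects with a message code that details.php maps to text. It assumes `$user` is an open mysqli object and that `user_comments` has `name` and `email` columns.

```php
<?php
// Added example (not the question's or answer's code); assumes $user is an open mysqli object and user_comments has name/email columns.
session_start();

// The POST request must carry ID and tt itself: either the form's action URL
// is details.php?ID=..&tt=.. or the form includes them as hidden fields, e.g.
//   <input type="hidden" name="ID" value="...">
$ID = $_GET['ID'] ?? $_POST['ID'] ?? '';
$tt = $_GET['tt'] ?? $_POST['tt'] ?? '';

// Message codes, looked up on details.php; a crafted link can only select one
// of these, never put its own text on the page.
const MESSAGES = [
    'posted' => 'Your comment was posted and is pending approval.',
    'error'  => 'Something went wrong. Please try again.',
];

function message_text(string $code): string
{
    return htmlspecialchars(MESSAGES[$code] ?? '', ENT_QUOTES, 'UTF-8');
}

function redirect_to_details(string $id, string $tt, string $code): void
{
    // http_build_query URL-encodes every value; exit stops any output after the header.
    header('Location: details.php?' . http_build_query(['ID' => $id, 'tt' => $tt, 'msg' => $code]));
    exit;
}

if (isset($_POST['submit'])) {
    $name   = trim($_POST['name'] ?? '');
    $email  = trim($_POST['email'] ?? '');
    $errors = '';
    if ($name === '' || $email === '') {
        $errors .= "\n Name, Email are required fields.";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors .= "\n Bad email value!";
    }
    if (empty($_SESSION['6_code']) ||
        strcasecmp($_SESSION['6_code'], $_POST['6_code'] ?? '') !== 0) {
        $errors .= "\n The captcha code does not match!";
    }
    if ($errors === '') {
        // Prepared statement: the values are sent separately from the SQL text,
        // so no quoting or escaping of $name/$email is involved.
        $stmt = $user->prepare('INSERT INTO user_comments (name, email) VALUES (?, ?)');
        $stmt->bind_param('ss', $name, $email);
        redirect_to_details($ID, $tt, $stmt->execute() ? 'posted' : 'error');
    }
}
```

details.php is reached by a GET request, so the same `$ID`/`$tt` lines work there, and it shows `message_text($_GET['msg'] ?? '')` instead of echoing anything from the URL.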

1 Answer

<?php
session_start();   // required before the $_SESSION captcha check below

if(isset($_POST['submit']))
{
    // It looks like you're trying to validate $name and $email variables, but they are not defined.
    // You might want to get these from the $_POST array.

    $name = $_POST['name'] ?? '';
    $email = $_POST['email'] ?? '';

    // The redirect below needs $ID and $title; they only exist in this POST
    // request if the form's action URL carried them as GET parameters.
    $ID = $_GET['ID'] ?? '';
    $title = $_GET['title'] ?? '';

    $errors = "";

    ///------------Do Validations-------------
    if(empty($name) || empty($email))
    {
        $errors .= "\n Name, Email are required fields. ";
    }
    if(IsInjected($email))
    {
        $errors .= "\n Bad email value!";
    }
    if(empty($_SESSION['6_letters_code']) || strcasecmp($_SESSION['6_letters_code'], $_POST['6_letters_code'] ?? '') != 0)
    {
        $errors .= "\n The captcha code does not match!";
    }

    if(empty($errors))
    {
        //you also need to escape your inputs to prevent SQL Injection. Use mysqli_real_escape_string() function.
        $name = mysqli_real_escape_string($user, $name);
        $email = mysqli_real_escape_string($user, $email);

        //save the comment
        $sql = "INSERT INTO Comments (name, email) VALUES('$name', '$email')";
        $res = mysqli_query($user, $sql);

        if($res) {
            // your redirect location syntax is wrong. It should be details.php?ID=...
            // every value is URL-encoded, and exit stops further output after the redirect
            $msgg = urlencode("Your comment was posted and pending for approval.");
            header("Location: details.php?ID=" . urlencode($ID) . "&title=" . urlencode($title) . "&msgg=" . $msgg);
            exit;
        }
    }
}
?>
brombeer
  • Everything is working fine except the values of ID and title are not coming through or showing in the URL. I want a solution at the header location function only. Thanks – Faheem Ali Jul 05 '23 at 07:33