Lets say I have a file called comments.php. In it I have a row like this:
$post_id = $_GET['id'];
$result = mysqli_query($con,"SELECT * FROM comments WHERE post_id = $post_id");
$post_id is the id of the actual entry.
If I echo $post_id it shows the entry's number, no problem there.
There's also a file called comment_send.php.
In it I want to send a comment, alongside with the id of the actual entry, so the comments will know where they belong to.
$post_id = $_GET['id'];
$result = mysqli_query($con,"SELECT * FROM comments WHERE post_id = $post_id");
$sql="INSERT INTO comments (comment, post_id) VALUES ('$_GET[comment]','$post_id')";
However, when I hit the submit button I get this: Notice: Undefined index: id
I dont understand the problem because in the comments.php everything works fine but if I move the same part into another file it fails. Does anyone know what my problem might be?
And yeah, the comment arrives in the database, with the number 0, instead of the entry number.
Your submitting data from the client to the server using a form, right? Check your action on your form. Is it POST (as it should be if you are updating your database)? If so, change $post_id = $_GET['id']; to $post_id = $_POST['id'];
As a troubleshooting tool, I typically add something like echo('<pre>'.print_r($_REQUEST,1).'</pre>'); to the top of my page. You can then find out what type of data you are sending to the server. Then when you get to your SQL statement, be sure to echo the query to see what it is.
Also, sanitize your data as you are open to SQL injection.
It doesn't look like you are passing 'id' to your comment_send.php page. Either pass it in with your comment, or save it as a $_SESSION variable on the previous page.
Related
Using a plugin I'm able to use PHP on page by using [insert_php] as a tag however, whenever I try using SQL it doesn't seem to work.
I tried using:
global $wpdb;
$prepared = $wpdb->get_row(
"SELECT SiteID, SiteName
FROM $wpdb->Site
WHERE SiteID = 1");
echo $prepared->SiteName;
echo "test";
All I'm getting is test on the page and I've tested to see if my sql statement was at fault and it seems to be working fine so I'm guessing there's an issue with $wpdb or the way I'm outputting the data.
WordPress.org has a lot of detailed information in their reference.
I think attempting to refer to $wpdb->Site is a likely suspect for why your code is not working. You will need to know the exact fields in the table to pull your information.
Here is a reference for the wp_site table. I think you're actually looking for the 'domain' field, not 'sitename'.
Try replacing $wpdb->Site with the actual name of the table. I also get errors like that at first since $wpdb->table_name only works with the default wp tables.
EDIT
It should be something like this:
SELECT SiteID, SiteName FROM Site WHERE SiteID = 1
<?php
if(isset($_POST['submit'])) {
$name = $_POST['name'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$user_id = $_GET['user_id'];
?>
I have a web form that needs to recognize the users id #. I have it set up where $user_id = $_GET['user_id']; I also believe that I have the id retrieval code right. I made sure that the user_id matched my table but I keep getting an error that says that user_id is an unidentified index.
This means that user_id is not being sent in the headers; You are using both GET and POST in that code snippet, you can only send one at a time when doing a HTTP Request unless your form action has query string in it.
I believe what you could be doing is that on the page with your form, you have user_id set in the URL, however when that form is posted, you will loose all the query strings, so you need to do this;
<form action="/post.php?user_id=123" method="POST">
That should hopefully solve your issue.
did you change user_id retrieval to POST? it should be
$user_id = $_POST['user_id'];
if it still doesn't work check where you define the user_id for any typo errors.
Okay maybe i figure it out what do you want to point out. Do you want to get the user_id of a user that is already logged-in in your website/webpage, right? If so, then you must use this some code:
$_SESSION['user_id'] = $_POST['user_id'];
So that you can access the user's id wherever in the page. Hopes this helps.
Am fairly new to PHP and am making a basic CRUD style management system. I Have an update page and it displays data from a News table, and populates a form with it. The current picture ?(reference) is pulled through and displayed on the form. However if a user wants to change the picture they can press a 'delete' button and then I have written some PHP to display a upload button, set the values in the database for the image to null and hide the delete button, allowing the user to upload a new picture.
The Delete button only removes the reference (path) to the picture from the database, it doesn't delete the actual picture.
This is the HTML control to show the image and delete button. It also shows how the delete button works:
<td align="right">Image 1:</td>
<td align="left"><img src="uploads/newsimages/<?php echo $row["Image"]; ?>" width="230" border="0"> delete</td>
As you can see, when clicked it sets change=imagex and cid= the current news id.
There is then an if statement I have written, but it doesn't seem to only get activated when the delete button is clicked. Because I always get an error that 'cid' is undefined. It is as follows:
<?php
if (isset($_GET['change'] = "image1") {
$query = "UPDATE Table_Name SET Image = '' WHERE NewsID =".$_GET['cid']." ";
}
?>
I am pretty sure my lack of PHP knowledge is letting me down and I am trying to go about this the wrong way, because however I alter the if statement it always gives me an error. First it was cid is undefined so I changed to id but i already use that for something else, another query/function. I hope that all amde sense, can anyone tell me where Im going wrong?
You are missing a parenthesis + you have to specify individually:
if (isset($_GET['change'] = "image1") {
Change to:
if (isset($_GET['change']) && $_GET['change'] == "image1") {
Some more things to consider:
1) Don't use unsanitized values directly from $_GET in a mysql query
WHERE NewsID =".$_GET['cid']."
It is very easy to exploit this with some funky sql injection (see http://xkcd.com/327/ ).
If you are using numeric values for cid, you should cast your $_GET value to integer to prevent sql injection:
$cid = (int)$_GET['cid];
$query = '(...)WHERE NewsID = '.$cid.' limit 1';
Or even better:
$cid = (int)(array_key_exists('cid', $_GET) ? $_GET['cid'] : 0);
if ($cid) {
$query = (...)
}
If you need this kind of sanitizing in different places, you should think about writing a helper function for it to keep your code readable.
2) Don't use GET requests to change data on your server
Imagine a google bot browsing your site and following all those links that you use to delete images. Other scenarios involve users with prefetch plugins for their browsers (e.g. Fasterfox). Also, GET requests may be cached by proxies and browsers, so that the request won't hit the server if you click the link.
The HTTP specification comes with numerous request methods, the most important ones are:
GET to fetch content from the server
PUT to store new information on the server
POST to update existing information on the server
To update your news record (by removing the image) the appropriate method would be POST. To send a POST request, you can use the <form method="POST"> tag.
try this
<?php
if (isset($_GET['change']) && $_GET['change'] == "image1") {
$query = "UPDATE Table_Name SET Image = '' WHERE NewsID =".$_GET['cid']." ";
}
?>
I'm trying to use the Joomla framework to make a create in the main content table.[http://docs.joomla.org/How_to_use_the_JTable_class] This works fine except that some data comes from posted variables and some from logic that happens when a file is uploaded moments before (store the random image name of a jpg)
$data=&JRequest::get('post');
this takes a ref to the posted values and I want to add to this Array or Object my field. The code I have makes the new record but the column images, doesnt get my string inserted.
I am trying to do something like$data=&JRequest::get('post');
$newdata=(array)$data;
array_push($newdata,"images"=>"Dog");
i make newdata as data is a ref to the posted variables and i suspect wont there fore allow me to add values to $data.
I'm a flash guy normally not a php and my knowledge is letting me down here.
Thanks for any help
Right, first thing:
$data=&JRequest::get('post');
$data is an array, you do not have to cast it. To add another element to the array as described in the comments do this:
$data['images'] = 'cats';
If you are using normal SQL to do the insert then you would do something like this to get the last inserted id e.g. the id of the row you just inserted:
$db = $this->getDBO();
$query = 'Some sql';
$db->setQuery($query);
if (!$db->query()) {
JError::raiseWarning(100, 'Insert failed - '.$db->getErrorMsg());
}
$id = $db->insertid();
If you are developing in Joomla I suggest you use the db functions provided to you rather than mysql_insert_id();
[EDIT]
If you want to use store then you can get the last inserted id like so:
$row->bind($data);
$row->check();
$row->store();
$lastId = $row->id;
I need something simple; I have page where a user clicks an author to see the books associated with that author. On my page displaying the list of books for the author, I want a simple HTML title saying: 'The books for: AUTHORNAME'
I can get the page to display author ID but not the name. When the user clicks the link in the previous page of the author, it looks likes this:
<?php echo $row['authorname']?>
And then on the 'viewauthorbooks.php?author_id=23' I have declared this at the start:
$author_id = $_GET['author_id'];
$authorname = $_GET['authorname'];
And finally, 'The books for: AUTHORNAME, where it says AUTHORNAME, I have this:
echo $authorname
(With PHP tags, buts its not letting me put them in!) And this doesnt show anything, however if I change it to author_id, it displays the correct author ID that has been clicked, but its not exactly user friendly!! Can anyone help me out!
You could pull the author_id from the query string as you did using $_GET but beware you will need to validate what is coming through by the query. I hope you can see that without validation how bad of a security hole this is.
I am at work at the moment, but this is a quick example that should give you what you need without sanitizing your query.
$id = intval($_GET['author_id']);
// of course, perform more validation checks
// just don't assume its safe.
$sql = "SELECT authorname FROM authors_tb WHERE author_id=" . $id;
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)) {
echo "The books for: " . $row['authorname'];
}
The reason why your approach wasn't working was because you utilize the $_GET URL parameter passing for author_name where you weren't supplying the parameters in the URL, just the author_id.
You don't send it in the query string, thus you can't get it from the $_GET array.
Just request it from the database using id.
An important note: Always use htmlspacialchars() when you display the data, coming from the client side.
This is because you do not define the author name in your get.
You should make the following your url:
<?php echo $row['authorname']?>
Or rather select the data from the database again, on the new page, using the ID you retrieved from the URI.
Author name won't be in $_GET. As your code stands, you only use it as the link title. It is no where in the address. Try this instead:
<?php echo $row['authorname']?>
It would be better to re-request it from the database using the author_id though.
EDIT:
To explain the problem in more detail. You have two pages, the new.php page and the viewauthorbooks.php page. You're sending users from the new page to the view page using the link you posted, right?
The problem with that is, your link assigns one variable in get. Here's the query string it would generate:
viewauthorbooks.php?author_id=13
What that will do is send the user to viewauthorbooks and place the value '13' in the $_GET variable: $_GET['author_id']. That is why the author_id is there and displays on viewauthorbooks. However, authorname is never passed to viewauthorbooks, it isn't in $_GET['authorname'] because you never set $_GET['authorname']. If you want it to be in $_GET, then you need your query string to look like this:
viewauthorbooks.php?author_id=13&authorname=bob
You can accomplish that using the new HTML code for the link I posted above. Look at it closely, there's a key difference from the one you have now.
However, it is generally discouraged to pass data through GET, because the query string is displayed to the user and it leaves you open to injection attacks. A better way to do this would be to use the author_id you are already passing to viewauthorbooks.php to retrieve the authorname from the database again. You can use the same code you used on the new.php page.