First off, because this is my first question, thanks to all the contributors, this community has helped me immensely as I've worked my way through the various issues I've encountered as I am a novice developer.
So the issue I'm facing is pretty odd to me. I've included the complete code below minus the html as it works fine. In the code I declare a couple of variables, the $userID which is set from the $_SESSION['user'] which is what I use to id the user currently logged in. This works on many other pages just fine. I also declare the $groupID variable which is set from the $queryString, the query string is simply the groupID passed from the previous page, nothing fancy. This issue I run into is when I try to run the buttons pay fee and or update team name.
For some reason the $userID is being passed properly but the $groupID is not. I know the syntax is correct because if I manually place a groupID in the query it works, however it does not when I try to call the $groupID variable. This seems to only happen when running an UPDATE query and works fine with INSERT and SELECT and DELETE but doesn't seem to want to work for UPDATE.
My question is, why would this happen, why can my code see one variable that has been declared but not the other? And why does it work in other types of queries but not this one? As I said I am new to this so there may be something to the UPDATE query that I don't yet understand. I appreciate any guidance you all may offer.
ob_start();
session_start();
require_once 'dbconnect.php';
// if session is not set this will redirect to login page
if( !isset($_SESSION['user']) ) {
header("Location: index.php");
exit;
}
// find out the domain:
$domain = $_SERVER['HTTP_HOST'];
// find out the path to the current file:
$path = $_SERVER['SCRIPT_NAME'];
// find out the QueryString:
$queryString = $_SERVER['QUERY_STRING'];
// put it all together:
$url = "http://" . $domain . $path . "?" . $queryString;
$groupID=$queryString;
$user=$_SESSION['user'];
$userID=$user;
$error=false;
// pay fee, in progress
if ( isset($_POST['btn-payfee']) ) {
if( !$error ) {
$query = "UPDATE membership SET paid = '1' WHERE userID='$userID' AND groupID='$groupID'";
$res9 = mysqli_query($con,$query);
if (!$res9) {
printf("Error: %s
", mysqli_error($con));
exit();
}
if ($res9) {
$errTyp = "success";
$errMSG = "Account successfully updated";
//header("Location: dashboard.php");
} else {
$errTyp = "danger";
$errMSG = "Something went wrong, try again later...";
}
}
}
// update team name
if ( isset($_POST['btn-updatename']) ) {
// clean user inputs to prevent sql injections
$teamName = trim($_POST['teamName']);
$teamName = strip_tags($teamName);
$teamName = htmlspecialchars($teamName);
// if there's no error, continue to signup
if( !$error ) {
$query = "UPDATE membership SET teamName='$teamName' WHERE userID='$userID' AND groupID='$groupID'";
$group = mysqli_query($con,$query);
if ($group) {
$errTyp = "success";
$errMSG = "Account successfully updated";
header("Location: fantasy-group.php?451f70f10dfab9b3b4a12683cef850a5");
} else {
$errTyp = "danger";
$errMSG = "Something went wrong, try again later...";
}
}
}
<!-- change team name -->
<div class="form-group">
<div class="input-group">
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" autocomplete="on">
<label class="input-group mb-2 mr-sm-2 mb-sm-0" for="inlineFormInput">Team Name</label>
<div class="input-group">
<span class="input-group-addon"><span class="glyphicon glyphicon-user"></span></span>
<input type="text" name="teamName" class="form-control" placeholder="<?php echo $row2['teamName']; ?>" maxlength="32" / >
<button type="submit" class="btn btn-primary btn-sm" name="btn-updatename">Update Name</button>
</div>
</div>
<span class="text-danger"><?php echo $nameError; ?></span>
</div>
It looks like you're populating $groupId with the entire query string. You need the parameter from $_GET, $_POST or $_REQUEST. For example: $_GET['group_id'], $_POST['group_id'] or $_REQUEST['group_id'].
Also, you are trying to pass unfiltered, unescaped user input into a database query which is vulnerable to sql injection. You will want to look at prepared statements and also filtering your input. Example:
$groupID = filter_input(INPUT_POST, "group_id", FILTER_VALIDATE_INT);