
How do I get a variable from the URL to work in a query? PHP

The URL is in the format http://alexhillshs.ipto.com.au/11%20Digital%20Solutions/trout/Movie.php?movie=1938. But I'm able to get the movie ID from the URL (1938 in this case) to work in the SQL query ($query) below, even though the movie ID variable works correctly in the rest of the webpage.

<div class="card">
    <h2>Write a Review</h2>
    <form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="post" target="hiddenFrame" id="myForm">
        <label><b>Rating Out of 10</b></label>
        <input type="float" name="val1" placeholder="Enter Rating Out of 10">
        <label><b>Review</b></label>
        <textarea rows="10" type="text" name="val2" placeholder="Enter" class="RevForm"></textarea>
        <iframe name="hiddenFrame" class="hide"></iframe>
        <input type="submit" name="submit" value="Submit Review" class="registerbtn">
    </form>
    <?php
        $movieid = $_GET["movie"];
        print $movieid;
        $conn = new mysqli("localhost","<username>","<password>","<database>") or die(mysqli_error($conn));
        if (isset($_POST["submit"])) {
            $val1 = $_POST["val1"];
            $val2 = $_POST["val2"];
            $user1 = $_SESSION["id"];
            $idmov = $_SERVER['QUERY_STRING'];
            $query = mysqli_query($conn, "INSERT INTO Mem_Reviews (Rating, Review, Mem_ID, Movie_ID) VALUES ('$val1', '$val2', '$user1', '$movieid')") or die(mysqli_error($conn));
        }
    ?>
</div>

So basically you should never trust user input. This includes URL parameters. Your code is security-critical in several places at once.

First you should have a look at your form. As mentioned in the comments, you never submit the movie ID in your form. That's the reason you can access it in your PHP code after submitting the form.

So basically you should test if there's a movie ID in the URL parameters before outputting the form.

<?php
// parameters you need for the form before the html form
$movieID = isset($_GET['movie']) ? intval($_GET['movie']) : 0;
?>

This line of code checks if there is a GET parameter with the name movie and validates it as an integer value. If there isn't a GET parameter with the name movie, the movie ID will be 0.

After that output your form as html.

<form id="myForm" method="post" action="<?= $_SERVER['PHP_SELF'] ?>" target="iframe">
    <label>
        rating out of 10
        <input type="number" step=".1" min="0" max="10" name="val1" placeholder="enter rating out of 10"> 
    </label>
    <label>
        review
        <textarea rows="10" type="text" name="val2" placeholder="enter your review"></textarea>
    </label>
    <iframe name="iframe" class="hide"></iframe>
    <input type="hidden" name="movie" value="<?= htmlentities($movieID) ?>">
    <input type="submit" name="submit" value="submit review">
</form>

After that your movie ID will be present with every form submission as $_POST['movie'].

Let us have a look at your PHP code when the form was submitted. Your SQL query is vulnerable and wide open for SQL injection. One could easily read out or delete your database. Please use prepared statements when you deal with user-generated content.

<?php
// the member id is read from the session, so the session has to be started first
session_start();

// establish a mysqli database connection
$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    exit;
}

// initialize a prepared statement for your query
if (!($stmt = $mysqli->prepare("INSERT INTO Mem_Reviews (Rating, Review, Mem_ID, Movie_ID) VALUES (?, ?, ?, ?)"))) {
    echo "Prepare failed: (" . $mysqli->errno . ") " . $mysqli->error;
    exit;
}

// bind your parameters to your mysqli statement (d = double, s = string, i = integer)
if (!$stmt->bind_param("dssi", $_POST['val1'], $_POST['val2'], $_SESSION['id'], $_POST['movie'])) {
    echo "Binding parameters failed: (" . $stmt->errno . ") " . $stmt->error;
    exit;
}

// a prepare is always followed by an execute
if (!$stmt->execute()) {
    echo "Execute failed: (" . $stmt->errno . ") " . $stmt->error;
}

That's all. This should solve your problems.
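The validation and the prepared insert described in this answer, put together as one handler for the form above. This is an added example, not code from the question or the answer; the helper names validate_review and insert_review, the 2000-byte review limit and the credential placeholders are assumptions.

```php
<?php
// Added example (not the question's or the answer's code): validate the three
// untrusted inputs, then insert with a prepared statement. Helper names, the
// 2000-byte review limit and the credential placeholders are assumptions.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw instead of returning false
function validate_review(array $post, array $session): array
{
    $errors = [];
    // movie id: a positive integer only ("", "abc" and "19.38" are all rejected)
    $movieId = filter_var($post['movie'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($movieId === false) {
        $errors[] = 'invalid movie id';
    }
    // rating: a number in 0..10; the form's min/max attributes only advise the browser
    $rating = filter_var($post['val1'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($rating === false || $rating < 0 || $rating > 10) {
        $errors[] = 'rating must be between 0 and 10';
    }
    // review: must be a string (not val2[]=...), non-empty and bounded in length
    $review = is_string($post['val2'] ?? null) ? trim($post['val2']) : '';
    if ($review === '' || strlen($review) > 2000) {
        $errors[] = 'review must be 1 to 2000 bytes';
    }
    // member id comes from the session only, never from the request body
    $memberId = (string) ($session['id'] ?? '');
    if ($memberId === '') {
        $errors[] = 'not logged in';
    }
    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true, 'rating' => $rating, 'review' => $review, 'member' => $memberId, 'movie' => $movieId];
}
// Values are bound separately from the SQL text, so quotes or SQL keywords in the review are stored as literal characters.
function insert_review(mysqli $db, array $r): int
{
    $stmt = $db->prepare('INSERT INTO Mem_Reviews (Rating, Review, Mem_ID, Movie_ID) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('dssi', $r['rating'], $r['review'], $r['member'], $r['movie']);
    $stmt->execute();
    return $stmt->affected_rows;
}
session_start(); // $_SESSION stays empty unless the session has been started
if (isset($_POST['submit'])) {
    $result = validate_review($_POST, $_SESSION);
    if (!$result['ok']) {
        http_response_code(400);
        echo htmlspecialchars(implode('; ', $result['errors']));
        exit;
    }
    $db = new mysqli('localhost', '<username>', '<password>', '<database>'); // placeholders as in the question
    insert_review($db, $result);
}
```

Rejecting bad input before the statement is prepared keeps the error handling in one place, and the bound parameters never become part of the SQL text regardless of what the review contains.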
