12-19-2009, 08:18 PM
#2 (permalink)
Can't completely debug this for you as it appears to me to be incomplete code (there are some values that don't have any assignments associated with them), but here's how I would rewrite it leaving your variable naming conventions in place.
The queries look okay, except for the fact that none of the data can be trusted. You forgot to escape the user based input coming from POST, and there are no checks to ensure the integrity or type of data being put back into the database. All this could be used to easily attack and manipulate your database server were this script to be on a live site.
There are a few other tips in the comments. Take a peek and see if it helps you get it back up and running:
PHP code:

```php
// This will help ensure that the values you are using are being set
echo 'DEBUG:<br />';
echo '$Id: ' . $Id . '<br />';
echo '$Current_Id: ' . $Current_Id . '<br />';
// var_dump() prints directly and returns nothing, so capture the dump with var_export() instead
echo '<pre>' . htmlspecialchars( var_export( $_POST, true ) ) . '</pre>';
echo '<br />';

echo '<div class="video_post_bottom">';
echo '<div class="favorit">';
// You don't need to add the action if it's posting back to itself
echo '<form action="" method="post" class="favorites">';
echo '<input type="image" src="Images/Favorites.png" name="FAV" value="" />';
echo '<input type="hidden" name="FAV_Id" value="' . $Id . '">';
echo '</form></div>';

if ( isset( $_POST[ 'FAV'] ) ) {
    // You should do some error checks here, ensure that your value is numeric, or a string, or a certain length...
    echo '<p>isset _POSTFAV</p>';
    // Never use unescaped input values in an SQL query! (mysql_escape_string() is deprecated; use the _real_ variant)
    $Video_Id = mysql_real_escape_string( $_POST[ 'FAV_Id'] );
    // While the method of formatting your SQL statements is purely up to you, this method can ensure further data
    // integrity. Good SQL practice also involves never selecting more columns than you need, SELECT * should
    // be avoided whenever possible (and it's always possible)
    $query7 = sprintf( "SELECT Video_Id FROM Favorites WHERE Video_Id = '%d' AND User_Id = '%s' LIMIT 1",
                       $Video_Id, mysql_real_escape_string( $Current_Id ) );
    echo '<p>SELECT Video_Id FROM Favorites</p>';
    $result_C = mysql_query( $query7 );
    // We don't need to loop through the results, or even fetch them. Note that mysql_query() returns a
    // result resource even when zero rows matched, so the row count is what tells us the record wasn't found.
    if ( ! $result_C || mysql_num_rows( $result_C ) == 0 ) {
        echo '<p>INSERT INTO Favorites</p>';
        $query = sprintf( "INSERT INTO Favorites (Video_Id, User_Id) VALUES ('%d', '%s')",
                          $Video_Id, mysql_real_escape_string( $Current_Id ) );
        $result = mysql_query( $query );
        echo '<p>' . $Title . ' has been added to your favorites</p>'; // Not sure where $Title is coming from?
    } else {
        // No need to compare again here, if the row was found, it's in there
        echo '<p> THIS IS ALREADY IN YOUR FAVOURITES </p>';
    }
}

echo '<div class="comments"><a href="Comment/Comment.php?V_Id=' . $Id . '"><img src="Images/Comments.png"></a></div>';
echo '</div>';
```
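The same "add to favourites" step written with input validation and prepared statements, as an added example that is not the poster's code. It assumes a PDO connection in `$pdo` (configured to throw on errors), the `Favorites(Video_Id, User_Id)` table from the thread, and the logged-in user's id in `$Current_Id`; `validVideoId()` and `addFavorite()` are names chosen for this example.

```php
<?php
// Added example, not the poster's code. Assumes: $pdo is a PDO connection with
// PDO::ATTR_ERRMODE set to ERRMODE_EXCEPTION, the Favorites(Video_Id, User_Id)
// table from the thread, and $Current_Id holds the logged-in user's id.

// Validate type and range before the value goes anywhere near SQL. filter_var()
// returns false for "", "12abc", arrays and values below 1, so nothing but a
// positive integer gets through.
function validVideoId($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Returns true when a new row was inserted, false when it already existed.
// Bound placeholders send the values separately from the SQL text, so the
// database never parses user input as part of the statement and no manual
// quoting or escaping is involved.
function addFavorite(PDO $pdo, $videoId, $userId)
{
    $check = $pdo->prepare(
        'SELECT 1 FROM Favorites WHERE Video_Id = :vid AND User_Id = :uid LIMIT 1'
    );
    $check->execute([':vid' => $videoId, ':uid' => $userId]);
    if ($check->fetchColumn() !== false) {
        return false; // already a favourite
    }
    $insert = $pdo->prepare(
        'INSERT INTO Favorites (Video_Id, User_Id) VALUES (:vid, :uid)'
    );
    $insert->execute([':vid' => $videoId, ':uid' => $userId]);
    return true;
}

if (isset($_POST['FAV'])) {
    $videoId = validVideoId(isset($_POST['FAV_Id']) ? $_POST['FAV_Id'] : null);
    if ($videoId === null) {
        // Reject rather than "clean up": the form only ever sends a numeric id.
        echo '<p>Invalid video id</p>';
    } elseif (addFavorite($pdo, $videoId, $Current_Id)) {
        echo '<p>Added to your favorites</p>';
    } else {
        echo '<p>This is already in your favourites</p>';
    }
}
```

The rejection branch deliberately echoes no user-supplied value, so the error path cannot become an HTML injection point either.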