Old 12-19-2009, 07:26 PM   #1
micma909 (Newcomer)
Join Date: Dec 2009
Posts: 1

MySql Add to favorites - almost functional - help

Hello talkphp members,

I am very, very new to PHP and MySQL, and I have a problem.

Problem: I am building a simple embedded YouTube-link site (school project) and I can't get my "add to favorites" PHP to throw any values into my database. In my opinion the PHP below should work, I can't find any errors and I am completely blinded by now - why won't this work?

Additional things you need to know:
  • this lies in a while loop that grabs the $Id.
  • $Current_Id is from the session id.

There was a point in time where this worked. Please help me.

```php
print "<div class='video_post_bottom'>"; // BOTTOM
print "<div class='favorit'><form action='Main4.php' method='post' class='favorites'><input type='image' src='Images/Favorites.png' name='FAV' value=''/><input type='hidden' name='FAV_Id' value='$Id'></form></div>"; // "Favorites" - BUTTON

// ADD TO FAVORITES
if (isset($_POST['FAV']))
{
    print "<p>isset _POSTFAV</p>";
    $Video_Id = $_POST['FAV_Id'];
    $favorite = null; // make sure this exists even when the SELECT returns no rows

    $query7 = "SELECT * FROM Favorites WHERE '$Video_Id' = Favorites.Video_Id AND '$Current_Id' = User_Id";
    $result_C = mysql_query($query7);
    print "<p>SELECT * FROM FAVORITES</p>";

    while ($row7 = mysql_fetch_array($result_C)) {
        $favorite = $row7['Video_Id'];
        print "<p>favorite = row7Video_Id</p>";
    }

    if (!$favorite) // not favorite yet?
    {
        $query = "INSERT INTO Favorites (User_Id, Video_Id) VALUES ('$Current_Id', '$Video_Id')";
        print "<p>INSERT INTO Favorites</p>";

        $result_C = mysql_query($query);
        print "<p> $Title has been added to your favorites</p>";

        unset($_POST['FAV']);
    }
    else if ($favorite && $Video_Id == $Id) // if voted has value
    {
        print "<p> THIS IS ALREADY IN YOUR FAVOURITES </p>";
    }
}

print "<div class='comments'><a href='../Comment/Comment.php?V_Id=$Id'><img src='Images/Comments.png'></a></div>"; // COMMENTS
print "</div>";
```
Old 12-19-2009, 08:18 PM   #2
delayedinsanity
Join Date: Mar 2008
Location: Vegas, Baby
Posts: 963

Can't completely debug this for you as it appears to me to be incomplete code (there are some values that don't have any assignments associated with them), but here's how I would rewrite it leaving your variable naming conventions in place.

The queries look okay, except for the fact that none of the data can be trusted. You forgot to escape the user-based input coming from POST, and there are no checks to ensure the integrity or type of data being put back into the database. All this could be used to easily attack and manipulate your database server were this script to be on a live site.

There are a few other tips in the comments. Take a peek and see if it helps you get it back up and running:

```php
// This will help ensure that the values you are using are being set
echo 'DEBUG:<br />';
echo '$Id: ' . $Id . '<br />';
echo '$Current_Id: ' . $Current_Id . '<br />';
// var_dump() prints directly and returns nothing, so use print_r() with its return flag to capture the dump
echo '<pre>' . htmlspecialchars( print_r( $_POST, true ) ) . '</pre>';
echo '<br />';

echo '<div class="video_post_bottom">';
echo '<div class="favorit">';
// You don't need to add the action if it's posting back to itself
echo '<form action="" method="post" class="favorites">';
echo '<input type="image" src="Images/Favorites.png" name="FAV" value="" />';
echo '<input type="hidden" name="FAV_Id" value="' . $Id . '">';
echo '</form></div>';

// Note: browsers submit an image button as FAV_x / FAV_y rather than FAV, so key off the
// hidden field instead of the button name.
if ( isset( $_POST['FAV_Id'] ) ) {
    // You should do some error checks here, ensure that your value is numeric, or a string, or a certain length...

    echo '<p>isset _POSTFAV</p>';
    $Video_Id   = mysql_real_escape_string( $_POST['FAV_Id'] ); // Never use unescaped input values in an SQL query!
    $Current_Id = mysql_real_escape_string( $Current_Id );      // Escape anything that ends up inside quotes

    // While the method of formatting your SQL statements is purely up to you, this method can ensure further data
    // integrity. Good SQL practice also involves never selecting more columns than you need, SELECT * should
    // be avoided whenever possible (and it's always possible)
    $query7 = sprintf( "SELECT Video_Id FROM Favorites WHERE Video_Id = '%d' AND User_Id = '%s' LIMIT 1", $Video_Id, $Current_Id );
    echo '<p>SELECT Video_Id FROM Favorites</p>';

    $result_C = mysql_query( $query7 );

    // We don't need to loop through the results, or even fetch them. mysql_query() returns a result
    // resource even when zero rows match (false only means the query itself failed), so the row
    // count is what tells us whether the record was found.
    if ( ! $result_C ) {
        echo '<p>Lookup failed: ' . htmlspecialchars( mysql_error() ) . '</p>';
    }
    elseif ( mysql_num_rows( $result_C ) === 0 ) {
        echo '<p>INSERT INTO Favorites</p>';
        $query  = sprintf( "INSERT INTO Favorites (Video_Id, User_Id) VALUES ('%d', '%s')", $Video_Id, $Current_Id );
        $result = mysql_query( $query );
        if ( ! $result ) {
            echo '<p>Insert failed: ' . htmlspecialchars( mysql_error() ) . '</p>';
        }
        else {
            echo '<p>' . $Title . ' has been added to your favorites</p>'; // Not sure where $Title is coming from?
        }
    }
    else { // No need to compare again here, if the row was found, it's in there
        echo '<p> THIS IS ALREADY IN YOUR FAVOURITES </p>';
    }

}

echo '<div class="comments"><a href="Comment/Comment.php?V_Id=' . $Id . '"><img src="Images/Comments.png"></a></div>';
echo '</div>';
```
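As an added example, not code from the thread or from either poster, here is the same check-then-insert written the way the reply recommends but with PDO prepared statements, so the value of FAV_Id is never spliced into the SQL text at all, plus a whitelist check on the id before it reaches the database. It uses an in-memory SQLite database so it runs stand-alone; it assumes the Favorites table has User_Id and Video_Id columns (as in the thread), that video ids are 11-character YouTube ids (an assumption; adjust the pattern to your schema), and that the current user's id is held server-side in the session (the thread's $Current_Id) rather than taken from the request.

```php
<?php
// Added example (not from the thread): "add to favorites" with prepared statements.
// Runs against an in-memory SQLite database so no MySQL server is needed;
// the table layout follows the thread (Favorites: User_Id, Video_Id).

declare(strict_types=1);

// Accept only values shaped like a YouTube video id: exactly 11 chars of [A-Za-z0-9_-].
// Assumption: the site stores YouTube ids; change the pattern to match your own schema.
function validateVideoId(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{11}$/', $raw) === 1 ? $raw : null;
}

function createSchema(PDO $db): void
{
    // UNIQUE(User_Id, Video_Id) lets the database itself refuse duplicates, so two
    // requests arriving at the same time cannot both slip past the SELECT and insert.
    $db->exec('CREATE TABLE Favorites (
        User_Id  INTEGER NOT NULL,
        Video_Id TEXT    NOT NULL,
        UNIQUE (User_Id, Video_Id)
    )');
}

// Returns 'added', 'exists' or 'invalid'. $userId is the logged-in user's id from the
// server-side session; $rawVideoId is whatever arrived in $_POST['FAV_Id'].
function addFavorite(PDO $db, int $userId, string $rawVideoId): string
{
    $videoId = validateVideoId($rawVideoId);
    if ($videoId === null) {
        return 'invalid'; // rejected before any SQL is built
    }

    // Named placeholders: the values travel separately from the SQL text, so a quote
    // or keyword inside $videoId is just data, never part of the statement.
    $check = $db->prepare(
        'SELECT 1 FROM Favorites WHERE User_Id = :uid AND Video_Id = :vid LIMIT 1'
    );
    $check->execute([':uid' => $userId, ':vid' => $videoId]);
    if ($check->fetchColumn() !== false) {
        return 'exists';
    }

    $insert = $db->prepare(
        'INSERT INTO Favorites (User_Id, Video_Id) VALUES (:uid, :vid)'
    );
    try {
        $insert->execute([':uid' => $userId, ':vid' => $videoId]);
    } catch (PDOException $e) {
        // Another request inserted the same row between our SELECT and INSERT;
        // the UNIQUE constraint turned that race into an error we can treat as "exists".
        return 'exists';
    }
    return 'added';
}

// Demonstration on constructed input (SQLite in memory, runs offline).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
createSchema($db);

// Each pair stands in for (session user id, $_POST['FAV_Id']) on one request.
$requests = [
    [42, 'vid00000001'], // first time for user 42
    [42, 'vid00000001'], // same user, same video again
    [7,  'vid00000001'], // a different user may favourite the same video
    [42, "a'b"],         // quote character: fails the whitelist, never reaches SQL
    [42, 'abc'],         // wrong length: rejected
];

foreach ($requests as [$uid, $posted]) {
    printf("user %2d  %-16s => %s\n", $uid, var_export($posted, true), addFavorite($db, $uid, $posted));
}
```

Two points worth taking from this beyond the thread's fix: the UNIQUE constraint closes the gap between the SELECT and the INSERT that a check-then-insert in application code always has, and the whitelist means the database only ever sees values of a known shape. The mysql_* functions used in both posts were removed in PHP 7, so PDO or mysqli with prepared statements is the route for any current PHP.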