0

I'm building a simple bug tracker tool.

When you've created a project, you can select a project status (open, in progress, finished).

You can change this status on the project page with this select form:

<form action="classes/changestatus.class.php" method="post">
    <label> Change Project Status </label>
    <select name="status" id="status">
        <option value="open">Open</option>
        <option value="inprogress">In Progress</option>
        <option value="finished">Finished</option>
    </select>
    <input class="small button" value="Change Status" type="submit"> 
</form>

The form posts the action to this class:

     $status = $_POST['status'];    
     $sql = "UPDATE INTO projects ( status ) VALUES ('$status')";    
     $result = mysql_query( $sql ); 
     $result = mysql_real_escape_string( $sql );     
     $latestID = mysql_insert_id();

     if ( $result ) {
         header('Location: ../projectpage.php?id='.$latestID); 
     } else { 
         echo "There is something wrong. Try again later.";
     }

     mysql_close();

So, when you submit the form it will run the query above and go back to the project page, with the changed project status, but this doesn't work. I always get redirected to the wrong project page and the data doesn't update in the mysql table.

The problem is that I can't get the id, when I have this link for example 'projectpage?id=20', it always redirects me to 'projectpage?id=0'.

Can anyone help me? I know the code isn't fully SQL injection proof and I don't use mysqli, I'd just like to have an answer to my question.

Thanks!

3
  • 4
    And your code is vulnerable to SQL injection: either properly escape all requests or use prepared statements. Commented Aug 9, 2013 at 7:00
  • Not to mention $result = mysql_real_escape_string($sql); will ALWAYS return true... Commented Aug 9, 2013 at 7:02
  • Please, please, please, please: Stop using mysql_* functions, the entire extension is deprecated and will be removed in the near future. Learn how to use PDO or mysqli_* (the i is for improved). Could you explain why you're first calling mysql_query, and then calling mysql_real_escape_string? Because that makes no sense at all. Commented Aug 9, 2013 at 7:07

3 Answers

2

You're not keeping the $id, so this data isn't being transferred. On your form use:

<input type='hidden' name='hdnID' value="<?php echo $id;?>"> 
<input class="small button" value="Change Status" type="submit"> 

Then on your form use:

$status = $_POST['status'];
$id = $_POST['hdnID'];

0

Try this:

$sql="UPDATE projects SET status = '$status', id = LAST_INSERT_ID(id)"; 
$latestID = mysql_insert_id();

It will work for you.

0

Use

$sql="UPDATE projects SET status = '$status'"; 

And mysql_insert_id will only work when an INSERT query is executed. You need an id to update it or to redirect to it... If you are passing the id, then you can do it like this:

$sql="UPDATE projects SET status = '$status' WHERE id = $id";

And redirection will be like

header('Location: ../projectpage.php?id='.$id); 
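Pulling the answers and comments together, a handler that takes the id from the hidden field, restricts the status to the three values the form offers and uses a prepared statement could look like this. It is an added example, not code posted by anyone in the thread: it swaps the mysql_* calls for PDO, the function name `changeProjectStatus` is hypothetical, and the in-memory SQLite database with its sample rows is constructed so the script runs stand-alone (assumes the pdo_sqlite extension).

```php
<?php
// Added example. Table and column names follow the question; the hidden
// field name 'hdnID' follows the first answer.
const ALLOWED_STATUSES = ['open', 'inprogress', 'finished'];

/**
 * Update one project's status. Returns the redirect target on success,
 * or null when the input is rejected or the project does not exist.
 */
function changeProjectStatus(PDO $pdo, array $post): ?string
{
    $status = $post['status'] ?? '';
    // Allowlist: only the values the <select> offers are accepted.
    if (!in_array($status, ALLOWED_STATUSES, true)) {
        return null;
    }
    // The id must be a positive integer; anything else is rejected.
    $id = filter_var($post['hdnID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt = $pdo->prepare('UPDATE projects SET status = :status WHERE id = :id');
    $stmt->execute([':status' => $status, ':id' => $id]);
    // Read the row back so a non-existent id does not produce a redirect.
    $check = $pdo->prepare('SELECT status FROM projects WHERE id = :id');
    $check->execute([':id' => $id]);
    if ($check->fetchColumn() !== $status) {
        return null;
    }
    return '../projectpage.php?id=' . $id;
}

// Constructed demo data; with MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE projects (id INTEGER PRIMARY KEY, status TEXT)");
$pdo->exec("INSERT INTO projects (id, status) VALUES (20, 'open'), (21, 'open')");

// A valid request, then two constructed malformed ones that are rejected.
var_dump(changeProjectStatus($pdo, ['status' => 'finished', 'hdnID' => '20']));
var_dump(changeProjectStatus($pdo, ['status' => "finished' --", 'hdnID' => '20']));
var_dump(changeProjectStatus($pdo, ['status' => 'open', 'hdnID' => '20 OR 1=1']));
// Project 21 must still be 'open': the WHERE clause limits the update.
var_dump($pdo->query('SELECT status FROM projects WHERE id = 21')->fetchColumn());
```

In the real handler the return value would be passed to `header('Location: ' . $target)` when it is not null, with `$_POST` as the second argument.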
