
I don't know why this is not working; it's the most simple and easy part of my project.
I know that it's not made with PDO, but I will redo it as soon as I know what's wrong with it.

Code logic:
If a user has taken an order, accept.php changes the status value from 0 to odottaa.
If a second user takes the same order before it is removed from the list, status=odottaa is TRUE and the user is moved back to kuljettaja.php.


Currently, if I run this file, all I get is a blank answer from the database, no errors.
<?php
require "secure/secure.php"; // Require login to page to prevent usage if not logged in
include "secure/config.php"; // Using database connection file here
$id = $_GET['id']; // get id through query string
$request = mysqli_query($link,"SELECT status FROM tilauskanta WHERE id=$id"); // Ask status value

echo "$request"; //Test print value

if ($request == "Odottaa"){
     header("location:kuljettaja.php");
}
else{
     header("location:accept.php?id=$id");
}  
?>
  • mysqli_query doesn't fetch the result; also, you're open to SQL injections. Commented May 24, 2021 at 0:35

2 Answers


First of all, avoid using parameters in your queries that are passed by the user, as that makes you susceptible to SQL injection. Use prepared statements instead.

Secondly, in order for header("Location") to work, it must be placed before anything else is printed on your page, like HTML or (in your case) echo.

Also, you seem to be missing the actual fetching from MySQL and instead are comparing the request, but since you are echoing it above, I guess you know what you are comparing...

If that is not your problem, then you will need to share a bit more about your login logic.


5 Comments

I am not sure if he is passing around the ID of a user in a GET request, but if so, he should definitely replace that with $_SESSION
It's not unusual to use an id from the url, I know I do it all the time. Just use prepared statements or at least some other form of sanitizing.
Then what is stopping someone from changing the &id=1234 in the URL to something like &id=4321 to log in as someone else?
It doesn't, but I do not think we are using the id to log in. Also, OP said he will be changing the calls to PDO, so I'm guessing he will take a closer look at his SQL logic at a later time. PS: I'm quite sure he is checking an order id and getting its status, which there is no real reason to be afraid of having someone accessing other IDs.
ohh gotcha, in that case I would also use $_GET xD

Fetching the data is required. Please change

if ($request == "Odottaa"){

to

$row = mysqli_fetch_assoc($request);

if ($row["status"]== "Odottaa"){

Please remove echo "$request"; and ALL other output statements from your script before the header statement so that header location can be executed.

On the other hand, please use a parameterized prepared statement to avoid SQL injection.

1 Comment

fetch_all returns an array; shouldn't it be if (isset($row[0]) && $row[0]["status"] === "Odottaa"){
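Both answers above make the same three points: bind the id as a parameter instead of interpolating it, actually fetch the row, and send no output before header(). The script below is an added example that puts all three together; it is not code from the question or from either answer. It assumes, as the question does, that secure/secure.php enforces login and secure/config.php creates $link as a mysqli connection, and it keeps the question's table and column names and its "Odottaa" comparison value.

```php
<?php
// Added example: the question's script rewritten as the answers suggest.
// Assumes secure/secure.php (login check) and secure/config.php ($link, a
// mysqli connection) exist exactly as in the question.
require "secure/secure.php";
include "secure/config.php";

// Validate the id before it goes anywhere near SQL: it must be an integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid order id');
}

// Prepared statement: the value is bound as a parameter, never pasted into
// the query string, so a crafted id cannot change the SQL that runs.
$stmt = mysqli_prepare($link, "SELECT status FROM tilauskanta WHERE id = ?");
if ($stmt === false) {
    http_response_code(500);
    exit('Database error');
}
mysqli_stmt_bind_param($stmt, "i", $id);
mysqli_stmt_execute($stmt);

// mysqli_query()/mysqli_stmt_execute() only run the query; the row still has
// to be fetched. bind_result/fetch works without the mysqlnd driver, unlike
// mysqli_stmt_get_result().
mysqli_stmt_bind_result($stmt, $status);
$found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
mysqli_stmt_close($stmt);

if ($found !== true) {
    // Unknown order id: do not fall through to accept.php.
    http_response_code(404);
    exit('Order not found');
}

// Nothing has been echoed above this line, so header() can still send the
// redirect. Strict comparison on the fetched column, as the second answer shows.
if ($status === "Odottaa") {
    header("Location: kuljettaja.php");
} else {
    header("Location: accept.php?id=" . $id);
}
// header() does not stop the script; exit so nothing after the redirect runs.
exit;
```

One caveat the question's own description raises: this script reads the status in one query and accept.php changes it in another, so two drivers who load the page at the same moment can both see status 0 and both be sent to accept.php. The check-then-redirect here reduces the window but does not close it; the reliable fix is for accept.php to claim the order with a single conditional UPDATE (for example, only when the status is still 0) and to treat zero affected rows as "already taken".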
