Update database with form value

MowerQQ :

I'm trying to make a "reject" button that I can reject users' cards with and also store a message in my database that I'll show the user on another page. My problem is, if I add the input value to my 'update' command, it stops working.

if(isset($_POST['reject'])){
    $id = $_POST['rejecttext'];
    $allowed = mysqli_query($conn," UPDATE cards SET visibility = '1', confirmed = '2', rejecttext = {$_POST['rejecttext']} WHERE id = '$id' ");
}
<form action="" method="POST">
    <input value="<?php echo $record['id']; ?>" name="id" style="display: none;">
    <input type="submit" class="btn btn-success" name="accept"/>
    <input type="submit" class="btn btn-danger" name="reject"/>
    <input type="text" id="rejecttext" name="rejecttext">
</form>

Without this part, rejecttext = {$_POST['rejecttext']}, everything works fine.

porsekin :

You are missing quotes. Your query should look like this:

$allowed = mysqli_query($conn," UPDATE cards SET visibility = '1', confirmed = '2', rejecttext = '{$_POST['rejecttext']}' WHERE id = '$id' ");

As others have already mentioned, it is not really safe. You should consider using prepared statements: https://www.w3schools.com/php/php_mysql_prepared_statements.asp
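
The prepared-statement approach the answer recommends, as an added example that is not part of the original thread. `rejectCard()` is a hypothetical helper, `$conn` is assumed to be an open mysqli connection, and `cards.id` is assumed to be an integer taken from the form's hidden `id` field.

```php
<?php
declare(strict_types=1);

// Added example; rejectCard() is a hypothetical helper, not code from the thread.
// Assumptions: $conn is an open mysqli connection, cards.id is an integer column.

// Make mysqli throw exceptions, so a broken query is reported instead of
// silently "not working".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function rejectCard(mysqli $conn, array $post): bool
{
    // The card id comes from the hidden "id" field of the form.
    // Anything that is not a positive integer is refused before touching the DB.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }

    // The reject message is free text; it is never concatenated into the SQL.
    $text = trim((string)($post['rejecttext'] ?? ''));

    // Placeholders (?) keep user input out of the SQL string, so quoting
    // mistakes and SQL injection through rejecttext or id are both ruled out.
    $stmt = $conn->prepare(
        "UPDATE cards
            SET visibility = '1', confirmed = '2', rejecttext = ?
          WHERE id = ?"
    );
    $stmt->bind_param('si', $text, $id); // s = string, i = integer
    $stmt->execute();

    // affected_rows is 1 when the card existed and a value actually changed;
    // it is 0 for an unknown id or when the row already held these values.
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();

    return $changed;
}

// Same trigger as in the question: run only when the "reject" button was pressed.
if (isset($conn, $_POST['reject'])) {
    $rejected = rejectCard($conn, $_POST);
}
```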
