PHP Code working in local machine - But not working in webserver

[fmax]

Dear All

In a web application for delete, I am using a different way rather than deleting record directly. In future admin can check who has deleted through collected login details. To achieve this i have created a column named COMPANY_STATUS instead of deleting i will change status to "N". The below code works fine in local machine but not working in web server. It is getting stuck at if(mysqli_query($con,$sql)){}

Code is a below

<?php

          if (isset($_GET['COMPANY_ID'])) {
               include('dataconn/connection.php');
               $id = $_GET['COMPANY_ID'];
               $PCompanySts = "N";
               $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`='$PCompanySts' WHERE COMPANY_ID='$id'";
               if(mysqli_query($con,$sql)){
                         session_start();
                         $_SESSION["delete"] = "Company Deleted Successfully!";
                         header("Location: /Companyindex.php");
               }else{
                         die("Something went wrong");
                         }
              }else{
                             echo "Company does not exist";
             }

Can someone guide me, what am i doing wrong

[Barand]

Have you got

• php error reporting turned on?
• mysqli error reporting turned on?

Have you checked error logs (on web server errors should be logged and not reported)?

[ginerjm]

You say you are getting  stuck at a certain line.  What does stuck mean?  Error message?  No response from script? 

[fmax]

5 hours ago, ginerjm said:

You say you are getting  stuck at a certain line.  What does stuck mean?  Error message?  No response from script? 

Its No Response from script.

[Danishhafeez]

It seems like your code is vulnerable to SQL injection, which could be causing issues, especially when running on the web server. It's always essential to sanitize user inputs to prevent such vulnerabilities.

<?php

if (isset($_GET['COMPANY_ID'])) {
    include('dataconn/connection.php');
    
    // Prepare an update statement
    $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`=? WHERE `COMPANY_ID`=?";
    
    // Attempt to prepare the SQL statement
    if ($stmt = mysqli_prepare($con, $sql)) {
        // Bind variables to the prepared statement as parameters
        mysqli_stmt_bind_param($stmt, "si", $PCompanySts, $id);
        
        // Set parameters
        $id = $_GET['COMPANY_ID'];
        $PCompanySts = "N";
        
        // Attempt to execute the prepared statement
        if(mysqli_stmt_execute($stmt)) {
            session_start();
            $_SESSION["delete"] = "Company Deleted Successfully!";
            header("Location: /Companyindex.php");
            exit();
        } else {
            echo "Something went wrong";
        }

        // Close statement
        mysqli_stmt_close($stmt);
    } else {
        echo "Error: Unable to prepare SQL statement.";
    }

    // Close connection
    mysqli_close($con);
} else {
    echo "Company does not exist";
}
?>

In this code:

We're using prepared statements to safely execute the SQL query.

User inputs are sanitized through parameter binding, reducing the risk of SQL injection.

I've added exit() after the redirect header to ensure that no further code is executed after the redirection.

 

Best Regard

Danish Hafeez | QA Assistant

ICTInnovations

[gizmola]

A couple of things:

• A way to mitigate the potential for sql injection (even if this is a backoffice tool) would be to cast the company id parameter to integer.
  • $id = (int)$_GET['COMPANY_ID'];
• See Danish's post to you for some helpful improvements.  Indeed you should use bound parameters as shown.  With that said, it's not relevant to your script not working.
  • Also omit the ending tag in your php scripts. (  ?> ) . 
• Just scanning the code provided, it seems likely there is an issue with the database connection on the production server.
  • You didn't provide that code but you probably aren't catching connection errors in dataconn/connection.php

[fmax]

On 3/15/2024 at 12:22 AM, Barand said:

Have you got

• php error reporting turned on?
• mysqli error reporting turned on?

Have you checked error logs (on web server errors should be logged and not reported)?

Thank you Barand for a reply, Yes i just turned on and it popped connection issue of PATH and i have sorted it out using code of Danishhafeez

[fmax]

On 3/15/2024 at 10:17 AM, Danishhafeez said:

It seems like your code is vulnerable to SQL injection, which could be causing issues, especially when running on the web server. It's always essential to sanitize user inputs to prevent such vulnerabilities.

<?php

if (isset($_GET['COMPANY_ID'])) {
    include('dataconn/connection.php');
    
    // Prepare an update statement
    $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`=? WHERE `COMPANY_ID`=?";
    
    // Attempt to prepare the SQL statement
    if ($stmt = mysqli_prepare($con, $sql)) {
        // Bind variables to the prepared statement as parameters
        mysqli_stmt_bind_param($stmt, "si", $PCompanySts, $id);
        
        // Set parameters
        $id = $_GET['COMPANY_ID'];
        $PCompanySts = "N";
        
        // Attempt to execute the prepared statement
        if(mysqli_stmt_execute($stmt)) {
            session_start();
            $_SESSION["delete"] = "Company Deleted Successfully!";
            header("Location: /Companyindex.php");
            exit();
        } else {
            echo "Something went wrong";
        }

        // Close statement
        mysqli_stmt_close($stmt);
    } else {
        echo "Error: Unable to prepare SQL statement.";
    }

    // Close connection
    mysqli_close($con);
} else {
    echo "Company does not exist";
}
?>

In this code:

We're using prepared statements to safely execute the SQL query.

User inputs are sanitized through parameter binding, reducing the risk of SQL injection.

I've added exit() after the redirect header to ensure that no further code is executed after the redirection.

 

Best Regard

Danish Hafeez | QA Assistant

ICTInnovations

Thank you Danish Hafeez for your reply and giving me your valuable advice, I have turned on error reporting and it popped path of db connection php file. I have used your code but it updated all 8 records but i have kept your advice in mind of preparing statement and parameter binding to solve the issue :)