fmax Posted March 14

Dear All

In a web application, for delete I am using a different way rather than deleting the record directly. In future the admin can check who has deleted it through the collected login details. To achieve this I have created a column named COMPANY_STATUS; instead of deleting, I will change the status to "N". The below code works fine on my local machine but is not working on the web server. It is getting stuck at if(mysqli_query($con,$sql)){}

Code is as below:

```php
<?php
if (isset($_GET['COMPANY_ID'])) {
    include('dataconn/connection.php');
    $id = $_GET['COMPANY_ID'];
    $PCompanySts = "N";
    $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`='$PCompanySts' WHERE COMPANY_ID='$id'";
    if (mysqli_query($con, $sql)) {
        session_start();
        $_SESSION["delete"] = "Company Deleted Successfully!";
        header("Location: /Companyindex.php");
    } else {
        die("Something went wrong");
    }
} else {
    echo "Company does not exist";
}
```

Can someone guide me, what am I doing wrong?
Barand Posted March 14

Have you got PHP error reporting turned on? mysqli error reporting turned on? Have you checked the error logs (on a web server, errors should be logged and not reported)?
ginerjm Posted March 14

You say you are getting stuck at a certain line. What does "stuck" mean? Error message? No response from the script?
fmax Posted March 15 (Author; marked as Solution)

> 5 hours ago, ginerjm said:
> You say you are getting stuck at a certain line. What does "stuck" mean? Error message? No response from the script?

It's no response from the script.
Danishhafeez Posted March 15

It seems like your code is vulnerable to SQL injection, which could be causing issues, especially when running on the web server. It's always essential to sanitize user inputs to prevent such vulnerabilities.

```php
<?php
if (isset($_GET['COMPANY_ID'])) {
    include('dataconn/connection.php');

    // Prepare an update statement
    $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`=? WHERE `COMPANY_ID`=?";

    // Attempt to prepare the SQL statement
    if ($stmt = mysqli_prepare($con, $sql)) {
        // Bind variables to the prepared statement as parameters
        mysqli_stmt_bind_param($stmt, "si", $PCompanySts, $id);

        // Set parameters
        $id = $_GET['COMPANY_ID'];
        $PCompanySts = "N";

        // Attempt to execute the prepared statement
        if (mysqli_stmt_execute($stmt)) {
            session_start();
            $_SESSION["delete"] = "Company Deleted Successfully!";
            header("Location: /Companyindex.php");
            exit();
        } else {
            echo "Something went wrong";
        }

        // Close statement
        mysqli_stmt_close($stmt);
    } else {
        echo "Error: Unable to prepare SQL statement.";
    }

    // Close connection
    mysqli_close($con);
} else {
    echo "Company does not exist";
}
?>
```

In this code:

- We're using prepared statements to safely execute the SQL query.
- User inputs are sanitized through parameter binding, reducing the risk of SQL injection.
- I've added exit() after the redirect header to ensure that no further code is executed after the redirection.

Best Regards,
Danish Hafeez | QA Assistant, ICTInnovations
gizmola Posted March 15

A couple of things:

A way to mitigate the potential for SQL injection (even if this is a backoffice tool) would be to cast the company id parameter to integer:

```php
$id = (int)$_GET['COMPANY_ID'];
```

See Danish's post to you for some helpful improvements. Indeed you should use bound parameters as shown. With that said, it's not relevant to your script not working.

Also omit the ending tag ( ?> ) in your PHP scripts.

Just scanning the code provided, it seems likely there is an issue with the database connection on the production server. You didn't provide that code, but you probably aren't catching connection errors in dataconn/connection.php.
fmax Posted March 16 (Author)

> On 3/15/2024 at 12:22 AM, Barand said:
> Have you got PHP error reporting turned on? mysqli error reporting turned on? Have you checked the error logs (on a web server, errors should be logged and not reported)?

Thank you Barand for the reply. Yes, I just turned it on and it showed a connection issue with the PATH, and I have sorted it out using Danishhafeez's code.
fmax Posted March 16 (Author)

> On 3/15/2024 at 10:17 AM, Danishhafeez said:
> It seems like your code is vulnerable to SQL injection, which could be causing issues, especially when running on the web server. It's always essential to sanitize user inputs to prevent such vulnerabilities.
>
> ```php
> <?php
> if (isset($_GET['COMPANY_ID'])) {
>     include('dataconn/connection.php');
>
>     // Prepare an update statement
>     $sql = "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS`=? WHERE `COMPANY_ID`=?";
>
>     // Attempt to prepare the SQL statement
>     if ($stmt = mysqli_prepare($con, $sql)) {
>         // Bind variables to the prepared statement as parameters
>         mysqli_stmt_bind_param($stmt, "si", $PCompanySts, $id);
>
>         // Set parameters
>         $id = $_GET['COMPANY_ID'];
>         $PCompanySts = "N";
>
>         // Attempt to execute the prepared statement
>         if (mysqli_stmt_execute($stmt)) {
>             session_start();
>             $_SESSION["delete"] = "Company Deleted Successfully!";
>             header("Location: /Companyindex.php");
>             exit();
>         } else {
>             echo "Something went wrong";
>         }
>
>         // Close statement
>         mysqli_stmt_close($stmt);
>     } else {
>         echo "Error: Unable to prepare SQL statement.";
>     }
>
>     // Close connection
>     mysqli_close($con);
> } else {
>     echo "Company does not exist";
> }
> ?>
> ```
>
> In this code:
>
> - We're using prepared statements to safely execute the SQL query.
> - User inputs are sanitized through parameter binding, reducing the risk of SQL injection.
> - I've added exit() after the redirect header to ensure that no further code is executed after the redirection.
>
> Best Regards,
> Danish Hafeez | QA Assistant, ICTInnovations

Thank you Danish Hafeez for your reply and for giving me your valuable advice. I have turned on error reporting and it showed the path of the DB connection PHP file. I used your code but it updated all 8 records; however, I have kept your advice about preparing the statement and parameter binding in mind to solve the issue :)
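As an added example (not code from the thread), here is the soft-delete handler with the thread's advice combined: mysqli exceptions so a failed connection or query surfaces instead of the script going silent, a bound parameter instead of string interpolation, no closing tag, exit after the redirect, and a transaction plus an affected_rows check so an UPDATE that matches more than one row is rolled back rather than flagging every company. It assumes dataconn/connection.php defines a mysqli object in $con and that COMPANY_ID is a string column (bind with "i" only if it is an integer column).

```php
<?php
// Added example, not from the thread. Assumes dataconn/connection.php
// defines $con (mysqli) and that COMPANY_ID is a string column.
// 1. Make mysqli throw exceptions so a bad connection or failed query is
//    never silent (the "no response from script" symptom in the thread).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
require 'dataconn/connection.php'; // must define $con

if (!isset($_GET['COMPANY_ID']) || $_GET['COMPANY_ID'] === '') {
    http_response_code(400);
    exit('Company does not exist');
}
$id = $_GET['COMPANY_ID'];

try {
    // 2. Transaction: the UPDATE is only kept if it touched exactly one row.
    $con->begin_transaction();

    // 3. Prepared statement: the id is sent as data, never pasted into SQL.
    //    Bind with "s" unless COMPANY_ID is an integer column: binding a
    //    non-numeric id with "i" turns it into 0, and MySQL then compares
    //    every string value as a number (non-numeric strings equal 0).
    $stmt = $con->prepare(
        "UPDATE `MASTER_COMPANY` SET `COMPANY_STATUS` = 'N' " .
        "WHERE `COMPANY_ID` = ? AND `COMPANY_STATUS` <> 'N'"
    );
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $touched = $stmt->affected_rows;
    $stmt->close();

    if ($touched !== 1) {
        $con->rollback();
        $_SESSION['delete'] = "Company not found or already deleted ($touched rows)";
    } else {
        $con->commit();
        $_SESSION['delete'] = 'Company Deleted Successfully!';
    }
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; never show SQL or file paths to the user.
    error_log('soft-delete failed for COMPANY_ID ' . $id . ': ' . $e->getMessage());
    $_SESSION['delete'] = 'Something went wrong';
}

// 4. Always stop after a redirect so nothing runs after the header.
header('Location: /Companyindex.php');
exit;
```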