0 
<?php header('Access-Control-Allow-Origin: *'); header("Access-Control-Allow-Headers : Content-Type"); include_once("db_connect.php"); if(isset($_GET["u"])){ $username = $_GET['u']; } else { echo "No UserName"; exit(); } if(isset($_GET["v"])){ $video= $_GET['v']; } else { echo "No Video ID"; exit(); } if(isset($_GET["like"])){ $like = $_GET["like"]; } else { echo "No Like Parameter added."; } $sql = "SELECT * FROM rating WHERE video='$video' LIMIT 1"; $video_query = mysqli_query($db_connection, $sql); $numrows = mysqli_num_rows($video_query); if($numrows < 1){ $sql = "INSERT INTO rating (video,username) VALUES ('$video','$username')"; $video_query = mysqli_query($db_connection, $sql); } if(isset($_GET['like'])){ $counter = (int)$_GET["like"]; if($counter > 5 || $counter < 1){ echo "Rating Seems To Be Off?"; exit(); } $sql = "UPDATE rating SET like='$counter' WHERE video='$video' AND username='$username'"; $video_query = mysqli_query($db_connection, $sql); echo "Voted"; }else { echo "No Parameter to Vote was applied"; exit(); } ?>

Basically how I am writing the GETs are

?u=USERNAME&v=video0009&like=4

I want the like=4 to then update the INT from where the Video and Username match. Though it keeps staying at 0.

Also Keeping these as INT will that make it so that later I can count these together with mysqli_fetch_assoc ? just curious

Improve this question

2 Answers 2

Reset to default
2

like is a mysql reserved word so you need to quote them using back ticks.

Replace your query: 

$sql = "UPDATE rating SET like='$counter' WHERE video='$video' AND username='$username'";

with:

$sql = "UPDATE rating SET `like`='$counter' WHERE video='$video' AND username='$username'";

There are several other recommendations for your code. First and probably the most important is SQL Injection. Please read on SQL Injection here. Have a look on how you can implement mysqli_real_escape_string. You are passing raw input directly into your database.

Improve this answer
Sign up to request clarification or add additional context in comments.

9 Comments

Oh no wonder why. ok so I will change this and see if it works. IF so thank you!
Since I am new to this all, I tried reading the SQL injection and not sure what you mean.
@EasyBB, on SQL Injection, have a read on owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet, as it describes the prevention options.
Oh so basically he is saying using preg_replace(#[a-z0-9]#i,$_GET['u']); to sanitize it and prevent injections? I'm not sure really if I would need mysqli_real_escape_string or is that better than preg_replace?
Stop using regular sql statements and start using prepared statements. See net.tutsplus.com/tutorials/php/… & php.net/manual/en/mysqlinfo.api.choosing.php
|
0

1 like is mySql reserved keyword

2 your code is vulnerable to sql injection 

$video= $_GET['v']; $sql = "SELECT * FROM rating WHERE video='$video' LIMIT 1";

Warning : you are using Mysqli it doesn't mean you eliminated risk of Sql Injection your code is still vulnerable to sql injection you need to escape all get, post and request and the better approach will be using Prepared statement

Good Read

  1. How to prevent SQL injection in PHP?
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.