
Please help me. I have a very small issue but I am not able to solve it. I am doing a rating system in PHP. Whenever I submit the form, the rating value is always inserted as 1. I have checked everything but could not solve it. Here is the database

Here is the HTML Form

<form action="includes/review-script.php" method="post">
    <input type="hidden" name="order_id" value="<?php echo $query_fetch->order_id; ?>">
    <div class="modal-content">
        <div class="modal-header">
            <h3 class="modal-title has-icon ms-icon-round ">Add Review</h3>
            <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
        </div>
        <div class="modal-body">
            <div class="col-xl-12 col-md-12 col-sm-12">
                <input name="rating" id="review_rating" value="0" type="hidden" class="rating" data-min=0 data-max=5 data-step=1 data-size="xs">
                    <div class="star-ratings-sprite" style="float: left;margin-bottom: 10px;">
                        <span style="" id="review_rating_show" class="star-ratings-sprite-rating"></span>
                    </div>
            </div>
            <div class="ms-form-group has-icon">
                <textarea name="review" class="form-control" placeholder="Write a review"></textarea>
            </div>
        </div>
        <div class="modal-footer">
            <button type="submit" name="submit" class="btn btn-primary shadow-none">Submit</button>
        </div>
    </div>
</form>

And here is the PHP script:

<?php
if(isset($_POST['submit']))
{
    $order_id = filter_var(htmlentities($_POST['order_id']),FILTER_SANITIZE_STRING);
    $rating = filter_var(htmlentities($_POST['rating']),FILTER_SANITIZE_NUMBER_INT);
    $user_id = $_SESSION['user_id'];
    $review = filter_var(htmlentities($_POST['review']),FILTER_SANITIZE_STRING);
    $create_date = date("F d, yy");

    $query = "SELECT * from product_ratings WHERE order_id = '".$order_id."' AND user_id = '".$user_id."'";
    $rating = $conn->prepare($query);
    $rating->execute();

    if($rating -> rowCount() > 0) {
        header ("Location: //localhost/Aahar-food-delivery/my-orders.php?error=rating");
        exit();
    }
    else
    {
        $sql = "INSERT INTO product_ratings(user_id, order_id, rating, review, create_date) VALUES(:user_id, :order_id, :rating, :review, :create_date)";
        if($stmt = $conn->prepare($sql)){

            $stmt->bindParam(":user_id", $user_id, PDO::PARAM_STR);
            $stmt->bindParam(":order_id", $order_id, PDO::PARAM_STR);
            $stmt->bindParam(":rating", $rating, PDO::PARAM_INT);
            $stmt->bindParam(":review", $review, PDO::PARAM_STR);
            $stmt->bindParam(":create_date", $create_date, PDO::PARAM_STR);
        
            // Attempt to execute the prepared statement
            if($stmt->execute()){
                // Redirect back to the orders page
                header ("Location: //localhost/Aahar-food-delivery/my-orders.php?review=success");
                exit();
            } else{
                // $e is not defined in this scope; report the statement's own error info instead
                echo "ERROR: Could not execute $sql. " . implode(' ', $stmt->errorInfo());
                header('Refresh:1;url=review-script.php');
            }

            // Close statement
            unset($stmt);
        }
    }
}
?>
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenated values – RiggsFolly Jul 14 '20 at 16:24
  • @RiggsFolly Ok thanks, but can you please help me with this problem – Debraz Jul 14 '20 at 16:26
  • PS There is no point preparing a concatenated query without any parameter placeholders; the damage is already done – RiggsFolly Jul 14 '20 at 16:31
  • Once you have checked that there is in fact a rating available `if($rating -> rowCount() > 0) {` You have to fetch it from the database to know if its a 1 or a 2 or a 3.... – RiggsFolly Jul 14 '20 at 16:36
  • Also I am not sure why once you check that there is a rating `if($rating -> rowCount() > 0) {` you consider that condition is an error – RiggsFolly Jul 14 '20 at 16:39
  • Did you give up??? – AbraCadaver Jul 28 '20 at 21:50
  • No @AbraCadaver, I tried a lot to fix it, and did it :) – Debraz Jul 30 '20 at 08:39

1 Answer


You define $rating here:

 $rating = filter_var(htmlentities($_POST['rating']),FILTER_SANITIZE_NUMBER_INT);

But then you redefine $rating as the return value of the prepare, which is a statement object and evaluates to 1:

$rating = $conn->prepare($query);

Also, get rid of all the filter_var and htmlentities crap and just use a prepared statement for the SELECT as well.

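Putting the answer and RiggsFolly's comments together, here is an added example of what includes/review-script.php can look like once the duplicate check is a real prepared statement and the submitted rating is no longer clobbered by a PDOStatement. This is not the asker's code nor AbraCadaver's. It assumes `$conn` is a PDO connection created in an assumed `db.php` with `PDO::ERRMODE_EXCEPTION` set, that `product_ratings` has the columns used in the question's INSERT with `create_date` as a DATETIME, and that the star widget produces 1 to 5 (so the hidden field's default `0` is treated as "no rating chosen"); the review length limit and the redirect paths are also assumptions.

```php
<?php
// Added example, not the asker's or the answerer's code: includes/review-script.php
// with a parameterized duplicate-check SELECT and a rating variable that is never
// overwritten. Assumed: $conn is a PDO connection defined in an assumed db.php
// (ERRMODE_EXCEPTION), product_ratings has the columns used in the question's
// INSERT, and create_date is a DATETIME column.
declare(strict_types=1);

session_start();
require_once __DIR__ . '/db.php'; // assumed: defines $conn (PDO)

if (!isset($_POST['submit'])) {
    http_response_code(405);
    exit('Method not allowed');
}

if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}
$user_id = $_SESSION['user_id'];

// Validate rather than "sanitize": reject anything that is not an integer in the
// range the star widget can produce. 1..5 is assumed here; the hidden field's
// default of 0 means no star was picked, so it is rejected as well.
$rating = filter_input(INPUT_POST, 'rating', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 5]]);
$order_id = trim((string) ($_POST['order_id'] ?? ''));
$review   = trim((string) ($_POST['review'] ?? ''));

// 2000-character cap on the review text is an assumed application limit.
if ($rating === false || $rating === null || $order_id === '' || strlen($review) > 2000) {
    header('Location: /Aahar-food-delivery/my-orders.php?error=invalid');
    exit();
}

try {
    // Duplicate check as a real prepared statement: placeholders, not concatenation.
    // The statement object goes into $existing, so $rating keeps the submitted value.
    $existing = $conn->prepare(
        'SELECT 1 FROM product_ratings WHERE order_id = :order_id AND user_id = :user_id LIMIT 1'
    );
    $existing->execute([':order_id' => $order_id, ':user_id' => $user_id]);

    // fetchColumn() instead of rowCount(): PDO does not guarantee rowCount()
    // for SELECT statements on every driver.
    if ($existing->fetchColumn() !== false) {
        header('Location: /Aahar-food-delivery/my-orders.php?error=rating');
        exit();
    }

    $insert = $conn->prepare(
        'INSERT INTO product_ratings (user_id, order_id, rating, review, create_date)
         VALUES (:user_id, :order_id, :rating, :review, :create_date)'
    );
    $insert->bindValue(':user_id', $user_id, PDO::PARAM_STR);
    $insert->bindValue(':order_id', $order_id, PDO::PARAM_STR);
    $insert->bindValue(':rating', $rating, PDO::PARAM_INT);   // an int now, not a PDOStatement
    $insert->bindValue(':review', $review, PDO::PARAM_STR);   // stored raw; escape when rendering
    $insert->bindValue(':create_date', date('Y-m-d H:i:s'), PDO::PARAM_STR);
    $insert->execute();
} catch (PDOException $e) {
    // Log the driver message server-side; never echo $sql or $e->getMessage() to the browser.
    error_log('review insert failed: ' . $e->getMessage());
    header('Location: /Aahar-food-delivery/my-orders.php?error=db');
    exit();
}

header('Location: /Aahar-food-delivery/my-orders.php?review=success');
exit();
```

Two things the question's script does that this version deliberately avoids: running `htmlentities()` on input (store the raw review and call `htmlspecialchars()` when it is rendered) and echoing `$sql` plus a driver error message to the browser on failure. One check is still missing, because the question does not show the orders table: `order_id` arrives in a hidden field the user controls, so the script should also confirm that the order belongs to `$_SESSION['user_id']` before inserting the review.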