NO SQL INJECTION ERROR

63 views Asked by At

When I submit this form this error appears NO SQL INJECTION. The action of this form is the same file .. I tried to do a lot of solutions and nothing works! How can I escape that error? There is no change on the database.

Here is the php code

    <?php 
   include '../inc/config.php';
include 'dbc.php';
page_protect();

if(!checkAdmin()) {
header("Location: login.php");
exit();
}


$ads_id = (isset($_GET['id']) ? $_GET['id'] : NULL);
if (!is_numeric($ads_id)) { die ('No SQL INJECTION') ;};
if ($ads_id) {
   $img_ads_info = $mysqli->query("SELECT * FROM `ads_image` WHERE `id` = '$ads_id'");
   $row = $img_ads_info->fetch_object();
$section_id = $row->user_id;
    $ads2 = $mysqli->query("SELECT users.company_name FROM ads_image,users where 
ads_image.user_id = users.id AND ads_image.user_id='$section_id'");
    $row2 = $ads2->fetch_object();


?>   
            <div class="panel panel-default ">
                <div class="panel-heading" id="accordion"><span class="glyphicon 
 glyphicon-comment"></span><?php echo $row->description; ?></div>

                <div class="panel-body">
<form role="form" action="manage_images_ads.php" method="POST">
                            <div class="form-group">
                            <input type="hidden" name="id" value="<?php echo $row->id; 
 ?>" />
                                <label>اسم المؤسسة المعلنة</label>
                                <input required name="company_name" class="form-
 control" type="text" maxlength="255" value="<?php echo $row2->company_name; ?>"/> 
                            </div>
                            <div class="form-group">
                                <label>عنوان الإعلان</label>
                                <input required name="title" class="form-control" 
 type="text" maxlength="255" value="<?php echo $row->title; ?>"/> 
                            </div>                          
                            <div class="form-group">
                                <label>صورة الإعلان</label>
                                <img src="upload/<?php echo $row->up; ?>" /> 
                            </div>
                            <div class="form-group">
                                <label>عدد المشاهدات</label>
                                <input required name="views" class="form-control" 
type="text" maxlength="255" value="<?php echo $row->views; ?>"/> 
                            </div>
                            <div class="form-group">
                                <label>رابط الإعلان</label>
                                <input required name="ad_link" class="form-control" 
type="text" maxlength="255" value="<?php echo $row->ad_link; ?>"/> 
                            </div>




                            <button style="float:left" type="submit" 
value="submit" class="btn btn-success btn-md" id="btn-chat">Send</button>

                            </div>
                        </form>         




<?php
if(isset($_POST['submit'])) {
$title = $mysqli->real_escape_string($_POST['title']);
$ad_link = $mysqli->real_escape_string($_POST['ad_link']);
$views = $mysqli->real_escape_string($_POST['views']);


if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

$sql = "UPDATE ads_image SET `title`='$title',`ad_link`='$ad_link',`views`='$views'
WHERE `id`='$ads_id'";

if ($mysqli->query($sql) === TRUE) {
   echo "Record updated successfully";
 } else {
   echo "Error updating record: " . $mysqli->error;
 }



 $mysqli->close();
}
}
?>
1

There are 1 answers

0
user2655603 On

The reason is that your form has 'method="POST"' while php is looking for id in the $_GET superarray. Just change

$ads_id = (isset($_GET['id']) ? $_GET['id'] : NULL);

to

$ads_id = (isset($_POST['id']) ? $_POST['id'] : NULL);

and it should start work properly.