
I know you can get the URL parameters by using `if(isset($_GET['id'])){ $id = $_GET['id'];` and this works great. If I then close that 'if' statement and create a new one for the update/append-entry form on this same page (it's the display page for each individual database entry), I can't get the id that's been passed in the URL in this next if statement.

It is the if-statement that submits a new row ("condition") to my child table ("conditions"), which has a foreign key that connects it to the parent table of health providers (the display page gets the provider's id from the search engine selection and displays their information, then has this "append entry" form at the bottom if someone wants to add a new health condition treated by this doctor).

Everything works if I give it the right id number directly in my PHP ($id = 56), but not if I try to grab it from the URL INSIDE this second if statement ($id = $_GET['id'];).

if (isset($_GET['providerid']))
{
    $providerid = $_GET['providerid'];  /* THIS WORKS GREAT */

    $sql = "SELECT *, GROUP_CONCAT(DISTINCT conditions.condition_name
            SEPARATOR ', ') AS all_conditions FROM `providers` INNER JOIN
            `conditions` ON `providers`.`id` = `conditions`.`prov_id` WHERE
            `prov_id` = $providerid";

    $data = mysqli_query($connection, $sql) or die('error');

    if (mysqli_num_rows($data) > 0) {
        $numresults = mysqli_num_rows($data);

        while ($row = mysqli_fetch_assoc($data)) {
            $providerid = $row['id'];
            $providerfirstname = $row['provider_first_name'];
            /* etc.... */
            $conditions = $row['all_conditions'];

            /* table displays provider info: */
            echo "<br><h1>" . $providerfirstname . " " . $providerlastname . "</h1>";
            echo '<TABLE id="myTable" width="350px" border="1">';
            // etc.... (cutting out details)
            echo '<tr><td><div id="myTable"><a href="#" id="addNew">Add+</a></div></td>'
               . '<td><b>Conditions Treated:</b></td>'
               . '<td>' . $conditions . '</td></tr>';

            /* If user wants to add a new condition treated by provider that's
               not listed: */
            echo '<tr><td></td><td>Add a new condition:</td><td><form'
               . ' action="profilebackup.php" method="POST"><input type="text"'
               . ' size="40" name="newcond" value="" placeholder="Add a Condition" />'
               . '<input type="submit" name="add1" value="Add"><br></form></td></tr>';
        }
        echo '</TABLE>';
    }
    else {
        echo "0 results";
    }
}

/* sends added conditions to child table, EVERYTHING WORKS EXCEPT
   GETTING ID (WHICH WORKED ABOVE): */

if (isset($_POST['add1'])) {
    $providerid = $_GET['providerid'];   /* the line that does not get the id */
    /* the form field is named "newcond", so read that key from $_POST */
    $condition = mysqli_real_escape_string($connection, $_POST['newcond']);

    $insql = "INSERT INTO `conditions` (condition_name, prov_id) VALUES
              ('$condition', '$providerid')";

    if (mysqli_query($connection, $insql)) {
        echo "Thank you! Your provider has successfully been submitted
              to the database!";
    }
    else {
        echo "Sorry, there was a problem submitting your provider to
              the database." . $insql . mysqli_error($connection);
    }
}

Everything works EXCEPT the GET lookup in the second if-statement. It returns an error saying that it does not satisfy the foreign key constraint: "Cannot add or update a child row: a foreign key constraint fails", because it's not grabbing the id.

mb9393
  • You're mixing `GET` and `POST` data in your 2 if statements. Is this intentional? Make sure `providerid` is in the URL even if you're submitting a POST request otherwise you won't have access to it. – waterloomatt Jul 06 '19 at 02:54
  • Parameterize your query and use error reporting. This is open to SQL injections as is. You also never use `$numresults` so might as well remove that line. – user3783243 Jul 06 '19 at 02:59
  • 1
    No offence, but this code is a mess and is overly complicated. You're breaking all the rules here: SQL injection, mixing HTML + PHP + SQL, badly named variables, malformed HTML, no error reporting. – waterloomatt Jul 06 '19 at 03:00
  • The POST is used for the submission form to append the provider information, which adds to the child table; I used POST here because I think it's more secure. I still used GET for the URL parameter. But I've tried both POST and GET for the submission form and neither works. Providerid is definitely showing up in the URL. – mb9393 Jul 06 '19 at 03:01
  • `Providerid is definitely showing up in the URL` - not when you submit that form. That's the issue. – waterloomatt Jul 06 '19 at 03:14
  • Oh yes, you're right. The answer below about changing the form I believe is the answer, trying to get it all correct. You're probably right that my code is a mess, I'm making everything up as I go, literally started learning code two months ago. I know I need to make it more secure...can I just escape them or do I have to use PDO? – mb9393 Jul 06 '19 at 03:25
  • You can stick with the mysqli API or switch over to PDO... both are suitable. Look into parameterized queries. And no worries about the mess... we all started there. Once you feel like you're ready for the next step, look into a framework. It'll help you reach the next level. – waterloomatt Jul 06 '19 at 03:44
  • Final tip - turn on error reporting! https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display. – waterloomatt Jul 06 '19 at 03:46

2 Answers


You are submitting a form via POST to profilebackup.php, but the handler for this form is trying to read the providerid from $_GET. You need to send the providerid as a query string in the form's action if you want to be able to access it via $_GET.

<form method="post" action="profilebackup.php?providerid=<?php echo $providerid; ?>" ...

The proper way to do this would be to include a hidden input in the form and then access it via $_POST consistently.

<form method="post" action="profilebackup.php">
    <input type="hidden" name="providerid" value="<?php echo $providerid; ?>">
    ...
</form>

And the handler code.

<?php
...

// Notice that now you can use $_POST consistently.
if (isset($_POST['add1'])) {
    $providerid = $_POST['providerid'];
    ...
waterloomatt
  • This worked!! Thank you! I didn't know about hidden fields, and I didn't realize how these GET statements work...kind of a rookie. Thanks this has been driving me insane! – mb9393 Jul 06 '19 at 03:42
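The hidden-field approach from the answer, carried through with input validation and a prepared statement, as an added example (not the asker's or answerer's code). It assumes the page's schema (`conditions`.`prov_id` is a foreign key to `providers`.`id`), the page's form field names (`providerid`, `newcond`, `add1`) and an already-open mysqli `$connection`; `renderAddConditionForm` and `handleAddCondition` are hypothetical names.

```php
<?php
// Added example: the "append condition" form and its POST handler. The provider
// id travels in a hidden field, so the handler reads everything from $_POST,
// and user input never becomes part of the SQL text.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors become exceptions

function renderAddConditionForm(int $providerId): string
{
    // Escape output so a value cannot break out of the attribute and alter the markup.
    $id = htmlspecialchars((string) $providerId, ENT_QUOTES, 'UTF-8');
    return '<form action="profilebackup.php" method="POST">'
         . '<input type="hidden" name="providerid" value="' . $id . '">'
         . '<input type="text" size="40" name="newcond" placeholder="Add a Condition">'
         . '<input type="submit" name="add1" value="Add">'
         . '</form>';
}

// Returns the new row id, or null when the form was not submitted.
function handleAddCondition(mysqli $connection, array $post): ?int
{
    if (!isset($post['add1'])) {
        return null;
    }
    // Accept only a positive integer id; anything else is rejected, not quoted.
    $providerId = filter_var($post['providerid'] ?? '', FILTER_VALIDATE_INT,
                             ['options' => ['min_range' => 1]]);
    $condition  = trim((string) ($post['newcond'] ?? ''));
    if ($providerId === false || $condition === '' || mb_strlen($condition) > 255) {
        throw new InvalidArgumentException('invalid providerid or condition');
    }
    // Placeholders: the values are sent separately from the statement text.
    $stmt = $connection->prepare(
        'INSERT INTO `conditions` (`condition_name`, `prov_id`) VALUES (?, ?)'
    );
    $stmt->bind_param('si', $condition, $providerId);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        // MySQL errno 1452 is the "Cannot add or update a child row" error from the
        // question: the id did not match any provider, so report that clearly.
        if ($e->getCode() === 1452) {
            throw new RuntimeException('unknown provider id ' . $providerId, 0, $e);
        }
        throw $e;
    }
    return $stmt->insert_id;
}

// Usage on profilebackup.php: $newId = handleAddCondition($connection, $_POST);
```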

The problem lies in the $sql statement, where it takes the variable $providerid as a string, not a PHP variable. $_GET works fine even if sending different protocols such as POST, PUT, DELETE, ... Something like this should work as expected:

$sql = "SELECT *, GROUP_CONCAT(DISTINCT conditions.condition_name
        SEPARATOR ', ') AS all_conditions FROM `providers` INNER JOIN
        `conditions` ON `providers`.`id` = `conditions`.`prov_id` WHERE
        `prov_id` = " . $providerid;
Lam Nguyen