
I'm trying to make a bidding website and was writing a script which first shows the table of the product selected by the user, then allows them to put in their bidding amount. If the bidding value is less than the current bid, it goes back to the home page, or else it updates it.

The problem is that when the user presses the submit button and the isset function is called, the previous `$amount` and `$id` variables are no longer accessible and the SQL query does not run. This is probably due to the case that the above statements are executed again without the `$_GET` parameter receiving anything. Is there any way to change the scope of the variables or program execution so that they can be used in the POST function?

I tried printing the variables out but it was only giving me blank space on doing the same.

My code for the same is as follows:

```php
<?php
$db = mysqli_connect("localhost","root","","users");
// Product id from the query string (add_bid.php?id=...)
$id = $_GET['id'];
$query = mysqli_query($db,"Select * from bid_items where product_id='$id'");
$array = mysqli_fetch_array($query);

$table_str = '<table id="product table"><tr>
<th>Item ID</th><th>Owner Name</th><th>Item Name</th><th>Closing date</th><th>Bid amount</th><th>Status</th><th>Bid</th><th>History</th></tr>';
// Current highest bid for this product
$amount = $array["bid_amount"];

$table_str .= '<tr>';
$table_str .= '<td>'.$id.'</td><td>'.$array["owner_name"].'</td><td>'.$array["item_name"].'</td><td>'.$array["closing_date"].'</td><td>'.$amount.'</td><td>Open</td>'."<td><a href='add_bid.php?id={$array['product_id']}'>BID</a></td>".'<td>'.'<input type="submit" class="hist" value="history">'.'</td>';
$table_str .= '</tr>';

$table_str.='</table>';
echo $table_str;

// Runs when the bid form is submitted
if(isset($_POST['place_bid']))
{
  $bid_val = mysqli_real_escape_string($db, $_POST['bid_amt']);
  if($amount<$bid_val)
  {
    $db = mysqli_connect("localhost","root","","users");
    // Run the update once and keep its result
    $result = mysqli_query($db,"UPDATE bid_items set bid_amount='$bid_val' where product_id='$id'");
    if($result)
    {
      header("Location:bidding.php");
    }
  }
  else {
    echo '<script>alert("Your bid amount is lesser than the current bid value")</script>';
    header("Location:bidding.php");
  }
}
?>
```
Naman Sood
  • Your system is wide open for [SQL injection](https://stackoverflow.com/questions/601300/what-is-sql-injection) – DarkBee Oct 20 '20 at 09:12
  • If you want variables to persist in PHP you'll need to store them somewhere. Probably `$_SESSION` is the way to go for your scenario – DarkBee Oct 20 '20 at 09:13
  • Why not add the missing values to the form, or to the URL? – Nico Haase Oct 20 '20 at 09:14
  • Does this answer your question? [Variable persistence in PHP](https://stackoverflow.com/questions/1150944/variable-persistence-in-php) – Nico Haase Oct 20 '20 at 09:15
  • Currently security is not a major concern for me, I'll try working with hidden input fields. Will using Session here run my code from the start of the PHP script or only inside the ISSET function? – Naman Sood Oct 20 '20 at 09:22
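
Added example, not part of the original post or its comments: one way to handle the bid submission so that the product id is re-sent with the form (for instance as a hidden input) and the update uses placeholders with the comparison done inside the SQL statement. Table and column names follow the question; the PDO/SQLite in-memory database, the `place_bid` function and the sample requests are assumptions made so the block runs on its own.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper: validate the submitted values, then raise the bid
 * only if it is higher than the amount currently stored for that product.
 */
function place_bid(PDO $db, array $post): string
{
    // Each request starts the script from the top, so the id must arrive
    // with the POST itself, e.g. <input type="hidden" name="id" value="7">.
    $id  = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $bid = filter_var($post['bid_amt'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($id === false || $bid === false || $bid <= 0) {
        return 'invalid';
    }

    // Placeholders keep user input out of the SQL text. The "higher than
    // current bid" check runs inside the UPDATE, so it never relies on an
    // $amount value read during an earlier page load.
    $stmt = $db->prepare(
        'UPDATE bid_items SET bid_amount = ? WHERE product_id = ? AND bid_amount < ?'
    );
    $stmt->execute([$bid, $id, $bid]);

    return $stmt->rowCount() === 1 ? 'accepted' : 'rejected';
}

// Constructed database so the example runs offline (assumption: pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bid_items (product_id INTEGER PRIMARY KEY, item_name TEXT, bid_amount REAL)');
$db->exec("INSERT INTO bid_items VALUES (7, 'constructed sample item', 100)");

// Constructed form submissions: a higher bid, a lower bid, a non-integer id.
$requests = [
    ['id' => '7', 'bid_amt' => '150'],
    ['id' => '7', 'bid_amt' => '120'],
    ['id' => '7 OR 1=1', 'bid_amt' => '999'],
];
foreach ($requests as $post) {
    echo json_encode($post), ' => ', place_bid($db, $post), PHP_EOL;
}
```

The same statement shape works with mysqli prepared statements (`mysqli_prepare`, `mysqli_stmt_bind_param`) against the MySQL table from the question.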

0 Answers