How can I save a JS variable in a PHP table?

Time:12-18

After calculating the grade of a quiz in a JS file, I'm trying to take that variable to update the grade of that particular student in a PHP file.

The script is executed in the user area where the user id is set.

Errors: the indicated user is not updated; probably the variable doesn't arrive or PHP is not set up properly.

To transport the grade variable from JS to the PHP file I used this code, which is executed at the end of the quiz:

quiz.js

var vote = userScore * 10;

window.open('/php/vote.php?vote=' + vote);

private-area.php

<?php
    require 'php/config.php';

    $_SESSION["id_utente"];

    $sessionId = $_SESSION["id_utente"];
    
    $user = mysqli_fetch_assoc(mysqli_query($connessione, "SELECT * FROM utenti WHERE id_utente = $sessionId"));
?>

vote.php (first time I update)

<?php

require_once('config.php');

$var_voto = $_GET['vote'];


if($connessione->connect_error){
    echo "Registrazione avvenuta con successo";

    $query = $connessione->prepare("UPDATE utenti SET voto = $var_voto  WHERE id = $user ");
    $query->bind_param('voto', $id);
    $result = $query->execute();

}else{
    echo "Error";
}


?>

CodePudding user response:

You can use bindParam like below:

$query = $connessione->prepare("UPDATE utenti SET voto = :var_voto WHERE id = :user ");

$query->bindParam(':var_voto',$var_voto);

$query->bindParam(':user', $user );

CodePudding user response:

Your MySQL appears incorrect. You shouldn't be using variables inside SQL queries, certainly not with prepared statements to avoid any SQL injection.

Try

$query = $connessione->prepare("UPDATE utenti SET voto = ? WHERE id = ?");
$query->bind_param('ii', $var_voto, $user);
$result = $query->execute();

This is assuming that voto and id in your database are integer types. If they are strings/varchar replace ii with ss in bind_param.

By way of an explanation, use ? to specify parameterised data inside your prepared query and bind them with the data using bind_param. The first argument is the data type; we're using i for integers in the above code, and two of them (i.e. ii) because we're binding two parameters ($var_voto and $user). See https://www.php.net/manual/en/mysqli-stmt.bind-param.php for more. The second, third, fourth, fifth etc. arguments are the variables containing the data we wish to insert (or bind) to the query.
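
The advice in the answers above, put together as an added example that is not part of the original thread: a vote.php that takes the user id from the session, validates the grade sent by the browser, and binds both values as integers. It assumes config.php creates the mysqli object $connessione as on the page, that the key column is id_utente as in the question's SELECT, and that grades run from 0 to 100.

```php
<?php
// vote.php - added example, not the original poster's code.
require_once 'config.php'; // assumed to create $connessione (mysqli), as on the page

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// A failed connection is the error case; the question's test was inverted.
if ($connessione->connect_error) {
    http_response_code(500);
    exit('Database connection failed');
}

// The user id comes from the server-side session, never from the request.
$userId = $_SESSION['id_utente'] ?? null;
if (!is_int($userId) && !ctype_digit((string) $userId)) {
    http_response_code(401);
    exit('Not logged in');
}
$userId = (int) $userId;

// The grade is computed in the browser, so treat it as untrusted input:
// accept only an integer in the expected range.
$maxVote = 100; // assumption: userScore is at most 10, multiplied by 10
$vote = filter_input(INPUT_GET, 'vote', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => $maxVote],
]);
if ($vote === null || $vote === false) { // parameter missing or not a valid integer
    http_response_code(400);
    exit('Invalid vote');
}

// Placeholders keep both values out of the SQL text; 'ii' binds two integers.
// The column name id_utente is an assumption taken from private-area.php.
$stmt = $connessione->prepare('UPDATE utenti SET voto = ? WHERE id_utente = ?');
if ($stmt === false) {
    http_response_code(500);
    exit('Query preparation failed');
}
$stmt->bind_param('ii', $vote, $userId);

if ($stmt->execute()) {
    echo 'Grade saved';
} else {
    http_response_code(500);
    echo 'Update failed';
}
$stmt->close();
```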
