variable value gets lost [message #174451] |
Sun, 12 June 2011 19:13 |
Co
Hi All,
I have a page which shows the profile of one of my users.
The id of the user is sent to the page: profile.php?id=3
It is retrieved on the page by $id = $_GET['id'].
When I click a submit button on the page to add a message
to the user I lose his $id.
How can I preserve the value of $id to add the message to the user?
$sqlName = mysql_query("SELECT * FROM myMembers WHERE id='$logOptions_id' LIMIT 1")
    or die ("Sorry we had a mysql error!");
while ($row = mysql_fetch_array($sqlName)) {
    $firstname = $row["firstname"];
    $lastname = $row["lastname"];
    $username = $row["username"];
    $userid = $row["id"];
}
if ($userid != $id) {
    $query = mysql_query("SELECT * FROM profile_comments WHERE profile_id='$uid' AND user_id='$userid' AND comment='$comment'");
    $numrows = mysql_num_rows($query);
    print $numrows;
    if ($numrows == 0) {
        $commdate = date("d F Y"); // e.g. 08 October 2010
        print $commdate;
        mysql_query("INSERT INTO profile_comments VALUES ('', '$uid', '$userid', '$username', '$comment', '$commdate')");
    }
}
Marco
Re: variable value gets lost [message #174452 is a reply to message #174451] |
Sun, 12 June 2011 19:43 |
Mathieu Maes
On 12 jun, 21:13, Co <vonclausow...@gmail.com> wrote:
> Hi All,
>
> I have a page with shows the profile of one of my users.
> the id of the user is send to the page: profile.php?id=3
> It is retrieved on the page by $id = $_GET['id'].
>
> When I click a submit button on the page to add a message
> to the user I lose his $id.
> How can I preserve the value of $id to add the message to the user?
>
> $sqlName = mysql_query("SELECT * FROM myMembers WHERE
> id='$logOptions_id' LIMIT 1") or die ("Sorry we had a mysql error!");
>
> while ($row = mysql_fetch_array($sqlName)) { $firstname =
> $row["firstname"];$lastname = $row["lastname"];$username =
> $row["username"];$userid = $row["id"];}
>
> if ($userid != $id){
> $query = mysql_query("SELECT * FROM profile_comments WHERE
> profile_id='$uid' AND user_id='$userid' AND comment='$comment'");
> $numrows = mysql_num_rows($query);
> print $numrows;
> if ($numrows == 0){
> $commdate = date("d F Y"); // 08 October, 2010
> print $commdate;
> mysql_query("INSERT INTO profile_comments VALUES ('', '$uid',
> '$userid', '$username', '$comment', '$commdate')");
>
> Marco
Hi Marco,
Since you haven't provided the HTML code from your form, I will assume
the following:
<form method="post" action="profile.php">
....
<input type="submit" />
</form>
Look at the first line where I provide the form "action". If you click
the submit button, the data will be sent to profile.php which does not
contain your user ID (?id=9000).
I guess the best solution is to add the user ID inside the form as a
hidden input:
<form>
<input type="hidden" name="id" value="<?php echo htmlspecialchars($id, ENT_QUOTES); ?>" />
</form>
As a result, the User ID is being sent with your form, and can be read
as follows:
<?php
$id = $_POST['id']; //Assuming you're using POST method
?>
I should warn you that the ID is exposed to the user and can be
manipulated. If there are certain security limitations (i.e. only being
able to post comments to a certain group of users), you must validate
$_POST['id'] to make sure the user is allowed to post using that ID!!
Kind regards,
Mathew
Re: variable value gets lost [message #174459 is a reply to message #174451] |
Sun, 12 June 2011 21:06 |
Jerry Stuckle
On 6/12/2011 3:13 PM, Co wrote:
> Hi All,
>
> I have a page with shows the profile of one of my users.
> the id of the user is send to the page: profile.php?id=3
> It is retrieved on the page by $id = $_GET['id'].
>
> When I click a submit button on the page to add a message
> to the user I lose his $id.
> How can I preserve the value of $id to add the message to the user?
>
> $sqlName = mysql_query("SELECT * FROM myMembers WHERE
> id='$logOptions_id' LIMIT 1") or die ("Sorry we had a mysql error!");
>
> while ($row = mysql_fetch_array($sqlName)) { $firstname =
> $row["firstname"];$lastname = $row["lastname"];$username =
> $row["username"];$userid = $row["id"];}
>
> if ($userid != $id){
> $query = mysql_query("SELECT * FROM profile_comments WHERE
> profile_id='$uid' AND user_id='$userid' AND comment='$comment'");
> $numrows = mysql_num_rows($query);
> print $numrows;
> if ($numrows == 0){
> $commdate = date("d F Y"); // 08 October, 2010
> print $commdate;
> mysql_query("INSERT INTO profile_comments VALUES ('', '$uid',
> '$userid', '$username', '$comment', '$commdate')");
>
> Marco
You do NOT want to pass the user's id in either the form or the URL. It
is so easy to hack and assume the id of another user it's not even funny.
Rather, pass it in the $_SESSION.
Also, anything you pass in the URL is in the $_GET array. Variables
in your program are not automatically set (in a secure system, anyway).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
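Added example, not written by anyone in the thread: the two replies above combined for profile.php, with the commenter's id read from the session and the hidden "id" field validated before it is used. It targets PHP 7+ with PDO and an in-memory SQLite database rather than the mysql_* calls in the question; the 'member_id' session key, the column list of profile_comments, and the sample rows and requests are assumptions.

```php
<?php
// Added example: 'member_id', the extra columns and all rows/requests are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myMembers (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec('CREATE TABLE profile_comments (id INTEGER PRIMARY KEY,
           profile_id INTEGER, user_id INTEGER, comment TEXT, commdate TEXT)');
$db->exec("INSERT INTO myMembers VALUES (3, 'alice'), (7, 'marco')");

// On the real page, call this with $_SESSION and $_POST after session_start().
function add_profile_comment(PDO $db, array $session, array $post): string
{
    // Who is commenting: set at login, kept server-side, never read from the request.
    if (!isset($session['member_id'])) {
        return 'not logged in';
    }
    $authorId = (int) $session['member_id'];
    // Which profile: the hidden "id" field is untrusted, so check its syntax ...
    $profileId = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                            ['options' => ['min_range' => 1]]);
    if ($profileId === false) {
        return 'invalid id';
    }
    // ... that it names a real member ...
    $stmt = $db->prepare('SELECT 1 FROM myMembers WHERE id = ?');
    $stmt->execute([$profileId]);
    if ($stmt->fetchColumn() === false) {
        return 'no such profile';
    }
    // ... and that this author may post there (the question's $userid != $id rule).
    if ($profileId === $authorId) {
        return 'not allowed';
    }
    // Bound parameters keep the comment text out of the SQL string.
    $stmt = $db->prepare('INSERT INTO profile_comments
        (profile_id, user_id, comment, commdate) VALUES (?, ?, ?, ?)');
    $stmt->execute([$profileId, $authorId, (string) ($post['comment'] ?? ''), date('d F Y')]);
    return 'ok';
}

$session = ['member_id' => 7];                           // constructed: marco is logged in
$requests = [
    ['id' => '3', 'comment' => "Hi, it's Marco"],        // form as rendered
    ['id' => '3', 'user_id' => '3', 'comment' => 'x'],   // extra user_id field: never read
    ['id' => 'abc', 'comment' => 'x'],                   // edited hidden field
    ['id' => '9000', 'comment' => 'x'],                  // id of no member
    ['id' => '7', 'comment' => 'x'],                     // own profile
];
foreach ($requests as $post) { echo json_encode($post), ' => ', add_profile_comment($db, $session, $post), "\n"; }
```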
Re: variable value gets lost [message #174462 is a reply to message #174459] |
Sun, 12 June 2011 21:17 |
Co
On 12 jun, 23:06, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> On 6/12/2011 3:13 PM, Co wrote:
>
>> Hi All,
>
>> I have a page with shows the profile of one of my users.
>> the id of the user is send to the page: profile.php?id=3
>> It is retrieved on the page by $id = $_GET['id'].
>
>> When I click a submit button on the page to add a message
>> to the user I lose his $id.
>> How can I preserve the value of $id to add the message to the user?
>
>> $sqlName = mysql_query("SELECT * FROM myMembers WHERE
>> id='$logOptions_id' LIMIT 1") or die ("Sorry we had a mysql error!");
>
>> while ($row = mysql_fetch_array($sqlName)) { $firstname =
>> $row["firstname"];$lastname = $row["lastname"];$username =
>> $row["username"];$userid = $row["id"];}
>
>> if ($userid != $id){
>> $query = mysql_query("SELECT * FROM profile_comments WHERE
>> profile_id='$uid' AND user_id='$userid' AND comment='$comment'");
>> $numrows = mysql_num_rows($query);
>> print $numrows;
>> if ($numrows == 0){
>> $commdate = date("d F Y"); // 08 October, 2010
>> print $commdate;
>> mysql_query("INSERT INTO profile_comments VALUES ('', '$uid',
>> '$userid', '$username', '$comment', '$commdate')");
>
>> Marco
>
> You do NOT want to pass the user's id in either the form or the URL. It
> is so easy to hack and assume the id of another user it's not even funny.
>
> Rather, pass it in the $_SESSION.
>
> Also, anything you pass in the URL is in the $_GET array. Variables
> in your program are not automatically set (in a secure system, anyway).
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstuck...@attglobal.net
> ==================
Jerry,
So instead of doing profile.php?id=3
I should put it in a $_SESSION?
What was the code for that again?
Marco
Re: variable value gets lost [message #174465 is a reply to message #174462] |
Mon, 13 June 2011 01:24 |
Jerry Stuckle
On 6/12/2011 5:17 PM, Co wrote:
> On 12 jun, 23:06, Jerry Stuckle<jstuck...@attglobal.net> wrote:
>> On 6/12/2011 3:13 PM, Co wrote:
>>
>>> Hi All,
>>
>>> I have a page with shows the profile of one of my users.
>>> the id of the user is send to the page: profile.php?id=3
>>> It is retrieved on the page by $id = $_GET['id'].
>>
>>> When I click a submit button on the page to add a message
>>> to the user I lose his $id.
>>> How can I preserve the value of $id to add the message to the user?
>>
>>> $sqlName = mysql_query("SELECT * FROM myMembers WHERE
>>> id='$logOptions_id' LIMIT 1") or die ("Sorry we had a mysql error!");
>>
>>> while ($row = mysql_fetch_array($sqlName)) { $firstname =
>>> $row["firstname"];$lastname = $row["lastname"];$username =
>>> $row["username"];$userid = $row["id"];}
>>
>>> if ($userid != $id){
>>> $query = mysql_query("SELECT * FROM profile_comments WHERE
>>> profile_id='$uid' AND user_id='$userid' AND comment='$comment'");
>>> $numrows = mysql_num_rows($query);
>>> print $numrows;
>>> if ($numrows == 0){
>>> $commdate = date("d F Y"); // 08 October, 2010
>>> print $commdate;
>>> mysql_query("INSERT INTO profile_comments VALUES ('', '$uid',
>>> '$userid', '$username', '$comment', '$commdate')");
>>
>>> Marco
>>
>> You do NOT want to pass the user's id in either the form or the URL. It
>> is so easy to hack and assume the id of another user it's not even funny.
>>
>> Rather, pass it in the $_SESSION.
>>
>> Also, anything you pass in the URL is in the $_GET array. Variables
>> in your program are not automatically set (in a secure system, anyway).
>>
>
> Jerry,
>
> So instead of doing profile.php?id=3
> I should put it in a $_SESSION?
> What was the code for that again?
>
> Marco
Try the manual. You can find it at http://www.php.net. There are
plenty of examples.
Don't expect people to write your code for you. If you're too lazy to
try to learn how to properly code in PHP (i.e. get books, read
tutorials, etc.), then hire someone to do it for you.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================