php - Insert username pulled from table into another table


This is driving me nuts. I'm learning PHP, and this problem has had me all day. I'm pulling info from the users database table and using it in a form to insert into another table.

I want the user's id and username. I tried $userid = $_GET['id']; which works great, but not when trying $username = $_GET['username']. The form is echoing the user id in the URL, so why only the id?

If I echo the username it works, so I'm a little stumped. I guess if I echoed the username in the URL it would work, as the id does, but I don't want to echo the username, or both, to be honest, unless I have to.

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL);

    include_once '../includes/conn.php';

    if (!$user->is_loggedin()) {
        $user->redirect('../users/login.php');
    }

    $stmt = $conn->prepare("SELECT id, username FROM users");
    $stmt->execute();
    $userrow = $stmt->fetch(PDO::FETCH_ASSOC);

    $userid = $_GET['id'];
    $username = $_GET['username'];

    if (isset($_POST['submit'])) {
        $category = trim($_POST['category']);
        $points = trim($_POST['points']);
        $reason = trim($_POST['reason']);

        if ($category == "") {
            $error[] = "Select a category.";
        } else if ($points == "") {
            $error[] = "Provide points.";
        } else if ($reason == "") {
            $error[] = "Provide a reason.";
        } else if (strlen($reason) < 6) {
            $error[] = "Reason must be at least 6 characters<br /><br />";
        } else {
            try {
                $sql = "INSERT INTO infractions(userid,username,category,points,reason) VALUES(?,?,?,?,?)";
                $stmt = $conn->prepare($sql);
                $stmt->execute(array($userid, $username, $category, $points, $reason));
            } catch (PDOException $e) {
                echo $e->getMessage();
            }
        }
    }
    ?>
    <!DOCTYPE html>
    <html lang="en">
    <head>
        <title>EpicOwl UK | CMS Users Add Infraction</title>
        <meta charset="utf-8">
        <link rel="shortcut icon" href="../images/favicon.ico" type="image/x-icon" />
        <link rel="stylesheet" type="text/css" href="../css/main.css">
    </head>
    <body>
    <div id="header">
        <a href="index.php"><img id="logo" src="../images/logo.png" /></a>
        <div id="navigation">
            <ul>
                <a href="../index.php"><li>Home</li></a>
                <a href="../users/profile.php"><li>My Profile</li></a>
                <a href="./index.php"><li>Admin Panel</li></a>
            </ul>
        </div>
    </div>
    <div id="content">
    <form method="$_POST"><br />
        <h2>Give <?php echo ($userrow['username']); ?> an infraction</h2>
        <label><strong>Category:</strong></label><br />
        <select name="category">
            <option value="select category">Select category</option>
            <option value="language used">Language used</option>
            <option value="breaking rules">Breaking rules</option>
            <option value="double posting">Double posting</option>
        </select><br /><br />
        <label><strong>Number of points to award:</strong></label><br />
        <input type="text" name="points" maxlength="50" /><br /><br />
        <label><strong>Reason:</strong></label><br />
        <textarea name="reason" rows="13" cols="60" maxlength="255"></textarea><br /><br />
        <button type="submit" name="submit">Add infraction</button><br /><br /><br />
    </form>
    </div>
    <div id="footer">
        <p class="copyright">&copy; EpicOwl UK. All rights reserved.</p>
    </div>
    </body>
    </html>

It looks like you are mixing prepared statements and plain queries. The query should have placeholders for the values, which are then inserted by the PHP driver.

Here is one approach...

    $sql = "INSERT INTO infractions(userid,username,category,points,reason) VALUES(?,?,?,?,?)";
    $stmt = $conn->prepare($sql);
    $stmt->execute(array($userid, $username, $category, $points, $reason));

Here's a second way...

    $sql = "INSERT INTO infractions(userid,username,category,points,reason) VALUES(:userid, :username, :category, :points, :reason)";
    $stmt = $conn->prepare($sql);
    $stmt->execute(array(':category' => $category, ':points' => $points, ':reason' => $reason, ':userid' => $userid, ':username' => $username));

And a third approach...

    $sql = "INSERT INTO infractions(userid,username,category,points,reason) VALUES(:userid, :username, :category, :points, :reason)";
    $stmt = $conn->prepare($sql);
    $stmt->bindParam(":category", $category);
    $stmt->bindParam(":points", $points);
    $stmt->bindParam(":reason", $reason);
    $stmt->bindParam(":userid", $userid);
    $stmt->bindParam(":username", $username);
    $stmt->execute();

I use bindings less, so there might be issues there, but I believe those are correct usages.

Here's the PHP manual on it: http://php.net/manual/en/pdo.prepared-statements.php

The reason for prepared statements is to separate out user-provided data from the SQL. Without that separation you can run into SQL injections, or failed queries, for example if Mr. O'Brien tried to create an account/login.

SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

https://www.owasp.org/index.php/SQL_Injection

And this thread goes over ways of preventing this:

How can I prevent SQL injection in PHP?

The method attribute of the form element tells the form how the data should be transmitted. The values are POST or GET. You seem to be mixing these in the PHP as well.

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form

POST: corresponds to the HTTP POST method; form data is included in the body of the form and sent to the server.

GET: corresponds to the HTTP GET method; form data is appended to the action attribute URI with a '?' separator, and the resulting URI is sent to the server. Use this method when the form has no side-effects and contains only ASCII characters.

PHP usages:
http://php.net/manual/en/reserved.variables.get.php
http://php.net/manual/en/reserved.variables.post.php
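As an added example (not the asker's or the answerer's code), the following puts the answer's two points together: read only the id from the URL, look the username up server-side with a placeholder, and insert with a prepared statement. It uses an in-memory SQLite database with constructed rows so it runs stand-alone; the table and column names follow the question.

```php
<?php
// Added example: in-memory SQLite stands in for the real conn.php connection.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$conn->exec("CREATE TABLE infractions (id INTEGER PRIMARY KEY AUTOINCREMENT,
             userid INTEGER, username TEXT, category TEXT, points INTEGER, reason TEXT)");
// Constructed sample user; the apostrophe is the case the answer mentions.
$conn->exec("INSERT INTO users (id, username) VALUES (7, 'Mr. O''Brien')");

// 1. Only the id travels in the URL (?id=7). The username is fetched from the
//    users table with a placeholder, so it never has to be echoed into the URL.
$userid = (int)($_GET['id'] ?? 7);          // 7 stands in for the query string when run from the CLI
$stmt = $conn->prepare("SELECT id, username FROM users WHERE id = :id");
$stmt->execute([':id' => $userid]);
$userrow = $stmt->fetch(PDO::FETCH_ASSOC);
if ($userrow === false) {
    exit("unknown user id\n");
}

// 2. Why placeholders matter: concatenating the same values into the SQL text
//    breaks on the apostrophes (the "failed query" case), whereas the prepared
//    statement hands them to the driver purely as data.
$reason = "Posted 'hello' twice";
try {
    $conn->exec("INSERT INTO infractions (userid, username, category, points, reason)
                 VALUES ($userid, '{$userrow['username']}', 'double posting', 2, '$reason')");
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

$sql = "INSERT INTO infractions (userid, username, category, points, reason)
        VALUES (:userid, :username, :category, :points, :reason)";
$stmt = $conn->prepare($sql);
$stmt->execute([
    ':userid'   => $userrow['id'],
    ':username' => $userrow['username'],
    ':category' => 'double posting',
    ':points'   => 2,
    ':reason'   => $reason,
]);
printf("prepared insert stored %d row(s) for %s\n",
       $conn->query("SELECT COUNT(*) FROM infractions")->fetchColumn(),
       $userrow['username']);
```

Run from the command line, the concatenated INSERT raises a syntax error while the prepared INSERT stores exactly one row; the same contrast applies to any value a visitor controls, not just names with apostrophes.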

