Solved

Session name into database...

Posted on 2013-12-03
6
194 Views
Last Modified: 2013-12-12
Hello all. . .

I have a login system.

I want the users to be able to click a curtain "radio" and then update the database with the users "username" (sessionname).

I use foreach to get both first and last name:
foreach($_SESSION as $key => $value) {
    echo  'Current session variable ' . $key . ' is: ' . $value . '<br />';
}

Open in new window


But if i use $value in a "radio", it will only take the first name and put it into the database:
<td><input type="radio" name ="ny_c10" value = $value ></td>

Open in new window


if(isset($_POST['ansat_kiosk_opdater'])){
$UpdateQuery = "UPDATE ansat_kiosk SET c8='$_POST[ny_c8]', c9='$_POST[ny_c9]', c10='$_POST[ny_c10]'  WHERE ID='$_POST[ID]'";
mysqli_query($link, $UpdateQuery);
};

Open in new window


How can i put both first and last name into the "c10"?
0
Comment
Question by:Mike Kristensen
  • 4
  • 2
6 Comments
 

Author Comment

by:Mike Kristensen
ID: 39694154
Oki seemed to fix this in another way......

Instead of "radio" i just made a "update" for each "input type=text", using a "submit".

if(isset($_POST['overtag_c12'])){
$UpdateQuery = "UPDATE ansat_kiosk SET c12='$value' WHERE ID='$_POST[ID]'";
mysqli_query($link, $UpdateQuery);
};

Open in new window


<td><input type="submit" name="overtag_c12" value="Overtag" /> </td>

Open in new window


This not just Works, it will also Work better..... Funny how you often figure Things out as soon you ask someone... (sometimes :))
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39694178
This query is almost certain to get your data base destroyed some day

UPDATE ansat_kiosk SET c12='$value' WHERE ID='$_POST[ID]'

It is axiomatic that you must use valid PHP code and you must sanitize your variables before you use them in a query. These articles will help you understand why you want to use quotes around array index names and why you want to avoid using external variables in a query.

Quotes:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12241-Quotation-Marks-in-PHP.html

See Antipractice #18
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_12293-AntiPHPatterns-and-AntiPHPractices.html

PHP Security and External Variables:
http://php.net/tut.php
http://php.net/manual/en/tutorial.forms.php
http://php.net/manual/en/language.variables.external.php
http://php.net/manual/en/security.php
0
 

Author Comment

by:Mike Kristensen
ID: 39698435
Global and external variables is that the same?

And where I found array index names? Im just not sure what you are talking about, and so its hard to understand what you are trying to tell me :P


UPDATE ansat_kiosk SET c12='$value' WHERE ID='$_POST[ID]'


Do you want me to use double quotes around $value? That is the only thing I seem to understand from your article that im missing?


And for you I explain how I understand it :D
single quotes does not allow more than 1 word? Also called substitution?
Double quotes allows substitution. Again this would be 2 words separated?

I can store a value with more words using single quotes, but i'm not allowed to use it with single quotes? (Still this seems to work, so I might not understand).
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 39698559
Maybe I assumed too much.  You probably want to step back from this specific application and take some time to get a foundation in how HTML, PHP, Databases work.  This article can help with that part of the background understanding.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_11769-And-by-the-way-I-am-new-to-PHP.html

I'll try to explain a bit more of this, but seeing the questions here it tells me that you would be much better off hiring a professional programmer.  It's going to take you too long to get this done by trial and error, and the resulting system is going to be riddled with security flaws.  Better safe than sorry!
Global and external variables is that the same?
These terms have different meanings, but they are related.  PHP global variables exist in every scope and namespace.
http://php.net/language.variables.scope.php

There is also the concept of super-global variables.  External request data from the HTML form is presented to the PHP script in $_GET or $_POST.
http://php.net/language.variables.superglobals.php
And where I found array index names?
There is a 1:1 relationship between the name= attribute in the HTML form input control and the array key in the superglobal request array.
http://php.net/manual/en/tutorial.forms.php

PHP array keys should be quoted.  This is wrong:
$_POST[ID]

Open in new window

and this is right:
$_POST['ID']

Open in new window

 The difference is explained here.  For better or worse, PHP has a very complicated and confusing way of dealing with quotes.  It requires great attention to detail.

HTML has rules about how to express information in forms.  This is wrong:
<td><input type="radio" name ="ny_c10" value = $value ></td>

Open in new window

This is right if you're inside a PHP HEREDOC block:
<td><input type="radio" name="ny_c10" value="$value" /></td>

Open in new window

This is right if you're not inside a HEREDOC, but instead are intermixing HTML with PHP:
<td><input type="radio" name="ny_c10" value="<?php echo $value;" /></td>

Open in new window

PHP has different meanings for single and double quotes.  Please read the article about quotes that I linked above.  Executive summary: Double quotes allow variable substitution inside the quote strings.

This statement is dangerous because it will send external data to the SQL engine without any checks on the content of the external data.  Consider what would happen to your data base if a hacker sent a POST request with ID=1 OR 1=1.  The query would match every row of the data base table.
UPDATE ansat_kiosk SET c12='$value' WHERE ID='$_POST[ID]'

Open in new window


A more sensible idea would be to cast the contents of $_POST['ID'] to be sure that it is an integer, and use a LIMIT clause to reduce the risk of wholesale damage.  PHP Example:
$id = (int)$_POST['id'];
$sql = "UPDATE ansat_kiosk SET c12='$value' WHERE ID=$id LIMIT 1";

Open in new window

I know there is a lot to learn here, and it takes time plus structured education and exercise.  Hopefully the "new to PHP" article can get you on the right path.  Best of luck with it, ~Ray
0
 

Author Closing Comment

by:Mike Kristensen
ID: 39714627
Be sure to understand the above before using it :=)
0
 

Author Comment

by:Mike Kristensen
ID: 39714628
Starter course PHP today.... Going to be great. :)
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now