SokrMan Posted August 30, 2010

I'm trying to create a website where users log in, and then when they add a new entry to the database their name is put as the author. This is how my tables are set up. One table is named job and has the columns id, jobtext, jobdate, and authorid. Another table is called author. This table contains the columns id, username, password, and name. Authorid from the job table matches with id from the author table.

When a user logs in, this code is used to register the name...

```php
    // (the opening "if" that checks the login is not shown in the post)
    session_start();
    $_SESSION['myusername'] = $_POST['myusername'];
    $_SESSION['mypassword'] = $_POST['mypassword'];
    header("location: index.php");
}
else {
    echo "Wrong Username or Password";
}
```

This is the form users use to add a new entry...

```php
if (isset($_GET['add']))
{
    $pagetitle = 'New Job';
    $action = 'addform';
    $text = '';
    $authorid = '';
    $id = '';
    $button = 'Add job';

    include $_SERVER['DOCUMENT_ROOT'] . '/jobs/includes/db.inc.php';

    // Build the list of authors
    $sql = "SELECT id, name FROM author";
    $result = mysqli_query($link, $sql);
    if (!$result)
    {
        $error = 'Error fetching list of authors.';
        include 'error.html.php';
        exit();
    }

    while ($row = mysqli_fetch_array($result))
    {
        $authors[] = array('id' => $row['id'], 'name' => $row['name']);
    }

    // Build the list of categories
    $sql = "SELECT id, name FROM category";
    $result = mysqli_query($link, $sql);
    if (!$result)
    {
        $error = 'Error fetching list of categories.';
        include 'error.html.php';
        exit();
    }

    while ($row = mysqli_fetch_array($result))
    {
        $categories[] = array(
            'id' => $row['id'],
            'name' => $row['name'],
            'selected' => FALSE);
    }

    include 'form.html.php';
    exit();
}

if (isset($_GET['addform']))
{
    include $_SERVER['DOCUMENT_ROOT'] . '/includes/db.inc.php';

    $text = mysqli_real_escape_string($link, $_POST['text']);
    $author = mysqli_real_escape_string($link, $_POST['author']);

    if ($author == '')
    {
        $error = 'You must choose an author for this job. Click ‘back’ and try again.';
        include 'error.html.php';
        exit();
    }

    $sql = "INSERT INTO job SET
            jobtext='$text',
            jobdate=CURDATE(),
            authorid='$author'";
    if (!mysqli_query($link, $sql))
    {
        $error = 'Error adding submitted job.';
        include 'error.html.php';
        exit();
    }

    $jobid = mysqli_insert_id($link);

    if (isset($_POST['categories']))
    {
        foreach ($_POST['categories'] as $category)
        {
            $categoryid = mysqli_real_escape_string($link, $category);
            $sql = "INSERT INTO jobcategory SET
                    jobid='$jobid',
                    categoryid='$categoryid'";
            if (!mysqli_query($link, $sql))
            {
                $error = 'Error inserting job into selected category.';
                include 'error.html.php';
                exit();
            }
        }
    }

    header('Location: .');
    exit();
}
```

Form.html.php =

```php
<?php include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/helpers.inc.php'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
    <title><?php htmlout($pagetitle); ?></title>
    <meta http-equiv="content-type" content="text/html; charset=utf-8"/>
    <style type="text/css">
    textarea {
        display: block;
        width: 100%;
    }
    </style>
</head>
<body>
    <?php session_start(); ?>
    <h1><?php htmlout($pagetitle); ?></h1>
    <form action="?<?php htmlout($action); ?>" method="post">
        <div>
            <label for="text">Type your job here:</label>
            <textarea id="text" name="text" rows="3" cols="40"><?php htmlout($text); ?></textarea>
        </div>
        <div>
            <label for="author">Author:</label>
            <select name="author" id="author">
                <option value="">Select one</option>
                <?php foreach ($authors as $author):?>
                <option value="<?php htmlout($author['id']); ?>"<?php if ($author['id'] == $authorid) echo ' selected="selected"'; ?>><?php htmlout($author['name']); ?></option>
                <?php endforeach; ?>
            </select>
        </div>
        <fieldset>
            <legend>Categories:</legend>
            <?php foreach ($categories as $category): ?>
            <div><label for="category<?php htmlout($category['id']); ?>"><input type="checkbox" name="categories[]" id="category<?php htmlout($category['id']); ?>" value="<?php htmlout($category['id']); ?>"<?php if ($category['selected']) { echo ' checked="checked"'; } ?>/><?php htmlout($category['name']); ?></label></div>
            <?php endforeach; ?>
        </fieldset>
        <div>
            <input type="hidden" name="id" value="<?php htmlout($id); ?>"/>
            <input type="submit" value="<?php htmlout($button); ?>"/>
        </div>
    </form>
</body>
</html>
```

Right now, under authors, it displays all the authors in the database. I want it to just show/submit the authorid of the logged in user.

DavidAM Posted August 30, 2010

First, do NOT store the user's password in the session. Your application should not need it, and if it does it should get it from the database. Session data is stored in a file and is NOT secure.

I usually store the user's ID in the session as well. Then when you insert a record, you can just pull the ID from the session instead of the form.

SokrMan Posted August 30, 2010

Okay, sounds good about the password! But HOW do I pull the ID from the session when inserting the record? I'm a PHP beginner.

DavidAM Posted August 30, 2010

When a user TRIES to log in, you should be checking the database to see if the username and password are valid:

```
SELECT id FROM users WHERE username='username' AND password='password'
```

Then you store the ID in the session (like you did with the username and password before).

```
$_SESSION['id'] = $row['id'];
```

Then when you insert the data you pull it from the session:

```
INSERT INTO jobs ( ... , authorid) VALUES(... , $_SESSION['id'])
```

That's all pseudo code, do not cut and paste to your script, it will not run.
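
Added example, not part of DavidAM's post or the thread's code: a runnable version of the flow he sketches, where login checks the credentials against the author table and keeps only the user's id in the session, and the insert takes authorid from the session instead of the form. Assumptions: PDO with an in-memory SQLite database replaces the site's mysqli/MySQL connection so the script runs stand-alone, passwords are stored as hashes and checked with password_verify() rather than compared in SQL, and login(), addJob(), $session and the sample user are hypothetical names.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite stands in
// for the site's mysqli/MySQL connection so the script runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE author (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, name TEXT)');
$db->exec('CREATE TABLE job (id INTEGER PRIMARY KEY, jobtext TEXT,
           jobdate TEXT, authorid INTEGER)');
// Constructed sample user. The password column holds a hash (assumption:
// the thread does not say how passwords are stored).
$db->prepare('INSERT INTO author (username, password, name) VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('s3cret-example', PASSWORD_DEFAULT), 'Alice']);

// Login: fetch the row by username, verify the hash, keep only the id.
// $session stands in for $_SESSION; on the real page call session_start()
// first and session_regenerate_id(true) after a successful login.
function login(PDO $db, array &$session, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT id, password FROM author WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return false; // same result for unknown user and wrong password
    }
    $session['authorid'] = (int) $row['id']; // never the password itself
    return true;
}

// Insert: authorid comes from the session; a posted "author" field is ignored,
// so a client cannot file a job under someone else's id.
function addJob(PDO $db, array $session, array $post): array
{
    if (!isset($session['authorid'])) {
        throw new RuntimeException('Not logged in');
    }
    $db->prepare('INSERT INTO job (jobtext, jobdate, authorid) VALUES (?, ?, ?)')
       ->execute([$post['text'] ?? '', date('Y-m-d'), $session['authorid']]);
    $stmt = $db->prepare('SELECT id, jobtext, authorid FROM job WHERE id = ?');
    $stmt->execute([$db->lastInsertId()]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$session = [];
var_dump(login($db, $session, 'alice', 'wrong-password'));
var_dump(login($db, $session, 'alice', 's3cret-example'));
// Constructed request that tries to claim another author's id.
print_r(addJob($db, $session, ['text' => 'Paint the fence', 'author' => '99']));
```

On the thread's pages the same functions would receive `$_SESSION` and `$_POST`, and the author `<select>` in form.html.php is no longer needed because the submitted value is never read.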

SokrMan Posted August 31, 2010

So what's the real code? And which page does it go into..?