inserting id into another table as a foreign id: how?..

[peppericious]

I want to allow users to post entries to a NEWS table and, if they wish, to post an accompanying image to an IMAGES table.

Tables are like this:

 

NEWS

id  // if there'll be an accompanying image, this id to be sent to IMAGES table

title

subtitle

created

news_entry

category

 

IMAGES

image_id

f_news_id // the foreign id of the associated post in NEWS table

filename

caption

description

 

So, the user comes to the insert_entry.php page and creates a post. If the user clicks an "Upload accompanying image" link, the news post id must be inserted in the f_news_id field when the image is uploaded.

 

Code excerpt from insert_entry.php:

// Insert the news_entry in the database...
	// Make the query:
	$q = "INSERT INTO
			news (title, subtitle, news_entry, category)
			VALUES ('$title', '$subtitle', '$news_entry', '$category')
			";		
	$r = @mysqli_query ($dbc, $q); // Run the query.
	if ($r) { // If it ran OK.		
		// Print a message:
		echo "<h1>Thank you!</h1>
		<p>You have successfully inserted the News Entry below.</p>";
		echo "<h1>" . stripslashes($title) . "</h1><h2>" . stripslashes($subtitle) . "</h2><p>" . stripslashes($news_entry) . "</p>";

	// get id of record just created
	$q = "SELECT id FROM news ORDER BY created DESC LIMIT 1";
	$r = mysqli_query($dbc, $q);
	while ($row = mysqli_fetch_assoc($r)) {
		// pass the id via GET in the URL
		echo "<a href='upload_image.php?=" . $row['id'] . "'>Upload image</a>";	
	}							
			mysqli_close($dbc);		
			?>

   

 

Code excerpt from upload_image.php:

// insert news post id into images table if user came via insert_entry.php page
	// Make the query:
		require_once ('includes/mysqli_connect.php'); // Connect to the db.
		$description = mysqli_real_escape_string($dbc, trim($_POST['description']));
		$caption = mysqli_real_escape_string($dbc, trim($_POST['caption']));
			if (isset($_GET['id'])) { // if there's a NEWS post id
			$q = "INSERT INTO
					images (f_news_id, filename, caption, description)
					VALUES ('$_GET['id']', '{$_FILES['upload']['name']}', '$caption', '$description')";
					} 
					else 
					{ // if user arrived at upload_image.php otherwise and there's *not* a NEWS post id
					$q = "INSERT INTO
					images (filename, caption, description)
					VALUES ('{$_FILES['upload']['name']}', '$caption', '$description')
					";
					}		
			$r = @mysqli_query ($dbc, $q); // Run the query.
			if ($r) { // If it ran OK.

		// Print a message:
			echo "<p>Info entered in images table.</p>";

 

Am I going about this the wrong way? Am new to php... so any advice much appreciated...

[Pikachu2000]

You can (and should) replace all of this:

// get id of record just created
	$q = "SELECT id FROM news ORDER BY created DESC LIMIT 1";
	$r = mysqli_query($dbc, $q);
	while ($row = mysqli_fetch_assoc($r)) {
		// pass the id via GET in the URL
		echo "<a href='upload_image.php?=" . $row['id'] . "'>Upload image</a>";	
	}							

 

With this:

$id = mysql_insert_id();
echo "<a href=\"upload_image.php?=$id\">Upload image</a>";

 

Also, why are you using stripslashes() on data retrieved from the database? If it has slashes in it that need to be removed, then the problem is occurring when the data is inserted. There should be no extra slashes when the data is retrieved if it's been escaped properly.

[peppericious]

Great, will try that.

 

I escaped all data before insertion in the db but then inserted the TinyMCE editor in the insert_entry.php page to allow user to do some formatting. After doing that, retrieved data contained slashes... so I added stripslashes() to eliminate them.

 

Any thoughts on that?..

[Pikachu2000]

I've never used TinyMCE, but I'll see if I can find anything about why it does that.

[Pikachu2000]

Before I get too deep into TinyMCE, are you sure that magic_quotes_gpc() is off?

[peppericious]

Oops.. it's on. (Am testing on local environment with MAMP.) I guess I need to modify php.ini and turn it off?.. As you can tell, I'm not up to speed on it...

 

So, I turn it off and remove the stripslashes for the retrieved data and everything will be ok?..

[Pikachu2000]

Yes, you should set magic_quotes_gpc() = Off in the php.ini file. Since it's a devel server, are you able to just truncate the tables and repopulate them, or do you need to fix the data that's already there?

[peppericious]

Yes, I can truncate the tables. No critical data in there at all.

 

However, I can't find magic_quotes_gpc() in the php.ini file... (There's a magic_quotes_sybase = Off setting, but not magic_quotes_gpc().)

 

The file I thought I needed to edit was in MAMP > conf > php5.3.

 

Am I looking in the right place?

 

Thx.

[Pikachu2000]

You can find out which file is being used by looking at the result of phpinfo(); then edit it accordingly. Mine resides in /Applications/MAMP/conf/php5, but yours may not if it's a different version.

[peppericious]

You can find out which file is being used by looking at the result of phpinfo(); then edit it accordingly. Mine resides in /Applications/MAMP/conf/php5, but yours may not if it's a different version.

 

phpinfo(); says it's exactly in the same location as on your drive... and that's the file I've opened for editing... but can find no reference in the file whatever to magic_quotes_gpc()... I think I may be going crazy...

[Pikachu2000]

Does it show up as On when you run the phpinfo()? If it does, and there's no entry for it in the php.ini file, just add it to the file and restart Apache.

 

magic_quotes_gpc = Off

[DavidAM]

You also need to turn off magic_quotes_runtime

 

There are three magic_quotes settings:

[*]magic_quotes_gpc - Affects the super globals: GET, POST, COOKIES, ENV

[*]magic_quotes_runtime - Affects most functions the "return data from any sort of external source including databases and text files"

[*]magic_quotes_sybase - Affects how the above settings behave, as well as stripslashes() and addslashes

 

See the manual for magic_quotes_runtime

 

Basically, these should all be OFF

[peppericious]

Thanks Pikachu2000 and DavidAM. I'll make those changes, as you suggest to php.ini.

 

Back to my original post though, for a moment...

I couldn't pass the news post id from the insert_entry.php page to the upload_image.php page via GET in the url as I planned. The script seemed to run normally but the id didn't update in the images table. I also tried echoing the id after passing it via GET to upload_image.php but nothing echoed out.

 

I did succeed in entering the id into f_news_id by using a session variable, however. But I still can't figure out why GET didn't work... Using GET would be the logical route to take in this situation, wouldn't it?…

[DavidAM]

Actually, while you should be able to pass it in GET, using a SESSION variable is more secure. Accepting it through GET, or even POST (as a hidden field) is not safe. The user can easily modify the form and send a different ID which would either cause your database INSERT/UPDATE to fail, or even worse, succeed but associate the image with the wrong news item.

[peppericious]

Actually, while you should be able to pass it in GET, using a SESSION variable is more secure. Accepting it through GET, or even POST (as a hidden field) is not safe. The user can easily modify the form and send a different ID which would either cause your database INSERT/UPDATE to fail, or even worse, succeed but associate the image with the wrong news item.

 

That's very helpful, thanks. Given the ease of working with session variables, I ask myself what advantage can be gained from using GET, or hidden POST variables?..

[DavidAM]

GET and POST are useful when the user is sending you data. But when you want to pass data from one script to another, or maintain a value between outputting the form and receiving the POST, SESSION variables are the way to go.

 

Hidden form fields do have their uses. I place a hidden field  on each form with a value from uniqid() (with a little obfuscation), and store the value in a session variable. If I receive a form without this id or with an id different from the session value, then someone is not playing nice, and I kick the post back.

 

I cringe whenever I read a post here of someone who is storing the price of the product they are selling in a hidden field so they can have it on the POST. A determined user could easily change the price and buy the item cheaper if the script does not verify the price on POST. (Maybe "determined" is not the right word here. It would take less than 60 seconds to do it and very little effort).

[peppericious]

Very, very useful info and much appreciated.

 

I didn't know of the existence of this site until just a couple of weeks ago and have learned *so* much. Only thing is, I now need to find some way of treating my newly-acquired php addiction..