Jump to content

Problem using $_SESSION

rocky48

By rocky48
in PHP Coding Help

 Share
Go to solution Solved by rocky48,

Recommended Posts

rocky48 Advanced Member

rocky48

Posted
Posted

I have written a script that queries a MYSQL database and the query is output as a table.

In this table I have managed to add a 'Radio' button to each row of the table.

When I submit I want the value stored for use in a later script.

I have been avised that the best way to do this is using $_SESSION.

Here is the script that outputs the query:

<?php
include("Loc_cverse_connect.php");
doDB();
Session_start();

//verify the Event exists
$verify_Event_sql = "SELECT ID, Event_Type FROM Events WHERE ID = '".$_POST["Event_Type"]."'";
$verify_Event_res =  mysqli_query($mysqli, $verify_Event_sql) or die(mysqli_error($mysqli));

//echo  $_POST["Event_Type"];

if (mysqli_num_rows($verify_Event_res) < 1) {
//this Event does not exist
$display_block = "<p><em>You have selected an invalid Event.<br/>
Please try again.</em></p>";
} else {
//get the Event ID
while ($Event_info = mysqli_fetch_array($verify_Event_res)) {
	$Event_ID = stripslashes($Event_info['ID']);
	$Event_Name = ($Event_info['Event_Type']);
}


//gather the Events
$get_Event_sql  = "SELECT Verses.ID AS versesID, Verses.Verse, Verses.Sub_Type, Verses.Event, Events.ID AS eventsID, Events.Event_Type, Event_Sub.ID AS event_SubID, Event_Sub.Event_Sub_Type
FROM Verses
LEFT JOIN Events
ON Verses.Event = Events.ID
LEFT JOIN Event_Sub
ON Verses.Sub_Type = Event_Sub.ID
WHERE Verses.Event = '".$_POST["Event_Type"]."' 
ORDER BY Verses.ID ASC";


$get_Event_res = mysqli_query($mysqli, $get_Event_sql) or die(mysqli_error($mysqli));

//create the display string
$display_block = "
<p> The Event Type is <b> 
 '".$Event_Name."'</b> </p>

<table width=\"70%\" cellpadding=\"3\" cellspacing=\"1\" border=\"1\" BGCOLOR=\"#87CEEB\" >
<tr>
<th>ID</th>
<th>VERSE</th>
<th>MOOD/SUB TYPE</th>
<th>Link</th>
</tr>";

while ($Verse_info = mysqli_fetch_array($get_Event_res)) {
	$Verse_id = $Verse_info['versesID'];
	$Verse_text = nl2br(stripslashes($Verse_info['Verse']));
	$Mood_info = $Verse_info['Event_Sub_Type'];

	//add to display
 	$display_block .= "
	<tr>
	<td width=\"1%\" valign=\"top\">".$Verse_id."<br/></td>
	<td width=\"55%\" valign=\"top\">".$Verse_text."<br/></td>
	<td width=\"35%\" valign=\"top\">".$Mood_info."<br/></td>
	<td width=\"9%\" valign=\"top\">
	<form action=\"VInput2.html\" ".method."=\"post\">
	<input type=\"Radio\" name=\"ID\" value=\"".$Verse_id."\"/>


	</td>
	</tr>";
}

//free results
mysqli_free_result($get_Event_res);
mysqli_free_result($verify_Event_res);

//close connection to MySQL
mysqli_close($mysqli);

//close up the table
$display_block .= "
<input type=\"submit\" value=\"SUBMIT\">

</form>
</table>";


}
$_SESSION[iD]=".$_POST.";
?>
<html>
<head>

<title> List of Verses</title>
</head>
<body BGCOLOR="#87CEEB">
<h1>Verses</h1>

<?php echo $display_block; ?>

</body>
</html>

I have tried putting the $_SESSION in various places, but it does not pass the value to the final script.

I reliased that the line had to be put outside of the loop, otherwise it displayed the ID number of the last row in the query.

Here is the final script where I am trying to use the value:

<?php
include("loc_cverse_connect.php");
doDB();
Session_start();

//Get the Card Variables
$Get_Size_sql = "SELECT * FROM `csize` WHERE `Size` ='".$_POST["CSize"]."'";
$Get_Size_res =  mysqli_query($mysqli, $Get_Size_sql) or die(mysqli_error($mysqli));

if (mysqli_num_rows($Get_Size_res) < 1) {
//this Card does not exist
$display_block = "You have selected an invalid Card size.
Please try again.";
} else {
//get the print variables
while ($Size_info = mysqli_fetch_array($Get_Size_res)) {
	$BoxX = stripslashes($Size_info['BoxX']);
	$Cellw = stripslashes($Size_info['Cellw']);
	$Cellh = stripslashes($Size_info['Cellh']);
	$SizeI = stripslashes($Size_info['Size']);
	$SID = stripslashes($Size_info['SID']);
	$floatx = stripslashes($Size_info['floatx']);
	$floaty = stripslashes($Size_info['floaty']);
	$floatw = stripslashes($Size_info['floatw']);
	$floath = stripslashes($Size_info['floath']);
	$ort = stripslashes($Size_info['ort']);
}
	//create the display string
	$display_block = "$ort";
}

//check the variable is being passed through
//if (isset($_SESSION['ID'])){
//echo 'ID is '.$_SESSION['ID'];
//}

//Goto end;
//verify the Event exists
$Get_Verse_sql = "SELECT ID, Event, Sub_Type, Verse FROM Verses WHERE ID = '".$_SESSION["ID"]."'";
$Get_Verse_res =  mysqli_query($mysqli, $Get_Verse_sql) or die(mysqli_error($mysqli));


if (mysqli_num_rows($Get_Verse_res) < 1) {
//this Event does not exist
$display_block = "You have selected an invalid Event.
Please try again.";
} else {
//get the Event ID
while ($Verse_info = mysqli_fetch_array($Get_Verse_res)) {
	$Verse = stripslashes($Verse_info['Verse']);
}
	//create the display string
$display_block = "$Verse";

//free results
mysqli_free_result($Get_Verse_res);
mysqli_free_result($Get_Size_res);
//close connection to MySQL

}

mysqli_close($mysqli);


require('fpdf.php');

class PDF extends FPDF
{
var $B;
var $I;
var $U;
var $HREF;

function PDF($orientation='P', $unit='mm', $size='A4')
{
    // Call parent constructor
    $this->FPDF($orientation,$unit,$size);
    // Initialization
    $this->B = 0;
    $this->I = 0;
    $this->U = 0;
    $this->HREF = '';
}



function SetStyle($tag, $enable)
{
    // Modify style and select corresponding font
    $this->$tag += ($enable ? 1 : -1);
    $style = '';
    foreach(array('B', 'I', 'U') as $s)
    {
        if($this->$s>0)
            $style .= $s;
    }
    $this->SetFont('',$style);
}

}

$color = $_POST[color];
$r = substr($color,0,3);
$g = substr($color,3,3);
$b = substr($color,6,3);
$image=$_POST[image];

$pdf = new PDF($ort,'mm','A4');
$pdf->AddPage();
$pdf->AddFont('French Script MT','','frscript.php');
$pdf->AddFont('Batavia','','Batavia_.php');
$pdf->AddFont('Algerian','','Alger.php');
$pdf->AddFont('Bladerunner','','BLADRMF_.php');
$pdf->AddFont('Brush Script','','BRUSHSCI.php');
$pdf->AddFont('Helterskelter','','Helte___.php');
$pdf->AddFont('Justice','','Justice_.php');
$pdf->AddFont('Magneto','','MAGNETOB.php');
$pdf->AddFont('Old English','','OldEngl.php');
$pdf->AddFont('Sneakerhead Outline','','Sneabo__.php');
$pdf->AddFont('Trendy','','Trendy__.php');
$pdf->AddFont('Vladimir Script','','VLADIMIR.php');
$pdf->SetTextColor($r,$g,$b);
$pdf->SetFont($_POST[fontface],'',$_POST[font]);
$pdf->SetXY($BoxX, $_POST[Top]);
$pdf->Image($image,$floatx,$floaty,$floatw,$floath,jpg,'');
$pdf->MultiCell($Cellw,$Cellh,$display_block,'' ,'C');
$pdf->SetFont('');
$pdf->Output('verse.pdf','D');
//end:
?>

The query output the text that shows that no ID number has been pased to the query.

 

Can anyone help me?

Link to comment
Share on other sites
Christian F. Member

Christian F.

Posted
Posted

  • Damnit.... Wrote a really long post, detailing all of the issues I found in your code, just to lose it in an accidental page refresh. >:(
     
    In short: You have some massive security holes in that code, due to complete lack of input validation and output escaping. The use of "intval ()" and the PHP input filters will help with the first, and for the latter you should read up on "htmlspecialchars ()" and "mysql_real_escape_string ()".
    "stripslashes ()" is completely unnecessary in your script, and a prime example of an
anti-pattern.
Completely unneeded while loop at line 20, as well as freeing of results and closing the database connection.
 
The biggest indication that you might have some issues with the basic syntax however, is this:
$_SESSION[iD] = ".$_POST.";


Where there are no less than 3 issues:

  1. Abuse of "ID" as constant, which will cause problems if it ever gets defined. Always use quotes around string values, which you have done on the second page.
  2. $_POST is an array, the code above will result in $_SESSION['ID'] containing ".Array."
  3. It seems you've fallen victim to an anti-pattern, and misunderstood how to use it on top of that. Some developers, who doesn't really know what they're doing, tend to concatenate string (or numerical) values with empty strings. What they think that's necessary I do not know, but it's a complete waste. (Like opening, closing, opening, walking through, closing, opening and then closing the door, every time you walk through one.)

The correct way to write that line, would have been as follows. Using the data you retrieved from the DB, and thus know to be correct & safe.

$_SESSION['ID'] = $Event_info['ID'];

 

Good points: Good work on the indenting and commenting, as well as parsing all PHP code before sending any HTML to the browser.

 

As for those who said that "session_start ()" needs to be at the very top of the file: No, it doesn't. It is sufficient that no content has been sent to the browser, to allow for the extra headers to be added to the HTTP response. This is fulfilled in this case.

Link to comment
Share on other sites
Pikachu2000 Prolific Member

Pikachu2000

Posted
Posted

"stripslashes ()" is completely unnecessary in your script . . .

 

I don't think you can accurately make that assertion without first verifying that the data was inserted properly and not double-escaped to begin with.

 

More accurately, stripslashes() shouldn't be necessary, and if it is, you're doing something wrong with the data that's being inserted, or php is misconfigured. If that's the case, once the issue is resolved stripslashes() will be unnecessary, unless you're writing code to be compatible with and portable to servers that (for whatever ignorant reason) have magic_quotes_gpc() and/or magic_quotes_runtime() ON.

 

More on magic_quotes: http://www.php.net/manual/en/security.magicquotes.what.php

Link to comment
Share on other sites
  • Solution
rocky48 Advanced Member

rocky48

Posted
  • Author
  • Solution
Posted

Thanks for the input!

I am a relatively new programmer and not that young anymore, so apoligies for my ignorance!

 

With all the comments that ChristianF made I am now overwelmed with the issues regarding the coding.

 

The script worked when I input a number in a text input form, which is the script that runs before the final script, so I know that the query to the database works OK.

I know that the coding is not that well written and may not be that secure, but it worked before I tried to modify it to choose the verse within the table in the PHP script I listed first.

I have taken your advice and changed the line: 

$_SESSION['ID'] = $Event_info['ID'];

, but the ID value is not picked up by the final script.

If I can get this working then I will look at making the script more secure.

 

Any more suggestions?

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.