rocky48 Posted July 28, 2012 Share Posted July 28, 2012 I have written a script that queries a MYSQL database and the query is output as a table. In this table I have managed to add a 'Radio' button to each row of the table. When I submit I want the value stored for use in a later script. I have been avised that the best way to do this is using $_SESSION. Here is the script that outputs the query: <?php include("Loc_cverse_connect.php"); doDB(); Session_start(); //verify the Event exists $verify_Event_sql = "SELECT ID, Event_Type FROM Events WHERE ID = '".$_POST["Event_Type"]."'"; $verify_Event_res = mysqli_query($mysqli, $verify_Event_sql) or die(mysqli_error($mysqli)); //echo $_POST["Event_Type"]; if (mysqli_num_rows($verify_Event_res) < 1) { //this Event does not exist $display_block = "<p><em>You have selected an invalid Event.<br/> Please try again.</em></p>"; } else { //get the Event ID while ($Event_info = mysqli_fetch_array($verify_Event_res)) { $Event_ID = stripslashes($Event_info['ID']); $Event_Name = ($Event_info['Event_Type']); } //gather the Events $get_Event_sql = "SELECT Verses.ID AS versesID, Verses.Verse, Verses.Sub_Type, Verses.Event, Events.ID AS eventsID, Events.Event_Type, Event_Sub.ID AS event_SubID, Event_Sub.Event_Sub_Type FROM Verses LEFT JOIN Events ON Verses.Event = Events.ID LEFT JOIN Event_Sub ON Verses.Sub_Type = Event_Sub.ID WHERE Verses.Event = '".$_POST["Event_Type"]."' ORDER BY Verses.ID ASC"; $get_Event_res = mysqli_query($mysqli, $get_Event_sql) or die(mysqli_error($mysqli)); //create the display string $display_block = " <p> The Event Type is <b> '".$Event_Name."'</b> </p> <table width=\"70%\" cellpadding=\"3\" cellspacing=\"1\" border=\"1\" BGCOLOR=\"#87CEEB\" > <tr> <th>ID</th> <th>VERSE</th> <th>MOOD/SUB TYPE</th> <th>Link</th> </tr>"; while ($Verse_info = mysqli_fetch_array($get_Event_res)) { $Verse_id = $Verse_info['versesID']; $Verse_text = nl2br(stripslashes($Verse_info['Verse'])); $Mood_info = $Verse_info['Event_Sub_Type']; //add to display $display_block .= " <tr> <td width=\"1%\" valign=\"top\">".$Verse_id."<br/></td> <td width=\"55%\" valign=\"top\">".$Verse_text."<br/></td> <td width=\"35%\" valign=\"top\">".$Mood_info."<br/></td> <td width=\"9%\" valign=\"top\"> <form action=\"VInput2.html\" ".method."=\"post\"> <input type=\"Radio\" name=\"ID\" value=\"".$Verse_id."\"/> </td> </tr>"; } //free results mysqli_free_result($get_Event_res); mysqli_free_result($verify_Event_res); //close connection to MySQL mysqli_close($mysqli); //close up the table $display_block .= " <input type=\"submit\" value=\"SUBMIT\"> </form> </table>"; } $_SESSION[iD]=".$_POST."; ?> <html> <head> <title> List of Verses</title> </head> <body BGCOLOR="#87CEEB"> <h1>Verses</h1> <?php echo $display_block; ?> </body> </html> I have tried putting the $_SESSION in various places, but it does not pass the value to the final script. I reliased that the line had to be put outside of the loop, otherwise it displayed the ID number of the last row in the query. Here is the final script where I am trying to use the value: <?php include("loc_cverse_connect.php"); doDB(); Session_start(); //Get the Card Variables $Get_Size_sql = "SELECT * FROM `csize` WHERE `Size` ='".$_POST["CSize"]."'"; $Get_Size_res = mysqli_query($mysqli, $Get_Size_sql) or die(mysqli_error($mysqli)); if (mysqli_num_rows($Get_Size_res) < 1) { //this Card does not exist $display_block = "You have selected an invalid Card size. Please try again."; } else { //get the print variables while ($Size_info = mysqli_fetch_array($Get_Size_res)) { $BoxX = stripslashes($Size_info['BoxX']); $Cellw = stripslashes($Size_info['Cellw']); $Cellh = stripslashes($Size_info['Cellh']); $SizeI = stripslashes($Size_info['Size']); $SID = stripslashes($Size_info['SID']); $floatx = stripslashes($Size_info['floatx']); $floaty = stripslashes($Size_info['floaty']); $floatw = stripslashes($Size_info['floatw']); $floath = stripslashes($Size_info['floath']); $ort = stripslashes($Size_info['ort']); } //create the display string $display_block = "$ort"; } //check the variable is being passed through //if (isset($_SESSION['ID'])){ //echo 'ID is '.$_SESSION['ID']; //} //Goto end; //verify the Event exists $Get_Verse_sql = "SELECT ID, Event, Sub_Type, Verse FROM Verses WHERE ID = '".$_SESSION["ID"]."'"; $Get_Verse_res = mysqli_query($mysqli, $Get_Verse_sql) or die(mysqli_error($mysqli)); if (mysqli_num_rows($Get_Verse_res) < 1) { //this Event does not exist $display_block = "You have selected an invalid Event. Please try again."; } else { //get the Event ID while ($Verse_info = mysqli_fetch_array($Get_Verse_res)) { $Verse = stripslashes($Verse_info['Verse']); } //create the display string $display_block = "$Verse"; //free results mysqli_free_result($Get_Verse_res); mysqli_free_result($Get_Size_res); //close connection to MySQL } mysqli_close($mysqli); require('fpdf.php'); class PDF extends FPDF { var $B; var $I; var $U; var $HREF; function PDF($orientation='P', $unit='mm', $size='A4') { // Call parent constructor $this->FPDF($orientation,$unit,$size); // Initialization $this->B = 0; $this->I = 0; $this->U = 0; $this->HREF = ''; } function SetStyle($tag, $enable) { // Modify style and select corresponding font $this->$tag += ($enable ? 1 : -1); $style = ''; foreach(array('B', 'I', 'U') as $s) { if($this->$s>0) $style .= $s; } $this->SetFont('',$style); } } $color = $_POST[color]; $r = substr($color,0,3); $g = substr($color,3,3); $b = substr($color,6,3); $image=$_POST[image]; $pdf = new PDF($ort,'mm','A4'); $pdf->AddPage(); $pdf->AddFont('French Script MT','','frscript.php'); $pdf->AddFont('Batavia','','Batavia_.php'); $pdf->AddFont('Algerian','','Alger.php'); $pdf->AddFont('Bladerunner','','BLADRMF_.php'); $pdf->AddFont('Brush Script','','BRUSHSCI.php'); $pdf->AddFont('Helterskelter','','Helte___.php'); $pdf->AddFont('Justice','','Justice_.php'); $pdf->AddFont('Magneto','','MAGNETOB.php'); $pdf->AddFont('Old English','','OldEngl.php'); $pdf->AddFont('Sneakerhead Outline','','Sneabo__.php'); $pdf->AddFont('Trendy','','Trendy__.php'); $pdf->AddFont('Vladimir Script','','VLADIMIR.php'); $pdf->SetTextColor($r,$g,$b); $pdf->SetFont($_POST[fontface],'',$_POST[font]); $pdf->SetXY($BoxX, $_POST[Top]); $pdf->Image($image,$floatx,$floaty,$floatw,$floath,jpg,''); $pdf->MultiCell($Cellw,$Cellh,$display_block,'' ,'C'); $pdf->SetFont(''); $pdf->Output('verse.pdf','D'); //end: ?> The query output the text that shows that no ID number has been pased to the query. Can anyone help me? Quote Link to comment Share on other sites More sharing options...
lordshoa Posted July 28, 2012 Share Posted July 28, 2012 Not sure what your posting with $_POST does it = anything ? $_SESSION[iD]=".$_POST."; $_SESSION[iD]=".$_POST[iD]."; Quote Link to comment Share on other sites More sharing options...
mikhl Posted July 28, 2012 Share Posted July 28, 2012 I think that session_start() has to be at the very top of every page that uses it. Make sure it's all lower case too Quote Link to comment Share on other sites More sharing options...
Drongo_III Posted July 28, 2012 Share Posted July 28, 2012 Also is it a good idea to straight include unescaped $_POST data in your queries? Just a thought. Quote Link to comment Share on other sites More sharing options...
Christian F. Posted July 28, 2012 Share Posted July 28, 2012 Damnit.... Wrote a really long post, detailing all of the issues I found in your code, just to lose it in an accidental page refresh. In short: You have some massive security holes in that code, due to complete lack of input validation and output escaping. The use of "intval ()" and the PHP input filters will help with the first, and for the latter you should read up on "htmlspecialchars ()" and "mysql_real_escape_string ()". "stripslashes ()" is completely unnecessary in your script, and a prime example of an anti-pattern. Completely unneeded while loop at line 20, as well as freeing of results and closing the database connection. The biggest indication that you might have some issues with the basic syntax however, is this:$_SESSION[iD] = ".$_POST."; Where there are no less than 3 issues: Abuse of "ID" as constant, which will cause problems if it ever gets defined. Always use quotes around string values, which you have done on the second page. $_POST is an array, the code above will result in $_SESSION['ID'] containing ".Array." It seems you've fallen victim to an anti-pattern, and misunderstood how to use it on top of that. Some developers, who doesn't really know what they're doing, tend to concatenate string (or numerical) values with empty strings. What they think that's necessary I do not know, but it's a complete waste. (Like opening, closing, opening, walking through, closing, opening and then closing the door, every time you walk through one.) The correct way to write that line, would have been as follows. Using the data you retrieved from the DB, and thus know to be correct & safe. $_SESSION['ID'] = $Event_info['ID']; Good points: Good work on the indenting and commenting, as well as parsing all PHP code before sending any HTML to the browser. As for those who said that "session_start ()" needs to be at the very top of the file: No, it doesn't. It is sufficient that no content has been sent to the browser, to allow for the extra headers to be added to the HTTP response. This is fulfilled in this case. Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted July 28, 2012 Share Posted July 28, 2012 "stripslashes ()" is completely unnecessary in your script . . . I don't think you can accurately make that assertion without first verifying that the data was inserted properly and not double-escaped to begin with. More accurately, stripslashes() shouldn't be necessary, and if it is, you're doing something wrong with the data that's being inserted, or php is misconfigured. If that's the case, once the issue is resolved stripslashes() will be unnecessary, unless you're writing code to be compatible with and portable to servers that (for whatever ignorant reason) have magic_quotes_gpc() and/or magic_quotes_runtime() ON. More on magic_quotes: http://www.php.net/manual/en/security.magicquotes.what.php Quote Link to comment Share on other sites More sharing options...
Solution rocky48 Posted July 29, 2012 Author Solution Share Posted July 29, 2012 Thanks for the input! I am a relatively new programmer and not that young anymore, so apoligies for my ignorance! With all the comments that ChristianF made I am now overwelmed with the issues regarding the coding. The script worked when I input a number in a text input form, which is the script that runs before the final script, so I know that the query to the database works OK. I know that the coding is not that well written and may not be that secure, but it worked before I tried to modify it to choose the verse within the table in the PHP script I listed first. I have taken your advice and changed the line: $_SESSION['ID'] = $Event_info['ID']; , but the ID value is not picked up by the final script. If I can get this working then I will look at making the script more secure. Any more suggestions? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.