elite311 Posted September 6, 2012

Hi I'm hoping someone can help me with this, I'm trying to get a value from my sql query and store it as variable so I can use it in the url but I'm not quite sure how to do it.

Right now when I click the edit button I set the id to the asset number in the url (ie edituseloc.php?id=H802) I use this to query the info related to that asset number. When I save the changes I want to redirect back to a page where the asset is located (ie job number locationinfo.php?id=215) the problem is I have to have the job number passed back to the url when it redirects and I'm not sure how to get that value into the header line with the "updated=1"

Right now when I run this all I get in the header is locationinfo.php?id=&updated=1 which is almost correct I just need to add the job number in as the id.

I have this right now:

    $assetresult = $db->fetch_all_array("SELECT * FROM assets WHERE asset = '".$_GET['id']."'");
    $site = $assetresult->currentjob;

    if(isset($_POST['updateit'])) {
        $db->query("UPDATE assets SET pmcount = '".$_POST['avguse']."', updatedby = '{$_SESSION['username']}', updateddate = NOW() WHERE id = '".$_POST['id']."'") or die(mysql_error());
        header("Location: locationinfo.php?id=$site&updated=1");
        exit();
    }

Jessica Posted September 6, 2012

What db library are you using? Do a

    print_r($assetresult);

elite311 Posted September 6, 2012 (Author)

I get:

    Array
    (
        [0] => Array
            (
                [id] => 336
                [asset] => H802
                [currentjob] => 215
                [pmcount] => 8
                [category] => Aerial
                [descrip] => Scissor Lift 20' Elec
                [year] => 2005
                [make] => Skyjack
                [model] => SJ3220
                [serial] => 614441
                [createdby] => loderd
                [createddate] => 2012-09-06 15:50:01
                [updatedby] => loderd
                [updateddate] => 2012-09-06 15:50:01
            )
    )

I'm using Database.class.php from ricocheting.com

Jessica Posted September 6, 2012

So, you can see from your results that $assetresult is a multidimensional array, not an object.

First, you need to turn on error_reporting set to E_ALL. Secondly, look if your DB library has docs on how to handle results. You'll either need to use some functions from the library, or do

    $site = $assetresult[0]['currentjob'];

elite311 Posted September 6, 2012 (Author)

That didn't work, looks like I have some reading to do to see if I can figure this out. Thanks

Jessica Posted September 6, 2012

If the output of the print_r you posted is what you really got, then yes that will work. If it doesn't, post your updated code so we can see.

elite311 Posted September 6, 2012 (Author)

I copied and pasted the results of the print_r I did, this is what my code looks like now.

    $assetresult = $db->fetch_all_array("SELECT * FROM assets WHERE asset = '".$_GET['id']."'");
    $site = $assetresult[0]['currentjob'];

    if(isset($_POST['updateit'])) {
        $db->query("UPDATE assets SET pmcount = '".$_POST['avguse']."', updatedby = '{$_SESSION['username']}', updateddate = NOW() WHERE id = '".$_POST['id']."'") or die(mysql_error());
        header("Location: locationinfo.php?id=$site&updated=1");
        exit();
    }
    ?>

elite311 Posted September 6, 2012 (Author)

When I do print_r($site); I get the proper result, am I writing this incorrectly in the header to get the value?

Jessica Posted September 6, 2012

Change

    header("Location: locationinfo.php?id=$site&updated=1");

to

    die("Location: locationinfo.php?id=$site&updated=1");

What does it print?

Once you get this fixed you need to read about SQL injection, btw.

elite311 Posted September 6, 2012 (Author)

it prints

    Location: locationinfo.php?id=&updated=1

Ya I have started reading about it, I realize I'm probably doing some things wrong but just learning still.

Jessica Posted September 6, 2012

But you said when you echo $site it shows the value? And there's no other code?

elite311 Posted September 6, 2012 (Author)

Yup I have the print_r($site); in the code and it shows 215 which is correct. The whole file looks like this:

    <?php
    session_start();

    if($_SESSION['loggedin'] == TRUE)
    if($_SESSION['auth_lvl'] > 5)
    {
    }else{
        header("Location: index.php");
    }

    include('admin/includes/config.php');
    include('admin/includes/database.class.php');
    include('admin/includes/functions.php');

    $db = new Database($db_host, $db_username, $db_password, $db_database, $db_table_prefix);
    $db -> connect();

    $assetresult = $db->fetch_all_array("SELECT * FROM assets WHERE asset = '".$_GET['id']."'");
    $site = $assetresult[0]['currentjob'];

    if(isset($_POST['updateit'])) {
        $db->query("UPDATE assets SET pmcount = '".$_POST['avguse']."', updatedby = '{$_SESSION['username']}', updateddate = NOW() WHERE id = '".$_POST['id']."'") or die(mysql_error());
        die("Location: locationinfo.php?id=$site&updated=1");
        exit();
    }

    print_r($site);
    ?>

PFMaBiSmAd Posted September 6, 2012

The header() redirect is inside of some post mode form processing code. There's no guarantee that at the time the form has been submitted that $_GET['id'], that is used in the select query, has a value.

Your code has NO validation/casting/escaping of external data to ensure that any of that data even has a value, and a safe one, before attempting to use it.

If all the code you have been posting requires there to be a $_GET['id']/asset value, then all that code should be inside of a conditional statement that has checked that there is an expected $_GET['id'] value.

edit: P.S. Your log in check code is not secure. You need an exit; statement after the header() redirect to prevent the remainder of the 'protected' code from running. All a hacker needs to do is ignore the header redirect and he can access that page the same as if he was logged in.

elite311 Posted September 6, 2012 (Author)

I understand what you mean, the value might not be there even though it shows before the form is submitted. I have a lot of learning to do obviously, but your post made me think about a different solution and I managed to get it to work. Although it's probably not the best way to do it, thank you 2 for helping I really appreciate it.

On my form I added:

    <input type="hidden" name="job" value="<?php echo $assetinfo['currentjob'];?>" />

And I changed:

    $site = $assetresult[0]['currentjob'];

to

    $site = $_POST['job'];

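An added example, not part of any post in this thread: one way to apply the points raised above (an exit after the login redirect, validation and casting of external data, no string-built SQL) while reading the job number on the server instead of relying on $_GET['id'] or a hidden form field. It uses PDO in place of the Database.class.php wrapper; the connection details, the integer format of `id` and `avguse`, and the intended login rule are assumptions.

```php
<?php
// Added example, not the thread's code. PDO replaces the Database.class.php
// wrapper; DSN, credentials and the input formats below are assumptions.
session_start();

// Assumed intent: only logged-in users with auth_lvl > 5 may continue.
// exit stops the script, otherwise the rest of the page still runs.
if (empty($_SESSION['loggedin']) || ($_SESSION['auth_lvl'] ?? 0) <= 5) {
    header('Location: index.php');
    exit;
}

$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['updateit'])) {
    // Validate and cast external data before it reaches a query.
    // filter_input() returns null when the field is missing, false when invalid.
    $rowId  = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $avgUse = filter_input(INPUT_POST, 'avguse', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if (!is_int($rowId) || !is_int($avgUse)) {
        http_response_code(400);
        exit('Invalid form data');
    }

    // Bound parameters keep user input out of the SQL text.
    $upd = $pdo->prepare(
        'UPDATE assets SET pmcount = :pm, updatedby = :who, updateddate = NOW() WHERE id = :id'
    );
    $upd->execute([':pm' => $avgUse, ':who' => $_SESSION['username'], ':id' => $rowId]);

    // Read the job number from the row just updated, so the redirect target
    // comes from the database and not from the request.
    $sel = $pdo->prepare('SELECT currentjob FROM assets WHERE id = :id');
    $sel->execute([':id' => $rowId]);
    $site = $sel->fetchColumn();
    if ($site === false) {
        http_response_code(404);
        exit('Unknown asset');
    }

    // http_build_query() URL-encodes the values placed in the Location header.
    header('Location: locationinfo.php?' . http_build_query(['id' => $site, 'updated' => 1]));
    exit;
}
```
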