CB150Special Posted August 7, 2017
I've tried a few options, needless to say, none worked. I have a routine that is common to two HTML pages. I'm trying to pass a variable to that routine using $_SESSION['bikeID'] but can't get the anchor to work.

    <td><a href='mem_bike.php?$_SESSION["bikeID"]=<?php echo $row_bikes['BikeID'];?>' >

Any suggestions? Thanks.
Link to comment: https://forums.phpfreaks.com/topic/304536-session-variable-and-anchor/
requinix Posted August 7, 2017
I can barely even tell what you're trying to do with that.

If the bikeID varies, like whatever page you're on now shows multiple bikes and the user is going to mem_bike.php for a particular one, then the session is not appropriate. Put the bikeID in the URL like ' > then have mem_bike.php use $_GET["bikeID"]. No sessions.

If the bikeID is the same value all across the site, and it's tied to the user, then go ahead and put it in the session. When it's in the session you don't have to put it in any URLs. You get it in $_SESSION for free.
CB150Special Posted August 7, 2017 (Author)
I've used what you have suggested but that only solves the one form. I have another table that lists bikes and that needs to look up each bike and populate some of the fields. I was hoping to use the same routine for both. Currently I use both below and am looking for a way to make it into one.

    $sql_bike = 'SELECT * FROM bikes WHERE BikeID = "'.$_GET['bikeID'].'"';
    $sql_bike = 'SELECT * FROM bikes WHERE BikeID = "'.$_SESSION['bikeID'].'"';

The second form is quite a complex one. Just for interest.

    while($row_event_mem = mysqli_fetch_array($tbl_event_mem)){ // members may have more than one bike.
        for ($i = 1; $i < 31; $i++){
            if (!empty($row_event_mem['RaceClassName'.$i])){
                $_SESSION['bikeID'] = $row_event_mem['BikeID'.$i];
                require ('sql_get_event_bike.php');
                ?>
                <tr>
                    <td><?php echo $row_ctr;?></td>
                    <td><?php echo $row_event_mem['MemName'];?></td>
                    <td><?php echo $row_event_mem['RaceNo'];?></td>
                    <td><?php echo $row_event_mem['RaceClassName'.$i];?></td>
                    <?php if ($tbl_bike->num_rows > 0){ ?>
                    <td><?php echo $row_bike['Make'];?></td>
                    <td><?php echo $row_bike['Model'];?></td>
                    <?php }?>
                </tr>
                <?php
                $row_ctr++;
            }
        }
    }

Is there another way of doing this? Maybe if I use this before the SQL query and then use the 2nd option.

    if ($_GET['bikeID'] <> '') {
        $_SESSION['bikeID'] = $_GET['bikeID'];
    }

Thanks.
CB150Special Posted August 7, 2017 (Author)
This appears to work.

    if (isset($_GET['bikeID'])){
        $_SESSION['bikeID'] = $_GET['bikeID'];
    }
    ////
    $sql_bike = 'SELECT * FROM bikes WHERE BikeID = "'.$_SESSION['bikeID'].'"';
cyberRobot Posted August 7, 2017
If you haven't done so already, you'll want to look into prepared statements to prevent SQL Injection attacks. More information can be found here:
http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

Or at least use mysqli_real_escape_string(). More information here:
http://php.net/manual/en/mysqli.real-escape-string.php
Jacques1 Posted August 7, 2017 (edited)
He has been told that at least 10 times. Literally. I think the current consensus is that he cannot learn.
Edited August 7, 2017 by Jacques1
CB150Special Posted August 8, 2017 (Author, edited)
> He has been told that at least 10 times. Literally. I think the current consensus is that he cannot learn.

It is only your consensus at this point. By the same token, neither can you learn. Comments like these do nothing for anyone. If you read any books about teaching, coaching, etc. you have to win the trust of your student before they will listen to you. Your comments earn very little trust. I can say you spend too much time 'answering' everyone's posts; you need to get out more. Chances are you won't listen to me unless you have trust in me.
Edited August 8, 2017 by CB150Special
CB150Special Posted August 8, 2017 (Author)
> If you haven't done so already, you'll want to look into prepared statements to prevent SQL Injection attacks. More information can be found here: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
> Or at least use mysqli_real_escape_string(). More information here: http://php.net/manual/en/mysqli.real-escape-string.php

I have looked at prepared statements and it is not high in my priority list at the moment. Something new to learn. It will rise later, but I'm still getting my head around CSS, HTML, PHP etc. It really takes a while to understand enough to make a few things work.

I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a SQL Injection attack?
Jacques1 Posted August 8, 2017
First off, the point of prepared statements and escaping is to separate the data from the surrounding language context and prevent syntax conflicts. If you don't know what that means, try to insert "O'Reilly" into a single-quoted SQL string. This has nothing to do with "attacks". It's not an "attack" to be named O'Reilly. The problem here is a software defect caused by naive programming. Of course prepared statements can also prevent attacks. But the primary goal is code correctness -- the fact that correct software happens to be more robust against attacks is a nice side effect.

Secondly, assuming that values from the database are somehow inherently secure is wrong and can leave your application wide open to second-order injections. You shouldn't make any assumptions about whether or not a value is "secure": a) you're missing the point (see above), b) your assessment may very well be wrong (attackers often have a lot more fantasy than the average PHP programmer) and c) constantly switching between escaped and unescaped values will sooner or later lead to a mistake. The correct approach is to always use parameters, unless the string is explicitly supposed to contain an SQL fragment. This is true for every language, not just SQL. It's the same with HTML, XML, shell commands etc.

> If you read any books about teaching, coaching, etc you have to win the trust of your student before they will listen to you.

Your learning theories are bullshit. The truth is that you haven't made any significant progress. Several very knowledgeable users have spent a lot of time explaining the same basics over and over again, and they've been exceptionally patient and friendly. None of this has helped. You've either simply ignored them or come up with all kinds of reasons for why their advice isn't relevant. So how about you stop blaming everybody else and realize that the problem is you.

PHP isn't rocket science. Somebody who already has prior programming experience can definitely learn to write decent code in a few weeks. However, learning requires motivation and the willingness to shut up and listen. You don't have that. Whenever somebody points out a mistake, you make it anyway. Whenever you get important information, you brush it off, assuming that you somehow know better. With that attitude, you may be able to produce code. But you won't learn how to program.
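As an added example (not code from the thread or any of its posters), this puts the thread's concatenated lookup beside a parameterised one and covers both cyberRobot's prepared-statement advice and Jacques1's point about values read back from the database. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (assumes the pdo_sqlite extension); the bikes and member_bikes tables, the member name and the bike ids are all constructed here.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it runs
// stand-alone; mysqli prepared statements (linked in the thread) follow the
// same prepare / bind / execute shape.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: one row per member/bike pair (as mac_gyver advises)
// instead of BikeID1..BikeID30 columns on the member row.
$db->exec('CREATE TABLE bikes (BikeID TEXT PRIMARY KEY, Make TEXT, Model TEXT)');
$db->exec('CREATE TABLE member_bikes (MemName TEXT, BikeID TEXT)');
// The second BikeID is a perfectly legitimate value that contains a quote.
$db->exec("INSERT INTO bikes VALUES ('CB150-1', 'Honda', 'CB150'),
                                    ('O''Reilly-1', 'Custom', 'Frame')");
$db->exec("INSERT INTO member_bikes VALUES ('Alice', 'CB150-1'),
                                           ('Alice', 'O''Reilly-1')");

// The thread's pattern: the id is pasted into the SQL text, so any quote in
// the value is parsed as SQL and the statement breaks.
function bikeByConcat(PDO $db, string $id): ?array {
    $sql = "SELECT * FROM bikes WHERE BikeID = '" . $id . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Parameterised version: the id is sent as data and is never parsed as SQL.
function bikeByParam(PDO $db, string $id): ?array {
    $stmt = $db->prepare('SELECT * FROM bikes WHERE BikeID = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Second-order case: every BikeID below comes from the database, not from a
// form or the URL, yet it still has to travel as a parameter.
$stmt = $db->prepare('SELECT BikeID FROM member_bikes WHERE MemName = ?');
$stmt->execute(['Alice']);
foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $bikeId) {
    try {
        $row = bikeByConcat($db, $bikeId);
        echo "concat   $bikeId -> {$row['Make']} {$row['Model']}\n";
    } catch (PDOException $e) {
        // Reached for O'Reilly-1: a syntax error, exactly the defect Jacques1 describes.
        echo "concat   $bikeId -> SQL error: " . $e->getMessage() . "\n";
    }
    $row = bikeByParam($db, $bikeId);
    echo "prepared $bikeId -> {$row['Make']} {$row['Model']}\n";
}
```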
mac_gyver Posted August 8, 2017
> I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a SQL Injection attack?

of course. any value can be submitted to your code, and therefore cannot be trusted, because anyone or a bot script can create and send your web pages anything they want when they request your pages. people or bot scripts don't need your form(s) or your link(s) to request your pages.

    while($row_event_mem = mysqli_fetch_array($tbl_event_mem)){ // members may have more than one bike.
        for ($i = 1; $i < 31; $i++){
            if (!empty($row_event_mem['RaceClassName'.$i])){
                $_SESSION['bikeID'] = $row_event_mem['BikeID'.$i];

^^^ this indicates a bad database design, where you are trying to use a database table like it is a spreadsheet. using a series of numbered columns requires more code to perform any operation on the data and wastes storage. you should be storing each data item as a separate row in a table, not in numbered columns in a single row. this will simplify and speed up all your code.
cyberRobot Posted August 8, 2017
> I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a SQL Injection attack?

As I think mac_gyver is alluding to, the $_GET variable below can be modified by anyone:

    $_SESSION['bikeID'] = $_GET['bikeID'];

If "bikeID" is hard-coded in a website link, for example, a user could modify your source code before clicking the link. Or GET variables typically appear in the address bar after a link is clicked. The user could modify it after the fact.