session variable and anchor


CB150Special

I've tried a few options, needless to say, none worked.

 

I have a routine that is common to two HTML pages.   I'm trying to pass a variable to that routine using $_SESSION['bikeID']  but can't get anchor one to work. 

<td><a href='mem_bike.php?$_SESSION["bikeID"]=<?php echo $row_bikes['BikeID'];?>'  >

Any suggestions

Thanks.

 


I can barely even tell what you're trying to do with that.

 

If the bikeID varies, like whatever page you're on now shows multiple bikes and the user is going to mem_bike.php for a particular one, then the session is not appropriate. Put the bikeID in the URL like

'  >then have mem_bike.php use $_GET["bikeID"]. No sessions.

 

If the bikeID is the same value all across the site, and it's tied to the user, then go ahead and put it in the session. When it's in the session you don't have to put it in any URLs. You get it in $_SESSION for free.


I've used what you have suggested but that only solves the one form.

 

I have another table that lists bikes and that needs to look up each bike and populate some of the fields.  I was hoping to use the same routine for both.

 

Currently I use both below and am looking for a way to make it into one. 

        $sql_bike = 'SELECT * FROM bikes WHERE BikeID = "'.$_GET['bikeID'].'"';
        $sql_bike = 'SELECT * FROM bikes WHERE BikeID = "'.$_SESSION['bikeID'].'"';

The second form is quite a complex one.

 

Just for interest.

while ($row_event_mem = mysqli_fetch_array($tbl_event_mem)) {  // members may have more than one bike.
    for ($i = 1; $i < 31; $i++) {
        if (!empty($row_event_mem['RaceClassName'.$i])) {
            $_SESSION['bikeID'] = $row_event_mem['BikeID'.$i];
            require ('sql_get_event_bike.php');
            ?>
            <tr>
                <td><?php echo $row_ctr;?></td>
                <td><?php echo $row_event_mem['MemName'];?></td>
                <td><?php echo $row_event_mem['RaceNo'];?></td>
                <td><?php echo $row_event_mem['RaceClassName'.$i];?></td>
                <?php if ($tbl_bike->num_rows > 0) { ?>
                    <td><?php echo $row_bike['Make'];?></td>
                    <td><?php echo $row_bike['Model'];?></td>
                <?php } ?>
            </tr>
            <?php
            $row_ctr++;
        }
    }
}

Is there another way of doing this ?  Maybe if I use this before the SQL query and then use the 2nd option.

if (isset($_GET['bikeID']) && $_GET['bikeID'] <> '') {
    $_SESSION['bikeID'] = $_GET['bikeID'];
}

Thanks.
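As an added example (not code from this thread), here is how the two routines above collapse into one function that takes the id as a parameter, so the listing page passes it in the URL as requinix suggested and the event table passes it straight from the row, with no session in either case. It assumes a `bikes` table with `BikeID`, `Make` and `Model` columns (the names used in the thread) and a mysqli connection in `$db`; the function and variable names are my own.

```php
<?php
// Added example, not from the thread. One shared lookup routine used by both
// pages. Assumes table `bikes` (BikeID, Make, Model) and a mysqli connection
// in $db. Replaces the include that read $_GET / $_SESSION itself.
declare(strict_types=1);

/** Fetch one bike row by id, or null if no such row exists. */
function fetchBike(mysqli $db, int $bikeId): ?array
{
    // The id is bound to a placeholder; it never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT BikeID, Make, Model FROM bikes WHERE BikeID = ?');
    $stmt->bind_param('i', $bikeId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Read bikeID from the query string and accept only a positive integer.
 * Anything at all can arrive here, so this check is the only thing between
 * the URL and the database query.
 */
function bikeIdFromRequest(array $get): ?int
{
    $id = filter_var(
        $get['bikeID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return ($id === false || $id === null) ? null : $id;
}

/** Listing page: put the id in the URL. $row_bikes is a row from the bikes query. */
function bikeLink(array $row_bikes): string
{
    $id = (int) $row_bikes['BikeID'];
    return "<td><a href='mem_bike.php?bikeID={$id}'>"
        . htmlspecialchars($row_bikes['Make'] ?? '') . '</a></td>';
}

// mem_bike.php (sketch, credentials are placeholders):
//   $db = new mysqli('localhost', 'user', 'pass', 'club');
//   $bikeId = bikeIdFromRequest($_GET);
//   if ($bikeId === null) { http_response_code(400); exit('missing or invalid bikeID'); }
//   $row_bike = fetchBike($db, $bikeId);
//
// Event table: same function, id taken from the row rather than the session:
//   $row_bike = fetchBike($db, (int) $row_event_mem['BikeID' . $i]);
```

Because `fetchBike()` takes the id as an argument, the page that calls it decides where the id comes from; the lookup code itself no longer cares whether it was the URL, the session or a database row.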


He has been told that at least 10 times. Literally. I think the current consensus is that he cannot learn.

It is only your consensus at this point. By the same token, neither can you learn. Comments like these do nothing for anyone. If you read any books about teaching, coaching, etc., you have to win the trust of your student before they will listen to you. Your comments earn very little trust.

 

I can say you spend too much time 'answering' everyone's posts, you need to get out more. Chances are you won't listen to me unless you have trust in me.


If you haven't done so already, you'll want to look into prepared statements to prevent SQL Injection attacks. More information can be found here:

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

 

Or at least use mysqli_real_escape_string(). More information here:

http://php.net/manual/en/mysqli.real-escape-string.php

I have looked at prepared statements and it is not high in my priority list at the moment. Something new to learn. I will rise later but I'm still getting my head around CSS HTML PHP etc. It really takes a while to understand enough to make a few things work.

 

I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a  SQL Injection attack ? 


First off, the point of prepared statements and escaping is to separate the data from the surrounding language context and prevent syntax conflicts. If you don't know what that means, try to insert "O'Reilly" into a single-quoted SQL string.

 

This has nothing to do with "attacks". It's not an "attack" to be named O'Reilly. The problem here is a software defect caused by naive programming.

 

Of course prepared statements can also prevent attacks. But the primary goal is code correctness -- the fact that correct software happens to be more robust against attacks is a nice side effect.

 

Secondly, assuming that values from the database are somehow inherently secure is wrong and can leave your application wide open to second-order injections. You shouldn't make any assumptions about whether or not a value is "secure". a) you're missing the point (see above), b) your assessment may very well be wrong (attackers often have a lot more fantasy than the average PHP programmer) and c) constantly switching between escaped and unescaped values will sooner or later lead to a mistake.

 

The correct approach is to always use parameters, unless the string is explicitly supposed to contain an SQL fragment.

 

This is true for every language, not just SQL. It's the same with HTML, XML, shell commands etc.
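An added example (not from the thread) of the two points above: the naive string-built query breaks on a plain name like O'Reilly, and the value read back out of the database is still data the next time it is used. It assumes a `members` table with `MemName` and `RaceNo` columns (names from the thread) and a mysqli connection in `$db`; the function names are mine.

```php
<?php
// Added example, not from the thread. Assumes table `members` (MemName, RaceNo)
// and a mysqli connection in $db.
declare(strict_types=1);

// Naive: the value is pasted into the SQL text, so a value containing the
// string delimiter changes the statement.
function naiveQuery(string $name): string
{
    return "SELECT * FROM members WHERE MemName = '" . $name . "'";
}
// naiveQuery("O'Reilly") returns
//   SELECT * FROM members WHERE MemName = 'O'Reilly'
// which is a syntax error. Same defect, different outcome, if the value had
// been crafted instead of merely unlucky.

// Correct: the statement text is fixed, the value travels separately.
function findMember(mysqli $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT MemName, RaceNo FROM members WHERE MemName = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Second-order case: a name that was stored correctly through a parameter is
// read back by RaceNo and then used in another query. It gets a parameter
// again; "it came from the database" earns it no exemption.
function raceNoToMember(mysqli $db, int $raceNo): ?array
{
    $stmt = $db->prepare('SELECT MemName FROM members WHERE RaceNo = ?');
    $stmt->bind_param('i', $raceNo);
    $stmt->execute();
    $first = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$first) {
        return null;
    }
    // The stored name may contain quotes; bind it rather than concatenate it.
    return findMember($db, $first['MemName']);
}

// Same rule for the HTML context when the value is printed into a page:
function memberCell(array $row): string
{
    return '<td>' . htmlspecialchars($row['MemName'] ?? '', ENT_QUOTES) . '</td>';
}
```

The rule in one line: every value that crosses into a language (SQL, HTML, a shell command) goes through that language's parameter or encoding mechanism at the crossing point, regardless of where the value was a moment earlier.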

 

 

 

If you read any books about teaching, coaching, etc you have to win the trust of your student before they will listen to you.

 

Your learning theories are bullshit.

 

The truth is that you haven't made any significant progress. Several very knowledgeable users have spent a lot of time explaining the same basics over and over again, and they've been exceptionally patient and friendly. None of this has helped. You've either simply ignored them or come up with all kinds of reasons for why their advice isn't relevant.

 

So how about you stop blaming everybody else and realize that the problem is you. PHP isn't rocket science. Somebody who already has prior programming experience can definitely learn to write decent code in a few weeks. However, learning requires motivation and the willingness to shut up and listen. You don't have that. Whenever somebody points out a mistake, you make it anyway. Whenever you get important information, you brush it off, assuming that you somehow know better.

 

With that attitude, you may be able to produce code. But you won't learn how to program.


I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a  SQL Injection attack ? 

 

of course. any value can be submitted to your code, and therefore cannot be trusted, because anyone or a bot script can create and send your web pages anything they want when they request your pages. people or bot scripts don't need your form(s) or your link(s) to request your pages.

 

while ($row_event_mem = mysqli_fetch_array($tbl_event_mem)) {  // members may have more than one bike.
    for ($i = 1; $i < 31; $i++) {
        if (!empty($row_event_mem['RaceClassName'.$i])) {
            $_SESSION['bikeID'] = $row_event_mem['BikeID'.$i];

 

 

^^^ this indicates a bad database design, where you are trying to use a database table like it is a spread sheet. using a series of numbered columns requires more code to perform any operation on the data and wastes storage.

 

you should be storing each data item as a separate row in a table, not in numbered columns in a single row. this will simplify and speed up all your code.
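As an added example (not from the thread) of what the one-row-per-item layout buys you: with an `event_entries` table holding one row per bike a member enters, the whole event table comes from a single joined query, and the loop over `BikeID1`..`BikeID30`, the per-row `require` and the session variable all disappear. The table and column names beyond `MemName`, `RaceNo`, `RaceClassName`, `BikeID`, `Make` and `Model` (which the thread uses) are assumptions, as is the mysqli connection in `$db`.

```php
<?php
// Added example, not from the thread. Assumed normalised layout:
//   members(MemberID, MemName, RaceNo)
//   bikes(BikeID, Make, Model)
//   event_entries(EntryID, EventID, MemberID, BikeID, RaceClassName)
//     -- one row per bike a member enters, instead of 30 numbered columns
declare(strict_types=1);

/** All entries for one event: one query, no per-row lookup, no session. */
function eventEntries(mysqli $db, int $eventId): array
{
    $sql = 'SELECT m.MemName, m.RaceNo, e.RaceClassName, b.Make, b.Model
            FROM event_entries e
            JOIN members m ON m.MemberID = e.MemberID
            LEFT JOIN bikes b ON b.BikeID = e.BikeID
            WHERE e.EventID = ?
            ORDER BY m.MemName, e.RaceClassName';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $eventId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/** Render the same table the thread's loop produced, one <tr> per entry. */
function renderEntries(array $rows): string
{
    $html = '';
    $ctr = 1;
    foreach ($rows as $r) {
        $html .= '<tr>'
            . '<td>' . $ctr++ . '</td>'
            . '<td>' . htmlspecialchars($r['MemName'] ?? '') . '</td>'
            . '<td>' . htmlspecialchars((string) ($r['RaceNo'] ?? '')) . '</td>'
            . '<td>' . htmlspecialchars($r['RaceClassName'] ?? '') . '</td>'
            // LEFT JOIN: a missing bike gives NULL Make/Model rather than a missing cell
            . '<td>' . htmlspecialchars($r['Make'] ?? '') . '</td>'
            . '<td>' . htmlspecialchars($r['Model'] ?? '') . '</td>'
            . "</tr>\n";
    }
    return $html;
}

// Usage (event id would come from a validated request parameter):
//   echo renderEntries(eventEntries($db, 7));
```

Adding a 31st bike to a member is then an `INSERT` of one row rather than a schema change, and "which members ride a given bike" becomes a `WHERE e.BikeID = ?` instead of thirty `OR` clauses.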


I do use mysqli_real_escape_string() in some routines, however bikeID is a value derived from a SQL field. If there is no user input field to enter information, is there still a possibility of a  SQL Injection attack ? 

 

As I think mac_gyver is alluding to, the $_GET variable below can be modified by anyone:

$_SESSION['bikeID'] = $_GET['bikeID'];

If "bikeID" is hard-coded in a website link, for example, a user could modify your source code before clicking the link. Or GET variables typically appear in the address bar after a link is clicked. The user could modify it after the fact.


Archived

This topic is now archived and is closed to further replies.
