How do I get the ID from 1 page to another?


derrick1123

<?php
// update.php
$id = $_POST['id'];
$step = $_POST['step'];

if($step==0 || $step==""){
    echo "Choose your id";

    echo "<form method='POST' action='update.php'>";
    echo "<input type='hidden' value='1' name='step'>";
    echo "ID #:<input type='text' name='id' size=30><br>";
    echo "<input type='submit' value='Update Memo'>";
    echo "</form>";
}

if($step==1){
    $result = mysql_query("SELECT * FROM remember WHERE id=$id LIMIT 1");
    while($row = mysql_fetch_array($result))
    {
        $id = $_POST['id'];
        $name = $row['name'];
        $email = $row['email'];
        $website = $row['website'];
        $msg = $row['msg'];
        //show input
        echo "<b>Remember Information:<br></b>";

        //form
        echo "<form method='POST' action='update2.php'>";
        echo "<input type='hidden' value='1' name='step'>";
        echo "<input type='hidden' value='$id'>";
        echo "A Name:<input type='text' name='name' value='$name' size=30><b>*</b><br>";
        echo "An Email:<input type='text' name='email' value='$email' size=30><br>";
        echo "A Website:<input type='text' name='website' value='$website' size=30><br>";
        echo "Memo:<br><textarea cols='30' rows='6' name='msg' wrapping='virtual'>$msg</textarea><b>*</b><br>";
        echo "<input type='submit' value='Update Memo'>";
        echo "</form>";
        echo "* required";
        echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
    }
}
?>

<?php
// update2.php
$step = $_POST['step'];
$name = $_POST['name'];
$msg = $_POST['msg'];
$email = $_POST['email'];
$website = $_POST['website'];
$id = $_POST['id'];

if($step==1 || $step==""){
    //show the thumbs up
    $q = "UPDATE remember WHERE id=$id SET msg=$msg, name=$name, email=$email, website=$website, time=$time";
    $go = mysql_query($q);

    if(!$go){
        echo "SHIT!!! Something went wrong.";
        echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
    } else {
        echo "YAY!!! Your message got updated!";
        echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
    }
}
?>

 

I keep getting the:

echo "SHIT!!! Something went wrong.";

...I think it is because my ID is not getting from 1 page to the other...but I am not 100% sure.

How so? I am barely scratching the surface of PHP...I knew there were injections...but how?

 

EDIT:

 

It still isn't working  :-\

...I think it has to do with something in:

$q = "UPDATE remember WHERE id=$id SET msg=$msg, name=$name, email=$email, website=$website, time=$time";

The "WHERE" should come after the "SET".

 

<?php
$q = "UPDATE remember SET msg=$msg, name=$name, email=$email, website=$website, time=$time WHERE id='$id'";
$go = mysql_query($q) or die(mysql_error());
?>

 

 

As for your security...

I'll point out a few:

 

1) $step

<?php
$step = $_POST['step'];
//... Some more code ...
if($step==1 || $step==""){
?>

 

If $_POST['step'] is not defined (For example, someone directly goes to update2), because of the assignment "$step = $_POST['step'];" $step will be assigned with the empty string. So it doesn't really matter if someone has pressed submit in update.php or just directly accessed update2, the if would be true in any case...

 

2) Your hiddens...

If someone copies the source of update (after the first submission, when you have the hiddens), he can give them any value he wants... So he could easily inject your database and do whatever he wants...

 

3) No escaping.

I didn't see you use mysql_real_escape_string() or at least addslashes() before inserting the user input into the database. You can't rely on magic_quotes. Strip those (if they exist) and use mysql_real_escape_string().

 

 

Orio.

Use sessions. Never use hidden fields.

 

Never use hidden fields? Hidden fields can have great uses, but you have to use them wisely.

In this case, I agree. Sessions are the way to go. But imo it's wrong to say "Never use hidden fields"...

 

Orio.

I meant never use hidden fields for the purpose of passing information between pages. It's just messy.

I decided to go back to using only one page (much safer in my opinion...I just thought that might have been my problem so I was trying different solutions) and ended up getting this error:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'From: Cali2 dog name: drake like: Correct type. dont like: txt talk favorite' at line 1

^this is from the $msg field.

 

This is my update.php as a whole page:

<?php
include("db_settings.php");
if(!file_exists("install.php")){

    //processing
    $step = $_POST['step'];
    $name = $_POST['name'];
    $msg = $_POST['msg'];
    $email = $_POST['email'];
    $website = $_POST['website'];
    $id = $_POST['id'];
    $time = time();

    if($step==0 || $step==""){
        echo "Choose your id";

        echo "<form method='POST' action='update.php'>";
        echo "<input type='hidden' value='1' name='step'>";
        echo "ID #:<input type='text' name='id' size=30><br>";
        echo "<input type='submit' value='Update Memo'>";
        echo "</form>";
    }
    if($step==1){
        $result = mysql_query("SELECT * FROM remember WHERE `id`=$id");
        while($row = mysql_fetch_array($result))
        {
            $name = $row['name'];
            $email = $row['email'];
            $website = $row['website'];
            $msg = $row['msg'];
            //show input
            echo "<b>Remember Information:<br></b>";

            //form
            echo "<form method='POST' action='update.php'>";
            echo "<input type='hidden' value='2' name='step'>";
            echo "<input type='hidden' value='$id' name='id'>";
            echo "A Name:<input type='text' name='name' value='$name' size=30><b>*</b><br>";
            echo "An Email:<input type='text' name='email' value='$email' size=30><br>";
            echo "A Website:<input type='text' name='website' value='$website' size=30><br>";
            echo "Memo:<br><textarea cols='30' rows='6' name='msg' wrapping='virtual'>$msg</textarea><b>*</b><br>";
            echo "<input type='submit' value='Update Memo'>";
            echo "</form>";
            echo "* required";
            echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
        }
    }
    if($step==2){
        //error check time
        $e = 0;
        $s = "";
        //name errors
        if(strlen($name) < 2){
            $e++;
            $s = $s."Name is too short.<br>";
        }
        if($name == NULL){
            $e++;
            $s = $s."Must enter a name.<br>";
        }
        if(strlen($name) > 50){
            $e++;
            $s = $s."Name is too long.<br>";
        }
        //email errors
        if(strlen($email) > 0){
            if(strstr($email, "@")==FALSE || strstr($email, ".")==FALSE){
                $e++;
                $s = $s."The Email Address does not appear to be <b>valid</b>.<br>";
            }
        }
        //msg errors
        if($msg == NULL){
            $e++;
            $s = $s."You must enter a message.<br>";
        }
        if(strlen($msg) < 5){
            $e++;
            $s = $s."The message you entered was too short.<br>";
        }
        if(strlen($msg) > 255){
            $e++;
            $s = $s."Your message was too long.<br>";
        }
        //website errors
        if(strlen($website) > 1){
            if(strstr($website, ".")==FALSE){
                $e++;
                $s = $s."Your website doesn't seem to be <b>valid</b>.<br>";
            }
            if(strstr($website, "http://")==TRUE){
                $e++;
                $s = $s."Please remove the '<tt>http://</tt>'";
            }
        }
        //ending...
        $s = $s."<br>";
        //if error is bigger than 0 show the list of errors
        if($e>0){
            echo "Not going to work because $e errors were found.<br>";
            echo "Please correct these errors before continuing:<br><br>";
            echo "$s<br>";
            echo "<input type='button' onclick='javascript:history.go(-1);' value='Back'>";
            echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
        } else {
            //show the thumbs up
            $q = "UPDATE remember SET msg=$msg, name=$name, email=$email, website=$website, time=$time WHERE id=$id";
            $go = mysql_query($q) or die(mysql_error());

            if(!$go){
                echo "SHIT!!! Something went wrong.";
                echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
            } else {
                echo "YAY!!! Your message got updated!";
                echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
            }
        }
    }
} else {

    echo "You need to run the '<tt><a href='install.php'>install.php</a></tt>'";
    echo "<br>";
    echo "If you already ran the install please delete it.";
    echo "<br><br><br>Created by <a href='http://smfhost.info'>derrick1123</a>";
}
?>

And single quotes around the variables in your queries.

 

This:

//show the thumbs up
$q = "UPDATE remember SET msg=$msg, name=$name, email=$email, website=$website, time=$time WHERE id=$id";

 

Should be:

//show the thumbs up
$q = "UPDATE remember SET msg='$msg', name='$name', email='$email', website='$website', time='$time' WHERE id=$id";

 

 

Orio.
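The following is an added example, not code from derrick1123 or Orio. It brings together the points raised in Orio's security list (the step check, the hidden fields, the missing escaping) and in the quoting post just above, written as one update.php: the chosen id is kept in the session instead of a hidden field, the step value is cast to an integer and only the expected values are handled, and every user-supplied value reaches MySQL as a bound parameter, which takes care of both the quoting and the escaping at once. It assumes PHP 7 or later, mysqli with mysqlnd (for get_result()), the "remember" table with the columns used in the thread, and placeholder connection details in place of the thread's db_settings.php.

```php
<?php
// Added example (not the thread's own code). Assumed: PHP 7+, mysqli with
// mysqlnd, the "remember" table (id, name, email, website, msg, time) from the
// thread, and placeholder connection details.
session_start();

$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db->connect_error) {
    die('Database connection failed.');
}
$db->set_charset('utf8mb4');

// Escape stored values before echoing them back into the form's HTML.
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Cast to int: an absent or empty step is explicitly 0, instead of
// satisfying both $step==0 and $step=="" by loose comparison.
$step = isset($_POST['step']) ? (int)$_POST['step'] : 0;

if ($step === 1) {
    // Step 1: look up the id the user typed. It must be a whole number.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $row = null;
    if ($id !== null && $id !== false) {
        $stmt = $db->prepare('SELECT name, email, website, msg FROM remember WHERE id = ? LIMIT 1');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
    }
    if ($row === null) {
        echo 'No memo found for that id.<br>';
        $step = 0;                       // fall through to the id form below
    } else {
        $_SESSION['edit_id'] = $id;      // the client never sends the id again
        echo "<b>Remember Information:<br></b>";
        echo "<form method='POST' action='update.php'>";
        echo "<input type='hidden' name='step' value='2'>";
        echo "A Name:<input type='text' name='name' value='" . h($row['name']) . "' size=30><b>*</b><br>";
        echo "An Email:<input type='text' name='email' value='" . h($row['email']) . "' size=30><br>";
        echo "A Website:<input type='text' name='website' value='" . h($row['website']) . "' size=30><br>";
        echo "Memo:<br><textarea cols='30' rows='6' name='msg'>" . h($row['msg']) . "</textarea><b>*</b><br>";
        echo "<input type='submit' value='Update Memo'>";
        echo "</form>* required";
        exit;
    }
}

if ($step === 2) {
    // Step 2: save. The id comes from the session, so editing the page
    // source cannot point the UPDATE at a different row.
    if (!isset($_SESSION['edit_id'])) {
        echo 'Choose an id first.<br>';
        $step = 0;
    } else {
        $id      = (int)$_SESSION['edit_id'];
        $name    = trim($_POST['name'] ?? '');
        $email   = trim($_POST['email'] ?? '');
        $website = trim($_POST['website'] ?? '');
        $msg     = trim($_POST['msg'] ?? '');
        $errors  = [];
        if (strlen($name) < 2 || strlen($name) > 50) {
            $errors[] = 'Name must be 2 to 50 characters.';
        }
        if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'The Email Address does not appear to be valid.';
        }
        if (strlen($msg) < 5 || strlen($msg) > 255) {
            $errors[] = 'Message must be 5 to 255 characters.';
        }
        if ($errors) {
            echo 'Please correct these errors:<br>' . implode('<br>', array_map('h', $errors));
            exit;
        }
        // Placeholders, not string interpolation: the values never become part
        // of the SQL text, so an apostrophe in $msg is just data, not syntax.
        $time = time();
        $stmt = $db->prepare('UPDATE remember SET msg = ?, name = ?, email = ?, website = ?, time = ? WHERE id = ?');
        $stmt->bind_param('ssssii', $msg, $name, $email, $website, $time, $id);
        $ok = $stmt->execute();
        $stmt->close();
        unset($_SESSION['edit_id']);
        echo $ok ? 'Your message got updated!' : 'Something went wrong.';
        exit;
    }
}

// Step 0 (default, and the fallback for anything unexpected): ask for the id.
echo "Choose your id";
echo "<form method='POST' action='update.php'>";
echo "<input type='hidden' name='step' value='1'>";
echo "ID #:<input type='text' name='id' size=30><br>";
echo "<input type='submit' value='Update Memo'>";
echo "</form>";
```

The one hidden field that remains carries only the step number, which is harmless because the server decides what each step may do and where the id comes from; the quoting fix from the post above becomes unnecessary because the prepared statement, not the PHP string, is what MySQL parses.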

Archived

This topic is now archived and is closed to further replies.
