2

What I would like to do is find out who submitted the form by using the logged in session. I want to retrieve the 'user_id' from the table USERS once logged in. Then when they have written a review and submitted the form the user_id is to be to be sent to the films table,

Any help would be greatly appreciated.

-- Table structure for table `films` -- CREATE TABLE IF NOT EXISTS `films` ( `movie_id` int(4) NOT NULL AUTO_INCREMENT, `movie_title` varchar(100) NOT NULL, `actor` varchar(100) NOT NULL, `rating` varchar(20) NOT NULL, `user_id` int(100) NOT NULL, PRIMARY KEY (`movie_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=38 ; -- -- Table structure for table `users` -- CREATE TABLE IF NOT EXISTS `users` ( `user_id` int(4) NOT NULL AUTO_INCREMENT, `email` varchar(40) NOT NULL, `password` varchar(40) NOT NULL, `name` varchar(30) NOT NULL, PRIMARY KEY (`user_id`) ) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ; INSERT INTO `users` (`user_id`, `email`, `password`, `name`) VALUES (1, '[email protected]', 'password', 'Ben'); -- -- Constraints for table `reviewed` -- ALTER TABLE `reviewed` ADD CONSTRAINT `reviewed_ibfk_1` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`), ADD CONSTRAINT `reviewed_ibfk_2` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`) ON DELETE CASCADE;

Here is the login form where the session is created I'm assuming that I am not creating it properly.

<?php include('./includes/header.php'); if (isset($_POST['submit'])) { $error = array(); // Initialize error array. // Check for a email. if (empty($_POST['email'])) { $error[] = "Please neter a email"; } else { $email = $_POST['email']; } // Check for a password. if (empty($_POST['password'])) { $error[] = "Please enter a password"; } else { $password = $_POST['password']; } if (empty($error)) { // No errors found require_once('./includes/mysql_connect.php'); $match = "SELECT * FROM users WHERE email='$email' AND password='$password'"; $qry = mysql_query($match); $num_rows = mysql_num_rows($qry); if ($num_rows == true) { $_SESSION['user_id']=$_POST['email']; header("location:index.php"); } else { echo "No user name or id "; } } else { foreach ($error as $msg) { echo $msg; } } } ?> <html> <form method="post" action="login.php"> <fieldset><legend>Login</legend> <label for="email">Email</label> <input type="text" name="email" id="email" /> <br/> <label for="password">Password</label> <input type="password" name="password" id="password" /> <br/> <input type="submit" name="submit" value="login" /> </fieldset> </form> </html> <?php include('./includes/footer.php'); ?>

And the review form where I would like to send the session user_id to MySql database

<?php include('./includes/header.php'); echo "<h1>Add A film</h1>"; if(isset($_POST['submitted'])){ $errors = array(); // Initialize error array. $user = $_SESSION['user_id']; // Check for title. if (empty($_POST['movie_title'])){ $errors[] = "You forgot to enter a title."; } else { $mt = (trim($_POST['movie_title'])); } // Check for leading actor if (empty($_POST['leading_actor'])){ $errors[] = "You forgot to enter a actor"; } else { $la = (trim($_POST['leading_actor'])); } // Check for a rating if (empty($_POST['rating'])){ $errors[] = "Please select a rating."; } else { $rating = ($_POST['rating']); } // Check for a review if (empty($_POST['review'])){ $errors[] = "Please write a review"; } else { $review = (trim($_POST['review'])); } if (empty($errors)) { // If no errors were found. require_once('./includes/mysql_connect.php'); // Make the insert query. $query = "INSERT INTO films (movie_title, actor, rating, user_id) Values ('$mt', '$la', '$rating', '$user')"; $result = mysql_query($query); $id = mysql_insert_id(); $query = "INSERT INTO reviewed (review, movie_id) values ('$review', '$id')"; $result = mysql_query($query); //Report errors. } else { foreach ($errors as $msg){ echo " - $msg <br/> "; } } }; ?> <html> <form action="review_a_film.php" method="post" id="review_a_film"> <fieldset> <label for="title">Movie Title</label> <input type="text" name="movie_title" id="movie_title" /> <br/> <br/> <label for="actor">Leading Actor</label> <input type="text" name="leading_actor" id="leading_name" /> <br/> <br/> <label for="rating">Rating</label> <select id="rating" name="rating"/> <option selected="selected" value=0 disabled="disabled">Select a Rating</option> <option value="Terrible">Terrible</option> <option value="Fair">Fair</option> <option value="Ok">Ok</option> <option value="Good">Good</option> <option value="Excellent">Excellent</option> </select> <br/> <br/> <label for="review">Your Review</label> <br/> <textarea name="review" id="review" rows="15" cols="60"></textarea> <br/> <br/> <input type="submit" name="submit" id="submit" value="submit" /> <input type="hidden" name="submitted" value="TRUE" /> </fieldset> </form> </html> <?php include('./includes/footer.php'); ?>
Improve this question
2
  • 1
    You are checking for email/password credentials. If the credentials match, you already have your user. Now get the user_id and save it to $_SESSION['user_id']. When user is submitting a film review, retrieve the user_id from $_SESSION['user_id'] and pass that to the SQL INSERT statement. Commented Oct 8, 2013 at 20:39
  • 1
    Are you really storing passwords in plain text? You should probably not be doing this user system. At least not now. Spend a good amount of time learning about security and then try it, as you are putting in danger your user's security, not only your web's one. If you want to learn more: you must hash them with a secure hashing algorithm](stackoverflow.com/q/4795385/938236). Furthermore, there's some clear SQL injection vulnerabilities. Commented Oct 8, 2013 at 21:23

1 Answer 1

Reset to default
2

To answer your question: Store their user_id in the variable $_SESSION['user_id'], and then clear $_SESSION['user_id'] when they logout.

However there are other problems you need to fix.

You can't store passwords in plain text. This is not good practice. If you are hacked(which seems likely due to your SQL vulnerabilities, get to that in a second) and are storing passwords in plain text, people are going to be angry at you. You need to research password hashing. Here's a couple links to get you started: Encryption using mcrypt, PHP, and MySQL How can I store my users' passwords safely?

You are also vulnerable to SQL injection. You must use paramaterized queries or users can inject sql into your code.

Paramaterized queries in php look like this:

$var = $unsafevar; $stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE username = ?"); mysqli_stmt_bind_param($stmt, 's', $var); mysqli_stmt_execute($stmt); $result = mysqli_stmt_get_result($stmt); $row = mysqli_fetch_assoc($result);

The ?'s represent variables, which are binded and inserted by bind_param.

Check out owasp's sql injection page and their top ten:

Owasp SQL injection

Owasp top ten

You MUST learn these things before you can even consider posting a site with a user database online.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.