For the first time I am needing to join information from two tables and am quite nervous about doing it without any advice first.

Basically, I am building a secure site that is accessed by authorised users. I have my login table with user_id, username, password

Once the user is on the site, they have the option of inputting data into another table called input. At the moment this table only captures the information that is entered, not the user_id or username of the inputter.

I would like the form to be able to input the user_id and/or username from the login table into the input table.

Please could somebody talk me through this process?

I am sure that once this is amended, I will then be able to use the table to only allow the logged in user to access the information that he or she has inputted, is that correct?

Many thanks

+1  A: 

First of all, don't put the user_id or username into the form. Anyone can change a form (yes, even hidden fields) so they could change the username or userID. Use a SESSION variable to store the username and/or userID.

How did you design your tables? With two tables you can do the trick:

logins ( USERID, USERNAME, PASSWORD )
inputs ( USERID, COMMENTS )

On the page processing the login form, after the login is successful, you put the UserID in the SESSION. Then on your page processing the input form, you just do an INSERT in your inputs with the UserID from the SESSION.

Then later on the page showing the inputs, you can SELECT l.USERNAME, i.COMMENTS WHERE l.USERID = i.USERID etc etc

Konerak
Thank you Konerak, I'm feeling pretty thick today. How can I do an INSERT into my form from the session? I have tried adding it as a field in my table: `<td>Bodyshop Name:</td> <td><input name="bodyshop_name" value="<?php echo $_SESSION['MM_Username']?>" readonly="readonly" /></td> </tr> <tr> <td>Owners Name:</td> <td><input type="text" name="Owners_Name" /></td>` But I'm either using the wrong input element or have completely missed your point, sorry for being so dumb.
Lisa
Oh no, don't output the ID to the form - this will allow a user to modify the value, leading to potential security holes. Just use the value on the php-script parsing the form. Instead of just treating the $_POST, use the $_SESSION for the username.
Konerak
+1  A: 

As Konerak says, you cannot rely on user-submitted data. You've previously authenticated this user, therefore at that time you knew the username and the fact that it was valid - in most applications a good developer would store these facts, because you'll need them to perform any subsequent authorization.

So you just do something like:

 // the owner column comes from the session, never from $_POST
 $sql = "INSERT INTO input (comment, date, user)
         VALUES ('" . mysql_real_escape_string($_POST['comment']) . "',
         NOW(), '" . mysql_real_escape_string($_SESSION['authenticated_user']) . "')";

(NB if you are using mod_auth_mysql or similar, where the authentication is handled by the webserver, then the authenticated username is contained in $_SERVER['PHP_AUTH_USER'].)

C.

symcbean
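The complete flow that both answers describe (authenticate, keep only the user id in the session, insert with the owner taken from the session, then select only that user's rows), written out as an added example. This is not code from the thread or from either answerer: it uses PDO prepared statements rather than string concatenation with mysql_real_escape_string, the table and column names (logins, inputs, password_hash, created_at) are assumed, and an in-memory SQLite database stands in for MySQL so the script runs stand-alone (only the DSN would change for MySQL).

```php
<?php
// Added example, not from the original thread. Assumes the pdo_sqlite
// extension; table/column names are illustrative. CURRENT_TIMESTAMP is
// used instead of NOW() because it works in both SQLite and MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logins (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE inputs (input_id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, comments TEXT, created_at TEXT)');

// Constructed sample users. Passwords are stored hashed, never in clear text.
$ins = $db->prepare('INSERT INTO logins (username, password_hash) VALUES (?, ?)');
$ins->execute(['lisa',    password_hash('lisa-secret',    PASSWORD_DEFAULT)]);
$ins->execute(['mallory', password_hash('mallory-secret', PASSWORD_DEFAULT)]);

// login.php: verify the credentials and put ONLY the user_id into the session.
// In a real app $session is $_SESSION after session_start(), and you would
// call session_regenerate_id(true) on success to defeat session fixation.
function login(PDO $db, array &$session, string $username, string $password): bool
{
    $st = $db->prepare('SELECT user_id, password_hash FROM logins WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    $session['user_id'] = (int) $row['user_id'];
    return true;
}

// process_input.php: the owner of the row comes from the session. Anything the
// form sends under "user_id" is simply never read, so a tampered hidden field
// cannot attribute the input to somebody else.
function save_input(PDO $db, array $session, array $post): int
{
    if (!isset($session['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $st = $db->prepare('INSERT INTO inputs (user_id, comments, created_at) VALUES (?, ?, CURRENT_TIMESTAMP)');
    $st->execute([$session['user_id'], $post['comments'] ?? '']);
    return (int) $db->lastInsertId();
}

// show_inputs.php: the join from the answers, restricted to the logged-in user.
function my_inputs(PDO $db, array $session): array
{
    if (!isset($session['user_id'])) {
        throw new RuntimeException('not logged in');
    }
    $st = $db->prepare(
        'SELECT l.username, i.comments FROM inputs i JOIN logins l ON l.user_id = i.user_id ' .
        'WHERE i.user_id = ? ORDER BY i.input_id'
    );
    $st->execute([$session['user_id']]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Walk-through with two separate sessions.
$lisa = [];
var_dump(login($db, $lisa, 'lisa', 'wrong-password'));   // false: nothing stored in session
login($db, $lisa, 'lisa', 'lisa-secret');

// A tampered form: claims user_id 2 and carries an injection attempt in the text.
// The user_id field is ignored and the quote is just data thanks to the placeholder.
save_input($db, $lisa, ['comments' => "Bodyshop A', 2); --", 'user_id' => 2]);
save_input($db, $lisa, ['comments' => 'Second entry']);

$mallory = [];
login($db, $mallory, 'mallory', 'mallory-secret');

print_r(my_inputs($db, $lisa));     // two rows, both attributed to lisa
print_r(my_inputs($db, $mallory));  // empty: mallory cannot see lisa's rows
```

The readonly field Lisa tried is still a client-controlled value; the browser can be told to submit anything in it. Nothing in the form needs to carry the user at all: the server already knows who it is from the session that the login page populated.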