#1
    Posted by username??


    Hi, basically I'm trying to display information that a user has submitted on a page from a form. However, on submitting the form the information shows up.
    My problem I have is I can't figure out the code to show the user that posted it. Username is the field in the table.

    PHP Code:
    // Builds the INSERT from the submitted form fields (legacy mysql_* escaping, as posted)
    $sql = "INSERT INTO $db_table(title,name,name2,description,contact,contact2,url,y)
    values ('"
    .mysql_real_escape_string(stripslashes($_REQUEST['title']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['name']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['name2']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['description']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['contact']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['contact2']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['url']))."','"
    .mysql_real_escape_string(stripslashes($_REQUEST['y']))."')";
    Basically this picks up the information from the form and it is displayed on a separate page. Can anybody help me in a way that I can also integrate the username that posted it. I have been using $_SESSIONs for most of the login part of the system.

    Thanks.
    Last edited by requinix; April 24th, 2013 at 10:14 PM. Reason: wordwrap plz kthxbye
  2. #2
  3. Sarcky
    This code is making use of several bad practices, things which are officially not recommended in PHP for any reason.

    That being said, the answer to your actual question is:
    Add a column for userID to the table
    Add the userID to this input (from the session)
    Select out the userID when you display this data on the page
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
  4. #3
    Originally Posted by ManiacDan
    This code is making use of several bad practices, things which are officially not recommended in PHP for any reason.

    That being said, the answer to your actual question is:
    Add a column for userID to the table
    Add the userID to this input (from the session)
    Select out the userID when you display this data on the page
    OK, I already have a userid in the table.
    What is the code to add userID to the input from the session? - I'm new to this.

    Also could you tell me how I could improve my code and why?
  6. #4
  7. Sarcky
    Your query contains a comma-separated list of database columns. Following that is a comma-separated list of inputs. Add a new column for userId. Add a new input for the same.

    And pretty much every line of this code is incorrect. You should look into PDO for database queries. Also, your use of stripslashes means your server is either badly out of date or misconfigured.
  8. #5
    Originally Posted by grillzeE
    Also could you tell me how I could improve my code and why?
    The features you're using are ancient. This code may have been OK in the year 2000 or so, but it's 2013 now. PHP has changed.

    "Magic quotes" (the ones you're fighting with stripslashes()) and the old MySQL extension have been obsolete for at least 10 years. Actually, "magic quotes" were always bad.

    It's great that you at least escape your data, but this doesn't change the fact that the MySQL extension was superseded by MySQLi and PDO almost a decade ago. Nowadays, it's merely used in legacy code and crappy tutorials -- and by the people reading those tutorials.

    $_REQUEST is bad, because it's error-prone, confusing and insecure. It means that you can insert data via a GET request -- or even worse: have somebody else click on this link (or load a picture with this source) and insert data in their name.

    Last but not least, your variable and column names are not very useful. What's a "db_table"? What's "y"? What exactly does "sql" do? Use descriptive names that actually tell you and possible readers the exact content of the variables.
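
Added example (not part of any post in this thread, and not the original poster's code): one way to apply the advice from posts #2, #4 and #5, inserting the row through a PDO prepared statement, taking the poster's ID from the session and accepting POST only. The table name `listings`, the `user_id` column and session key, the `csrf_token` form field and the connection details are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: listings, user_id, csrf_token and the DSN/credentials are assumed names.
session_start();

// Accept only POST so a crafted link or image URL (a GET request) cannot trigger an insert.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// The poster's identity comes from the server-side session, never from a form field.
if (!isset($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Per-session token: the form must echo back the value stored in the session,
// so another site cannot submit the form in the logged-in user's name.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || !isset($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    http_response_code(403);
    exit('Invalid request token');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4',
    'app_user',
    'placeholder-password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Collect the same fields as the original query; non-string input becomes ''.
$fields = ['title', 'name', 'name2', 'description', 'contact', 'contact2', 'url', 'y'];
$params = [':user_id' => (int) $_SESSION['user_id']];
foreach ($fields as $field) {
    $value = $_POST[$field] ?? '';
    $params[":$field"] = is_string($value) ? $value : '';
}

// Placeholders keep data out of the SQL text: no escaping and no stripslashes() needed.
$stmt = $pdo->prepare(
    'INSERT INTO listings (user_id, title, name, name2, description, contact, contact2, url, y)
     VALUES (:user_id, :title, :name, :name2, :description, :contact, :contact2, :url, :y)'
);
$stmt->execute($params);
```

On the display page, the stored `user_id` can be joined to the users table to show the username, with `htmlspecialchars()` applied to every value on output.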
