#1
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)


    Passing Variable between pages


    Hi All,

    I'm struggling to pass a variable between pages... the variable in question is the $id variable which is collected on page 1's POST...

    Page 1:

    PHP Code:
    <?php
    $id = (int)$_POST["id"];
    /* 
     * To change this license header, choose License Headers in Project Properties.
     * To change this template file, choose Tools | Templates
     * and open the template in the editor.
     */
    require_once('db_init.php');

    $conn = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME) or die('Could not connect to database server.');

    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $strsql = "SELECT cc.Client_Category_ID, lc.Category_ID , lc.Category FROM tblClient AS c INNER JOIN tblClient_Category AS cc ON cc.Client_ID = c.Client_ID INNER JOIN tblLookUp_Category AS lc ON lc.Category_ID = cc.Category_ID WHERE c.Client_ID = $id GROUP BY Category ASC";
    $result = mysqli_query($conn, $strsql);

    echo "<table border='1'>
    <tr>
    <th>Category</th>
    <th>Delete</th>
    </tr>";

    while ($row = mysqli_fetch_array($result))
    {
        echo "<tr>";
        echo "<td>" . $row['Category'] . "</td>";
        echo "<td><a href=\"deletecategory.php?id=" . $row['Client_Category_ID'] . "\" style=\"text-decoration: none\">Delete</a></td>";
        echo "</tr>";
    }
    echo "</table>";

    mysqli_close($conn);

    echo "<br>
    Add to New Category
    <br>";

    echo "<form action=\"insertcategory.php\" method=\"post\" enctype=\"multipart/form-data\">";
    echo "<input type=\"hidden\" name=\"clientid\" value=\"<?=$id?>\">";
    require_once('db_init.php');

    $conn2 = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME) or die('Could not connect to database server.');

    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $strsql2 = "SELECT * FROM tblLookUp_Category";
    $result2 = mysqli_query($conn2, $strsql2);

    echo "<table border='1'>
    <tr>
    <th>Category</th>
    <th>Add</th>
    </tr>
    <tr>
    <td>";
    while ($row = mysqli_fetch_array($result2))
    {
        echo "<select name='Category_ID'>";
        while ($row = mysqli_fetch_array($result2)) {
            echo "<option value='" . $row['Category_ID'] . "'>" . $row['Category'] . "</option>";
        }
        echo "</select>";
    }
    echo "</td>
    <td>
    <input type=\"submit\" value=\"Submit\">
    </td>
    </tr>
    </table>";

    mysqli_close($conn2);
    echo "</form>";

    ?>

    Page 2:

    PHP Code:
    <?php
    $clientid = (int)$_POST["clientid"];
    $categoryid = (int)$_POST["Category_ID"];
    echo $clientid;
    echo "<br>";
    echo $categoryid;
    echo "<br>";

    require_once('db_init.php');

    $conn = mysqli_connect($DBHOST, $DBUSER, $DBPASS, $DBNAME) or die('Could not connect to database server.');

    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $sql = "INSERT INTO tbl_Client_Category (Client_ID, Category_ID) VALUES ('$clientid','$categoryid')";
    if (mysqli_query($conn, $sql)) {
        echo "<br>";
        echo "Records added successfully.";
        echo "<br>";
    } else {
        echo "<br>";
        echo "ERROR: Could not able to execute $sql. " . mysqli_error($link);
        echo "<br>";
    }

    // close connection
    mysqli_close($conn);
    ?>

    What happens if I click on the button in the button of the form on page 1, I get:

    0
    5

    ERROR: Could not able to execute INSERT INTO tbl_Client_Category (Client_ID, Category_ID) VALUES ('0','5').
    But I don't know why I'm getting a 0 value passed for the client ID - It's working to render the first table in the first page annoyingly....

    Any help much appreciated.

    Many Thanks,
    Graham
  2. #2
  3. No Profile Picture
    Contributing User
    Devshed Specialist (4000 - 4499 posts)

    Passing variables between pages is non-trivial since you do not know which user is requesting the 2nd page. You need to use sessions.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  4. #3
  5. Lazy Moderator
    Devshed Supreme Being (6500+ posts)

    Code:
    echo "<input type=\"hidden\" name=\"clientid\" value=\"<?=$id?>\">";
    That won't work. Think about it.
  6. #4
  7. Banned (not really)
    Devshed Supreme Being (6500+ posts)

    This is a bad idea, even if you fix it. What's to stop me from changing the clientid and submitting categories for another client? Or calling deletecategory.php and deleting whatever I want, as I assume there's no clientid check there, either, since it's not passed.
    -- Cigars, whiskey and wild, wild women. --
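
The ownership check this reply asks for, combined with the session suggestion from #2, as an added example that is not code from the thread. PDO with in-memory SQLite stands in for the thread's MySQL connection so the script runs by itself; the `client_id` session key, both function names and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite stands
// in for the thread's MySQL database so the script runs on its own; the
// table and column names follow page 1's SELECT. Rows are constructed data.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE tblClient_Category (
    Client_Category_ID INTEGER PRIMARY KEY,
    Client_ID INTEGER NOT NULL,
    Category_ID INTEGER NOT NULL)');
$db->exec('INSERT INTO tblClient_Category VALUES (1, 7, 5), (2, 9, 5)');

/** Insert for the session's client; the posted clientid is never used. */
function add_category(PDO $db, array $session, array $post): bool
{
    $categoryId = filter_var($post['Category_ID'] ?? null, FILTER_VALIDATE_INT);
    if (empty($session['client_id']) || $categoryId === false) {
        return false;
    }
    $stmt = $db->prepare(
        'INSERT INTO tblClient_Category (Client_ID, Category_ID) VALUES (?, ?)');
    return $stmt->execute([(int) $session['client_id'], $categoryId]);
}

/** Delete a row only when it belongs to the session's client. */
function delete_category(PDO $db, array $session, array $get): bool
{
    $rowId = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if (empty($session['client_id']) || $rowId === false) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM tblClient_Category
        WHERE Client_Category_ID = ? AND Client_ID = ?');
    $stmt->execute([$rowId, (int) $session['client_id']]);
    return $stmt->rowCount() === 1; // 0 rows: the row is not this client's
}

// Constructed requests: the session says client 7, the form fields say otherwise.
$session = ['client_id' => 7];   // stands in for $_SESSION after login (hypothetical key)
var_dump(add_category($db, $session, ['clientid' => '9', 'Category_ID' => '3']));
var_dump(delete_category($db, $session, ['id' => '2'])); // client 9's row
var_dump(delete_category($db, $session, ['id' => '1'])); // client 7's own row
$owners = $db->query('SELECT Client_ID FROM tblClient_Category ORDER BY 1');
var_dump($owners->fetchAll(PDO::FETCH_COLUMN));
```

In a real page the first argument would be `$_SESSION` and the second `$_POST` or `$_GET`; the posted `clientid` field is simply never read.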
  8. #5
  9. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    PHP Code:
    echo "<input type=\"hidden\" name=\"clientid\" value=\"".$id."\">"
    ?
  10. #6
  11. No Profile Picture
    Contributing User
    Devshed Specialist (4000 - 4499 posts)

    That can be easily defeated/spoofed.
    There are 10 kinds of people in the world. Those that understand binary and those that don't.
  12. #7
  13. Plays with fire
    Devshed Beginner (1000 - 1499 posts)

    Your question requires a much larger answer than you probably anticipated.

    This is all about security and preventing people from intercepting your data and changing it on the fly.

    If you can, keep your form on a single page and make sure you check the values on the server before you do anything with them. Casting variables is important.
    “Be ashamed to die until you have won some victory for humanity.” -- Horace Mann

    "...all men are created equal." -- US Declaration of Independence
