2

What I would like to do is find out who submitted the form by using the logged-in session. I want to retrieve the 'user_id' from the table USERS once logged in. Then, when they have written a review and submitted the form, the user_id is to be sent to the films table.

Any help would be greatly appreciated.

-- Table structure for table `films`
--

CREATE TABLE IF NOT EXISTS `films` (
  `movie_id` int(4) NOT NULL AUTO_INCREMENT,
  `movie_title` varchar(100) NOT NULL,
  `actor` varchar(100) NOT NULL,
  `rating` varchar(20) NOT NULL,
  `user_id` int(100) NOT NULL,
  PRIMARY KEY (`movie_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=38 ;

--
-- Table structure for table `users`
--

CREATE TABLE IF NOT EXISTS `users` (
  `user_id` int(4) NOT NULL AUTO_INCREMENT,
  `email` varchar(40) NOT NULL,
  `password` varchar(40) NOT NULL,
  `name` varchar(30) NOT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=InnoDB  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;


INSERT INTO `users` (`user_id`, `email`, `password`, `name`) VALUES
(1, 'ben@talktalk.net', 'password', 'Ben');

--
-- Constraints for table `reviewed`
--
ALTER TABLE `reviewed`
  ADD CONSTRAINT `reviewed_ibfk_1` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`),
  ADD CONSTRAINT `reviewed_ibfk_2` FOREIGN KEY (`movie_id`) REFERENCES `films` (`movie_id`) ON DELETE CASCADE;

Here is the login form where the session is created. I'm assuming that I am not creating it properly.

<?php
  include('./includes/header.php');

  if (isset($_POST['submit'])) {
      $error = array(); // Initialize error array.

      // Check for a email.
      if (empty($_POST['email'])) {
          $error[] = "Please enter an email";
      } else {
          $email = $_POST['email'];
      }

      // Check for a password.
      if (empty($_POST['password'])) {
          $error[] = "Please enter a password";
      } else {
          $password = $_POST['password'];
      }

      if (empty($error)) { // No errors found
          require_once('./includes/mysql_connect.php');
          $match = "SELECT * FROM users WHERE email='$email' AND password='$password'";
          $qry = mysql_query($match);
          $num_rows = mysql_num_rows($qry);

          if ($num_rows == true) {
              $_SESSION['user_id']=$_POST['email'];
               header("location:index.php");
          } else {
               echo "No user name or id ";
          }
      } else {
          foreach ($error as $msg) {
              echo $msg;
          }
      }
  }
?>

<html>
<form method="post" action="login.php">
    <fieldset><legend>Login</legend>
      <label for="email">Email</label>
      <input type="text" name="email" id="email" />
      <br/>
      <label for="password">Password</label>
      <input type="password" name="password" id="password" />
      <br/>
    <input type="submit" name="submit" value="login" />
    </fieldset>
</form>
</html>


<?php
  include('./includes/footer.php');
?>

And the review form, where I would like to send the session user_id to the MySQL database:

<?php
  include('./includes/header.php');
  echo "<h1>Add A film</h1>";
      if(isset($_POST['submitted'])){
      $errors = array(); // Initialize error array.
      $user = $_SESSION['user_id'];

      // Check for title.
      if (empty($_POST['movie_title'])){
          $errors[] = "You forgot to enter a title.";
      } else {
          $mt = (trim($_POST['movie_title']));
      }
      // Check for leading actor
      if (empty($_POST['leading_actor'])){
          $errors[] = "You forgot to enter a actor";
      } else {
          $la = (trim($_POST['leading_actor']));
      }
      // Check for a rating
      if (empty($_POST['rating'])){
          $errors[] = "Please select a rating.";
      } else {
          $rating = ($_POST['rating']);
      }
      // Check for a review
      if (empty($_POST['review'])){
          $errors[] = "Please write a review";
      } else {
          $review = (trim($_POST['review']));
      }
      if (empty($errors)) { // If no errors were found.
          require_once('./includes/mysql_connect.php');

          // Make the insert query.
          $query = "INSERT INTO films (movie_title, actor, rating, user_id)
          Values ('$mt', '$la', '$rating', '$user')";
          $result = mysql_query($query);
          $id = mysql_insert_id();
          $query = "INSERT INTO reviewed (review, movie_id)
          values ('$review', '$id')";
          $result = mysql_query($query);

          //Report errors.
      } else {
          foreach ($errors as $msg){
              echo " - $msg <br/> ";
          }
      }
  };
?>

<html>
<form action="review_a_film.php" method="post" id="review_a_film">
    <fieldset>
        <label for="title">Movie Title</label>
        <input type="text" name="movie_title" id="movie_title" />
        <br/>
        <br/>
        <label for="actor">Leading Actor</label>
        <input type="text" name="leading_actor" id="leading_name" />
        <br/>
        <br/>
        <label for="rating">Rating</label>
        <select id="rating" name="rating">
            <option selected="selected" value=0 disabled="disabled">Select a Rating</option>
            <option value="Terrible">Terrible</option>
            <option value="Fair">Fair</option>
            <option value="Ok">Ok</option>
            <option value="Good">Good</option>
            <option value="Excellent">Excellent</option>
        </select>
        <br/>
        <br/>
        <label for="review">Your Review</label>
        <br/>
        <textarea name="review" id="review" rows="15" cols="60"></textarea>
        <br/>
        <br/>
        <input type="submit" name="submit" id="submit" value="submit" />
        <input type="hidden" name="submitted" value="TRUE" />
    </fieldset>
</form>
</html>

<?php
  include('./includes/footer.php');
?>
Adi Inbar
user1829823
  • 1
    You are checking for email/password credentials. If the credentials match, you already have your user. Now get the `user_id` and save it to `$_SESSION['user_id']`. When user is submitting a film review, retrieve the user_id from `$_SESSION['user_id']` and pass that to the SQL INSERT statement. – WebNovice Oct 08 '13 at 20:39
  • 1
    [**Are you *really* storing passwords in plain text?**](http://plaintextoffenders.com/) You should probably not be doing this user system. At least not now. Spend a **good** amount of time learning about security and then try it, as you are putting in danger your user's security, not only your web's one. If you want to learn more: [you must hash them](http://stackoverflow.com/q/401656/938236) with [a secure hashing algorithm](http://stackoverflow.com/q/4795385/938236). Furthermore, there's some **clear SQL injection vulnerabilities**. – Francisco Presencia Oct 08 '13 at 21:23

1 Answer

2

To answer your question: Store their user_id in the variable $_SESSION['user_id'], and then clear $_SESSION['user_id'] when they logout.

However there are other problems you need to fix.

You can't store passwords in plain text. This is not good practice. If you are hacked (which seems likely due to your SQL vulnerabilities; I'll get to that in a second) and are storing passwords in plain text, people are going to be angry at you. You need to research password hashing. Here's a couple of links to get you started: "Encryption using mcrypt, PHP, and MySQL" and "How can I store my users' passwords safely?"

You are also vulnerable to SQL injection. You must use parameterized queries or users can inject SQL into your code.

Parameterized queries in PHP look like this:

$var = $unsafevar;
$stmt = mysqli_prepare($connection, "SELECT * FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, 's', $var);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);

The ?'s represent variables, which are bound and inserted by bind_param.

Check out OWASP's SQL injection page and their top ten:

OWASP SQL injection

OWASP top ten

You MUST learn these things before you can even consider posting a site with a user database online.

Community
James G.
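The flow the comments and the answer describe (look the user up with a bound parameter, verify a stored hash, put the numeric `user_id` in the session, then bind that id into the INSERT) as an added example; it is not code from the question or the answer. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL connection, the `password_hash` column replaces the question's `varchar(40)` `password` column (the PHP manual recommends 255 characters for `password_hash()` output), and the function names `login` and `addFilm` and all sample data are constructed for illustration.

```php
<?php
// Added example with constructed schema and data; SQLite in memory stands in for MySQL.
session_start();

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT UNIQUE,
           password_hash TEXT, name TEXT)');
$db->exec('CREATE TABLE films (movie_id INTEGER PRIMARY KEY, movie_title TEXT,
           actor TEXT, rating TEXT, user_id INTEGER)');

// Constructed account: only the hash is stored, never the password itself.
$db->prepare('INSERT INTO users (email, password_hash, name) VALUES (?, ?, ?)')
   ->execute(['ben@example.test', password_hash('correct horse', PASSWORD_DEFAULT), 'Ben']);

// Returns the numeric user_id on success, null on any failure.
function login(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT user_id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);                     // bound as data, never concatenated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                              // same result for unknown email or bad password
    }
    session_regenerate_id(true);                  // fresh session id after authentication
    $_SESSION['user_id'] = (int) $row['user_id']; // the id from the row, not the email
    return $_SESSION['user_id'];
}

// Inserts a film owned by the logged-in user; the id comes from the session, not the form.
function addFilm(PDO $db, string $title, string $actor, string $rating): int
{
    if (!isset($_SESSION['user_id'])) {
        throw new RuntimeException('Not logged in');
    }
    $stmt = $db->prepare(
        'INSERT INTO films (movie_title, actor, rating, user_id) VALUES (?, ?, ?, ?)');
    $stmt->execute([$title, $actor, $rating, $_SESSION['user_id']]);
    return (int) $db->lastInsertId();
}

// Run everything before printing so the session id can still be regenerated.
$quoted = login($db, "nobody'@example.test", 'x'); // the quote stays inside the bound value
$wrong  = login($db, 'ben@example.test', 'password');
$userId = login($db, 'ben@example.test', 'correct horse');
$filmId = addFilm($db, 'Constructed Title', 'Constructed Actor', 'Good');
$owner  = $db->query('SELECT user_id FROM films')->fetchColumn();
var_dump($quoted, $wrong, $userId, $filmId, (int) $owner);
```

With the MySQL driver the same `prepare`/`execute` calls apply; only the DSN passed to `new PDO(...)` and the table definitions change.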