2
<?php 
include 'core/init.php';
admin_protect();
include 'includes/overall/header.php'; 
?>
 <center><h1>Welcome to Admin Page Modify User</h1></center>




<?php
if (isset($_GET['success']) === true && empty($_GET['success']) === true) {
    echo 'Your Details have been updated! <br> <br>';
    echo '<a href="admin.php">Back to Admin Page</a>';
} else {

    if (empty($_POST) === false && empty($errors) === true) {

        $update_data = array(
            'first_name'    => $_POST['first_name'],
            'last_name'     => $_POST['last_name'],
            'gender'        => $_POST['gender'],
            'email'         => $_POST['email'],
            'dob_day'       => $_POST['dob_day'],
            'dob_month'     => $_POST['dob_month'],
            'dob_year'      => $_POST['dob_year'],
            // an unchecked checkbox is absent from $_POST, so test with isset() first
            'allow_email'   => (isset($_POST['allow_email']) && $_POST['allow_email'] == 'on') ? 1 : 0
        );

        // Updates the user id stored in the admin's own session, not the user
        // being modified (this is the behaviour the question below asks about).
        update_user($session_user_id, $update_data);
        header('Location: admin_modify.php?success');
        exit();

    } else if (empty($errors) === false) {
        echo output_errors($errors);
    }
?>

<form action="" method="post">
    <ul>
        <li>
            First Name* : <br> <input type="text" name="first_name" value="<?php echo htmlspecialchars($user_data['first_name']); ?>">
        </li>
        <li>
            Last Name : <br> <input type="text" name="last_name" value="<?php echo htmlspecialchars($user_data['last_name']); ?>">
        </li>
        <li>
            Gender*:<br>
            <select name="gender">
                <option><?php echo htmlspecialchars($user_data['gender']); ?></option>
                <option>Male</option>
                <option>Female</option>
            </select>
        </li>
        <li>
            Email* : <br> <input type="text" name="email" value="<?php echo htmlspecialchars($user_data['email']); ?>">
        </li>
        <li>
            Date of Birth*:<br>
            <select name="dob_day">
                <option><?php echo htmlspecialchars($user_data['dob_day']); ?></option>
                <?php loop_date(); ?>
            </select>
            <select name="dob_month">
                <option><?php echo htmlspecialchars($user_data['dob_month']); ?></option>
                <?php loop_month(); ?>
            </select>
            <select name="dob_year">
                <option><?php echo htmlspecialchars($user_data['dob_year']); ?></option>
                <?php loop_year(); ?>
            </select>
        </li>
        <li>
            <input type="checkbox" name="allow_email" <?php if ($user_data['allow_email'] == 1) { echo 'checked="checked"'; } ?>> Would you like to receive email from us?
        </li>
        <li>
            <input type="submit" value="Update">
        </li>
    </ul>
</form>



<?php
}

include 'includes/overall/footer.php';
?>

I am encountering problems when I want to modify or delete a user using the admin account. The problem is that the current session of the admin account is being recognized when you want to modify or delete it. How can I solve this problem? Thank you for all your help. :)

James Waddington
ggtaetiseo
  • Take a hidden field for the user id and use it, not the session, when you want to modify/delete the user from the admin account. – Needhi Agrawal Jan 29 '15 at 11:17
  • Why don't you newbies follow PHP security practices? I CAN see how vulnerable your code is to SQL injection; I can delete the whole table or drop the database completely. Please don't ruin PHP by using bad code. – Pratik Joshi Jan 29 '15 at 11:28

2 Answers

0

The best way to achieve what you want to do is to use a hidden input field. For example, if the user wants to modify the data of user 48, make him go to the page with a GET argument (modify_user.php?userId=48). In the page, insert a hidden input field like this:

<input type="hidden" name="userId" value="<?php echo htmlspecialchars($_GET["userId"]); ?>" />

This input is hidden, and the sole purpose of it is to transmit data to the process code.

When the form is submitted, you can access the data as usual ($_POST["userId"]).

Longwelwind
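The pattern the answer describes, put together as a complete admin page. This is an added example, not Longwelwind's code and not the asker's: the user id arrives in the URL on the first visit and in the hidden field on submit, is validated as a positive integer before anything else happens, and is the id passed to `update_user()` (instead of `$session_user_id`). Because a hidden id on its own would let any page the logged-in admin visits submit a forged update for an arbitrary user, the form also carries a CSRF token checked with `hash_equals()`. The helpers `admin_protect()`, `user_data($id, ...$fields)`, `update_user($id, $data)`, `output_errors()`, `loop_date()`, `loop_month()` and `loop_year()` are assumed to come from the question's own `core/init.php`, which is also assumed to start the session; the page needs PHP 7 or later.

```php
<?php
// Added example, not the original poster's code: an admin "modify user" page that
// edits the user named in the request instead of the admin's own session user.
// Assumed (not shown on this page): core/init.php starts the session and defines
// admin_protect(), user_data($id, ...$fields), update_user($id, $data),
// output_errors($errors), loop_date(), loop_month(), loop_year(). Needs PHP 7+.
include 'core/init.php';
admin_protect();                                   // only admins reach this page

// 1. Which user is being edited? From the URL on the first visit
//    (admin_modify.php?user_id=48), from the hidden field once the form is posted.
$raw_id = $_POST['user_id'] ?? $_GET['user_id'] ?? '';
if (!ctype_digit((string) $raw_id) || (int) $raw_id < 1) {
    http_response_code(400);
    exit('No valid user id supplied.');
}
$target_id = (int) $raw_id;                        // validated; never $session_user_id

// 2. A CSRF token: a hidden id alone lets any page the admin visits POST a forged update.
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf_token'], (string) ($_POST['csrf_token'] ?? ''))) {
        $errors[] = 'Invalid form token; reload the page and try again.';
    }
    if (trim($_POST['first_name'] ?? '') === '') {
        $errors[] = 'First name is required.';
    }
    if (!in_array($_POST['gender'] ?? '', ['Male', 'Female'], true)) {
        $errors[] = 'Gender must be Male or Female.';
    }
    if (filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required.';
    }
    if ($errors === []) {
        $update_data = [
            'first_name'  => trim($_POST['first_name']),
            'last_name'   => trim($_POST['last_name'] ?? ''),
            'gender'      => $_POST['gender'],
            'email'       => $_POST['email'],
            'dob_day'     => (int) ($_POST['dob_day'] ?? 0),
            'dob_month'   => (int) ($_POST['dob_month'] ?? 0),
            'dob_year'    => (int) ($_POST['dob_year'] ?? 0),
            'allow_email' => isset($_POST['allow_email']) ? 1 : 0,  // unchecked box is absent
        ];
        update_user($target_id, $update_data);     // 3. the edited user, not the admin
        header('Location: admin_modify.php?user_id=' . $target_id . '&success');
        exit();
    }
}

// Output starts only after the redirect above could have been sent.
include 'includes/overall/header.php';
$user_data = user_data($target_id, 'first_name', 'last_name', 'gender', 'email',
                       'dob_day', 'dob_month', 'dob_year', 'allow_email');
$h = function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); };

if (isset($_GET['success'])) {
    echo 'Details for user ' . $target_id . ' have been updated! <br><br>';
    echo '<a href="admin.php">Back to Admin Page</a>';
} else {
    if ($errors !== []) {
        echo output_errors($errors);
    }
?>
<form action="" method="post">
    <input type="hidden" name="user_id" value="<?php echo $target_id; ?>">
    <input type="hidden" name="csrf_token" value="<?php echo $h($_SESSION['csrf_token']); ?>">
    <ul>
        <li>First Name*: <br> <input type="text" name="first_name" value="<?php echo $h($user_data['first_name']); ?>"></li>
        <li>Last Name: <br> <input type="text" name="last_name" value="<?php echo $h($user_data['last_name']); ?>"></li>
        <li>Gender*: <br>
            <select name="gender">
                <option <?php if ($user_data['gender'] === 'Male') echo 'selected'; ?>>Male</option>
                <option <?php if ($user_data['gender'] === 'Female') echo 'selected'; ?>>Female</option>
            </select>
        </li>
        <li>Email*: <br> <input type="text" name="email" value="<?php echo $h($user_data['email']); ?>"></li>
        <li>Date of Birth*: <br>
            <select name="dob_day"><option><?php echo $h($user_data['dob_day']); ?></option><?php loop_date(); ?></select>
            <select name="dob_month"><option><?php echo $h($user_data['dob_month']); ?></option><?php loop_month(); ?></select>
            <select name="dob_year"><option><?php echo $h($user_data['dob_year']); ?></option><?php loop_year(); ?></select>
        </li>
        <li><input type="checkbox" name="allow_email" <?php if ($user_data['allow_email'] == 1) echo 'checked'; ?>> Would you like to receive email from us?</li>
        <li><input type="submit" value="Update"></li>
    </ul>
</form>
<?php
}
include 'includes/overall/footer.php';
```

The hidden field is acceptable here only because `admin_protect()` already restricts the page to administrators, who are allowed to edit any account; on a page reachable by ordinary users the same field would let one user rewrite another's record. Note also that the id is validated before `user_data()` is called and the redirect is issued before any HTML is sent, so `header()` cannot fail with "headers already sent".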
-1

Take a hidden input field for the user id and use it, not the session, when you want to modify/delete the user from the admin account.

On the form:

<input type="hidden" name="user_id" value="<?php if (isset($user_data['id'])) { echo $user_data['id']; } ?>">

On backend php page:

if (isset($_REQUEST['user_id'])) {
    // modify/delete user
    $user_id = $_REQUEST['user_id'];
}
Needhi Agrawal
  • The `$_REQUEST` is vulnerable to attack; you should always use $_POST only for sensitive data, so that the attack won't occur. What if I use the URL to hit it instead of POSTing the form? It's game over. – Pratik Joshi Jan 29 '15 at 11:31
  • I firstly told you the answer as a comment (see above), then I elaborated it into an answer, not TT_TT. – Needhi Agrawal Jan 29 '15 at 11:42
  • What is TT ? `TT_TT.` ? – Pratik Joshi Jan 29 '15 at 11:50
  • @jQuery.PHP.Magento.com you are right, when using GET it is vulnerable to SQL injection. Can you help me use the POST method? – ggtaetiseo Jan 29 '15 at 11:56
  • @ggtaetiseo, read & use PDO (http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1), and never put $_POST into an SQL query as it is, without sanitization. – Pratik Joshi Jan 29 '15 at 12:01
  • @jQuery.PHP.Magento.com You think that attacks on POST won't occur? It's slightly more complicated than GET, but that's all. – Zaffy Jan 29 '15 at 12:23
  • @Zaffy , but we should take care from our end as much as possible. – Pratik Joshi Jan 29 '15 at 12:58
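The comments above argue about $_REQUEST versus $_POST and point to PDO for the SQL injection problem. Whether the id arrives via GET or POST, what actually stops injection is that it never reaches the query as text. The following `update_user()` and `delete_user()` are an added example, not code from either answer or from the asker's `core/init.php`: they use PDO prepared statements for every value, whitelist the column names (which cannot be bound as parameters), and refuse to delete the account of the currently logged-in admin, which is the account the question's original code was accidentally operating on. The table name `users`, the column `id`, the DSN and the credentials are placeholders assumed for the example.

```php
<?php
// Added example (not from the original answers or the asker's helpers): a PDO-backed
// update_user()/delete_user() in which neither the user id nor the posted values are
// ever concatenated into SQL. Table `users`, column `id`, DSN and credentials are
// assumed placeholders.
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
        ]);
    }
    return $pdo;
}

function update_user(int $user_id, array $update_data): int
{
    // Column names cannot be bound as parameters, so they are checked against a
    // whitelist instead of being taken from the array keys blindly.
    $allowed = ['first_name', 'last_name', 'gender', 'email',
                'dob_day', 'dob_month', 'dob_year', 'allow_email'];
    $set    = [];
    $params = [];
    foreach ($update_data as $column => $value) {
        if (!in_array($column, $allowed, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $set[]              = "`$column` = :$column";   // value goes in as a placeholder
        $params[":$column"] = $value;
    }
    if ($set === []) {
        return 0;                                       // nothing to update
    }
    $params[':id'] = $user_id;                          // the *edited* user's id, bound too
    $stmt = db()->prepare('UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `id` = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

function delete_user(int $user_id, int $session_user_id): int
{
    // The admin page in the question used the session id by mistake; an explicit
    // guard makes sure a delete can never target the admin who is logged in.
    if ($user_id === $session_user_id) {
        throw new LogicException('Refusing to delete the currently logged-in admin.');
    }
    $stmt = db()->prepare('DELETE FROM `users` WHERE `id` = :id');
    $stmt->execute([':id' => $user_id]);
    return $stmt->rowCount();
}

// Usage from the admin page, after the posted id has been validated as an integer:
//   update_user((int) $_POST['user_id'], $update_data);
//   delete_user((int) $_POST['user_id'], $session_user_id);
```

With emulated prepares disabled, MySQL receives the statement and the values separately, so a posted id such as `48 OR 1=1` cannot change the `WHERE` clause; the `(int)` cast at the call site additionally rejects it before the query is built. Reading the id from $_POST rather than $_REQUEST, as the comment thread recommends, is still worth doing, but it is the prepared statement, not the request method, that removes the injection.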