
I have built a WYSIWYG editor tool which allows me to create documents and push them to the front end of my website, which works great. However, when I am logged in I require it to take the user_id from my logged-in user and associate it with the doc they create.

I am using sessions:

<?
session_start();
session_regenerate_id();
if(!isset($_SESSION['user'])){
    header("Location: index.php");
    exit;
}
else{

 include ('../../db_con.php');

 $sql=$dbh->prepare("SELECT * FROM user_login WHERE id=?");

}
?>

I have a form which allows me to create the doc and updates the database as it should, but the one last column I need is for the form to post in the ID of the person who is currently logged in. Here are the form and the script that inserts it.

<?php include 'header.php'; ?>

<form action="actions/newDocAdd.php" method="post" id="rtf" name="">
    <input type="text" name="doc_title" id="doc_title" required="required" placeholder="Document Title"/><br />

    <button class="postEditBtn" type="button" onclick="ibold()" title="Bold Text"><i class="fa fa-bold"></i></button>
    <button class="postEditBtn" type="button" onclick="iitalic()" title="Italic Text"><i class="fa fa-italic"></i></button>
    <button class="postEditBtn" type="button" onclick="iunderline()" title="Underline Text"><i class="fa fa-underline"></i></button>
    <button class="postEditBtn" type="button" onclick="ifontName()" title="Font Family"><i class="fa fa-font"></i></button>
    <button class="postEditBtn" type="button" onclick="ifontsize()" title="Font Size"><i class="fa fa-text-height"></i></button>
    <button class="postEditBtn" type="button" onclick="ifontcolor()" title="Font Colour"><i class="fa fa-eraser"></i></button>
    <button class="postEditBtn" type="button" onclick="ihiliteColor()" title="Highlight Text"><i class="fa fa-magic"></i></button>
    <button class="postEditBtn" type="button" onclick="ilink()" title="Add/Edit Link"><i class="fa fa-link"></i></button>
    <button class="postEditBtn" type="button" onclick="iunlink()" title="Remove Link"><i class="fa fa-chain-broken"></i></button>
    <button class="postEditBtn" type="button" onclick="ijustifyLeft()" title="Text align-left"><i class="fa fa-align-left"></i></button>
    <button class="postEditBtn" type="button" onclick="ijustifyCenter()" title="Text align-center"><i class="fa fa-align-center"></i></button>
    <button class="postEditBtn" type="button" onclick="ijustifyRight()" title="Text align-right"><i class="fa fa-align-right"></i></button>
    <button class="postEditBtn" type="button" onClick="iUnorderedList()" title="Unordered List"><i class="fa fa-list-ul"></i></button>
    <button class="postEditBtn" type="button" onClick="iOrderedList()" title="Ordered List"><i class="fa fa-list-ol"></i></button>
    <button class="postEditBtnUndo" type="button" onClick="iUndo()" title="Undo last change"><i class="fa fa-rotate-left"></i></button>
    <button class="postEditBtnRedo" type="button" onClick="iRedo()" title="Redo last change"><i class="fa fa-rotate-right"></i></button>


    <br><br>

    <textarea name="doc_content" id="doc_content" placeholder="Document Content" style="display: none;"></textarea>
    <iframe name="editor" id="editor" style="width:100%; height: 600px;"></iframe>

    <br><br> 
    <input onclick="formsubmit()" type="submit" value="Create Document" name="submit"/>


</form>

And here is where the action takes place. As you can see, it includes the session on the SQL insert, but it just places a 0 value in the user_id column and does not take the user's id from the $_SESSION.

<?php

include_once '../../session.php';

if(isset($_POST["submit"])){
$hostname='#####';
$username='#####';
$password='#####';

try {

$dbh = new PDO("mysql:host=$hostname;dbname=#####",$username,$password);

$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // <== add this line

$sql = "INSERT INTO doc_list (doc_title, doc_content, doc_created, user_id) VALUES ('".$_POST["doc_title"]."','".$_POST["doc_content"]."', NOW(), '".$_SESSION['user']."' )";


if ($dbh->query($sql)) {
    header ('Location: ../docList.php');
}
else{
}

$dbh = null;
}
catch(PDOException $e)
{
echo $e->getMessage();
}

}
?>
PhpDude
  • Use `bindParam` instead of substituting variables into SQL strings. – Barmar May 11 '15 at 20:19
  • What do you see if you `echo $sql`? – Barmar May 11 '15 at 20:20
  • @Barmar do you have an example of how to adjust the above? – PhpDude May 11 '15 at 20:20
  • http://stackoverflow.com/questions/1946467/how-to-use-prepared-statements-in-this-query – Barmar May 11 '15 at 20:21
  • @Barmar this is what I see : INSERT INTO doc_list (doc_title, doc_content, doc_created, user_id) VALUES ('test','test', NOW(), '' ) – PhpDude May 11 '15 at 20:21
  • So the session variable isn't actually set or it's set to an empty string. Maybe there's a problem with the code that sets it. – Barmar May 11 '15 at 20:23
  • It is so strange. If I var_dump($_SESSION); on the form it prints out the user_id Array ( [user] => 8 ), but if I include the file on the page that actions the form by including the header file ../header.php it blanks the page and fails – PhpDude May 11 '15 at 20:26
  • Make sure you never do anything that produces output before calling `session_start()`. Check your PHP error log for a warning about "headers already sent". – Barmar May 11 '15 at 20:28
  • Right, so I am now getting the Id into the DB but with reporting on I am getting some issues with it redirecting it states the headers have already been set - I presume because I am now adding the session at the top and trying to header redirect it is failing. – PhpDude May 11 '15 at 20:36
  • Warning: Cannot modify header information - headers already sent by (output started at /Applications/MAMP/htdocs/dashboardr v3.1.5/admin/actions/newDocAdd.php:15) in /Applications/MAMP/htdocs/dashboardr v3.1.5/admin/actions/newDocAdd.php on line 34 – PhpDude May 11 '15 at 20:37
  • You can't produce any output before calling `header()` or `session_start()`. Move all the output-producing statements after them, or use the `ob_XXX` functions to buffer your output. – Barmar May 11 '15 at 20:37
  • I tried moving them all after the output but still getting the error? – PhpDude May 11 '15 at 20:38
  • Obviously you didn't move them properly, or you wouldn't still be getting the error. – Barmar May 11 '15 at 20:39
  • You have to move them to BEFORE the output. – Barmar May 11 '15 at 20:40
  • Can you show me from my code what you mean? – PhpDude May 11 '15 at 20:42
  • Which line is line 15? – Barmar May 11 '15 at 20:42
  • so it was because I had whitespace between a line...god damn – PhpDude May 11 '15 at 20:45
  • Yeah, that will do it. Blank lines are still output as far as PHP is concerned. – Barmar May 11 '15 at 20:46
  • Damn so rookie, just been staring at this for too long! Seriously, thank you for helping me I appreciate it. – PhpDude May 11 '15 at 20:48
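The two problems raised in the comments above, the session being unavailable because output was sent before `session_start()` and the INSERT being built by string concatenation, can be fixed together. The following is an added example of what `newDocAdd.php` could look like; it is not the asker's code or Barmar's, and it assumes the table and column names from the question, that the login script stores the numeric user id in `$_SESSION['user']`, and placeholder database credentials (`YOUR_DB`, `YOUR_USER`, `YOUR_PASSWORD`) that you replace with your own.

```php
<?php
// Added example (not the asker's code): newDocAdd.php with the session
// started before any output, the user id taken from $_SESSION, and the
// INSERT done with bound parameters instead of string concatenation.
// Assumed: $_SESSION['user'] holds the logged-in user's numeric id and the
// doc_list table has the columns named in the question.
session_start(); // nothing, not even a blank line, may be output before this

// Hypothetical credentials: replace with your own or include db_con.php.
$dsn      = 'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4';
$username = 'YOUR_USER';
$password = 'YOUR_PASSWORD';

// Insert one document for the given user and return the new row id.
function insertDocument(PDO $dbh, string $title, string $content, int $userId): int
{
    $sql = 'INSERT INTO doc_list (doc_title, doc_content, doc_created, user_id)
            VALUES (:title, :content, NOW(), :user_id)';
    $stmt = $dbh->prepare($sql);
    // Values are sent separately from the SQL text, so quotes or SQL
    // keywords inside the title or content are stored as data, not executed.
    $stmt->bindValue(':title',   $title,   PDO::PARAM_STR);
    $stmt->bindValue(':content', $content, PDO::PARAM_STR);
    $stmt->bindValue(':user_id', $userId,  PDO::PARAM_INT);
    $stmt->execute();
    return (int) $dbh->lastInsertId();
}

// Not logged in (or a non-numeric id in the session): send to the login page.
if (!isset($_SESSION['user']) || !ctype_digit((string) $_SESSION['user'])) {
    header('Location: ../../index.php');
    exit;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'])) {
    $title   = trim($_POST['doc_title'] ?? '');
    $content = $_POST['doc_content'] ?? '';

    if ($title === '') {
        http_response_code(400);
        exit('doc_title is required');
    }

    try {
        $dbh = new PDO($dsn, $username, $password, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
        ]);

        insertDocument($dbh, $title, $content, (int) $_SESSION['user']);

        // Still no output has been produced, so the redirect header is allowed.
        header('Location: ../docList.php');
        exit;
    } catch (PDOException $e) {
        // Log the driver message server-side rather than echoing it to the
        // browser, which would expose table and host details.
        error_log('newDocAdd failed: ' . $e->getMessage());
        http_response_code(500);
        exit('Could not save the document.');
    }
}
```

The file deliberately has no closing `?>` tag: anything after it, including a single trailing newline, is sent to the browser and is exactly the kind of stray output that triggers the "headers already sent" warning quoted above. Keep the same rule for `session.php` and `header.php`, and check the user's id is present in the session before touching the database rather than relying on an empty string being cast to 0.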

0 Answers