
I have an online courses CRUD application. It has, among other pages, an instructor BIO page.

First, the instructors are added, in a users table, with basic data: first_name, last_name, and email; then a BIO can be added, optionally, for any instructor. There is a second database table, called "bios", to serve this purpose.

I need to pass $user_id into the courses table (as a foreign key), and for that purpose I use $_GET:

<?php 
    $user_id = $_GET['id'];
    if(isset($_POST['submit-btn'])) {
        $no_courses = $_POST['no_courses'];
        $years_exp = $_POST['years_exp'];
        $fav_lang = $_POST['fav_lang'];
        $courses = $_POST['courses'];

        $sql = "INSERT INTO courses (user_id, no_courses, years_exp, fav_lang, courses) VALUES ('$user_id', '$no_courses', '$years_exp', '$fav_lang', '$courses')";

        if (mysqli_query($con, $sql)) {
            echo("<p>Instructor bio was added.</p>");
        } else {
            echo "Error: " . mysqli_error($con);
        }
    }
?>

<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" id="add_bio">
        ...
</form>

Using $_GET seems convenient because in a table with a lot of rows, containing instructors, in the rightmost cell/column, I have a set of link buttons for CRUD operations, "Add bio" being one of those buttons.

<a title="Add bio" href="add_bio.php?id=<?php echo $arr['id']?>"><span class="glyphicon glyphicon-plus-sign"></span></a>

But instead of passing the $user_id variable so that the bio can be added, the server throws these errors:

Notice: Undefined index: id in E:\xampp\htdocs\courses\add_bio.php on line 7 Error: Cannot add or update a child row: a foreign key constraint fails

How can I pass the user's id if I want to keep the CRUD links mentioned above?

Thank you!

Razvan Zamfir
  • Well, is id in the URL or not? Is that code `add_bio.php`? Because line 7 has nothing to do with the user's id –  Jan 25 '17 at 21:17
  • Yes, it is: add_bio.php?id=5. That's before submitting the form. – Razvan Zamfir Jan 25 '17 at 21:18
  • It appears you're trying to `INSERT` instead of `UPDATE`... Also note that your application is extremely open to [SQL injection](http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work) – Scopey Jan 25 '17 at 21:19
  • Why is it open to SQL injection? How can I fix that? Thank you! – Razvan Zamfir Jan 25 '17 at 21:20
  • The bios do not exist just by adding an instructor. Sure I am trying to INSERT instead of UPDATE. There is nothing to update. – Razvan Zamfir Jan 25 '17 at 21:22
  • Hello, can anyone help me understand why I am -15 points on this question, and why I have a notice about "User has been removed"? I can't figure out why this question penalized me. Thanks! – Danoweb Jan 30 '17 at 19:25

2 Answers


You may have some issues with the content being submitted.

A great troubleshooting approach would be to: print_r($_GET); or print_r($_POST);

Another option is to also: echo print_r($_GET, true); The second argument (true) tells the print_r function to return the result as a string instead of outputting it to the browser.

Review that output and verify you are actually getting an "ID" value in your GET and POST variables.

Also, some security concerns: any data you take in from GET, POST, REQUEST or COOKIE should be "cleaned"; you can look at mysqli_real_escape_string.

Additionally, never use PHP_SELF. In almost all cases, it can be manipulated to execute a Cross Site Scripting attack, and that is bad news. If you want to submit the form to the current script, you can leave the "action" attribute as an empty string: action=""

Hope this helps!!!

Danoweb

The form was missing this line, right above the submit button:

<!-- echo was missing in the original line, so the field would have been empty; the value is also HTML-escaped before being written into the attribute -->
<input type="hidden" name="id" value="<?php echo htmlspecialchars($user_id, ENT_QUOTES, 'UTF-8'); ?>">
Razvan Zamfir
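The root cause behind both answers is that $_SERVER['PHP_SELF'] is the script path without its query string, so the form posts back to add_bio.php without ?id=5; on that second request $_GET['id'] is undefined and the INSERT runs with an empty user_id, which the foreign key rejects. The hidden field from the accepted answer carries the id across the POST. The example below, added here and not taken from the question or either answer, puts the hidden-field fix together with the two security points raised in the comments and in Danoweb's answer: a prepared statement instead of string-built SQL, HTML escaping of anything echoed back, and action="" instead of PHP_SELF. It assumes the users/courses table and column names from the question and an existing mysqli connection in $con; the helper names resolve_user_id, h and insert_bio are this example's own.

```php
<?php
// Added example: a hardened add_bio.php. Assumes the table/column names from
// the question and an existing mysqli connection in $con (e.g. from config.php).
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
// require 'config.php'; // assumed to create $con as a mysqli instance

/**
 * Take the instructor id from the query string on first load (add_bio.php?id=5)
 * and from the hidden field on submit, since PHP_SELF drops the query string.
 * Returns null unless the value is a positive integer.
 */
function resolve_user_id(array $get, array $post): ?int
{
    $raw = $post['id'] ?? $get['id'] ?? null;
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** HTML-escape anything echoed into the page so a crafted value cannot become markup. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Insert the bio with a prepared statement: bound values are sent separately
 * from the SQL text and are never parsed as SQL. Throws mysqli_sql_exception on
 * failure, including a foreign key violation when $user_id is not in users.
 */
function insert_bio(mysqli $con, int $user_id, int $no_courses, int $years_exp,
                    string $fav_lang, string $courses): void
{
    $stmt = $con->prepare(
        'INSERT INTO courses (user_id, no_courses, years_exp, fav_lang, courses)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('iiiss', $user_id, $no_courses, $years_exp, $fav_lang, $courses);
    $stmt->execute();
    $stmt->close();
}

$user_id = resolve_user_id($_GET, $_POST);
if ($user_id === null) {
    http_response_code(400);
    exit('<p>Missing or invalid instructor id.</p>');
}

if (isset($_POST['submit-btn'])) {
    $no_courses = filter_input(INPUT_POST, 'no_courses', FILTER_VALIDATE_INT);
    $years_exp  = filter_input(INPUT_POST, 'years_exp', FILTER_VALIDATE_INT);
    $fav_lang   = trim((string) ($_POST['fav_lang'] ?? ''));
    $courses    = trim((string) ($_POST['courses'] ?? ''));

    // filter_input returns null when the field is absent and false when it is not an int.
    if (!is_int($no_courses) || !is_int($years_exp) || $fav_lang === '' || $courses === '') {
        echo '<p>Please fill in every field with valid values.</p>';
    } else {
        try {
            insert_bio($con, $user_id, $no_courses, $years_exp, $fav_lang, $courses);
            echo '<p>Instructor bio was added.</p>';
        } catch (mysqli_sql_exception $e) {
            // Keep driver error text in the server log; do not echo mysqli_error() to the visitor.
            error_log('add_bio insert failed: ' . $e->getMessage());
            echo '<p>Could not save the bio. Check that the instructor exists.</p>';
        }
    }
}
?>
<!-- action="" posts back to this script without reflecting the request path into the page -->
<form method="post" action="" id="add_bio">
    <input type="hidden" name="id" value="<?= h((string) $user_id) ?>">
    ...
    <button type="submit" name="submit-btn">Add bio</button>
</form>
```

With this layout the "Add bio" links in the instructor table stay exactly as they are (add_bio.php?id=...), the id is validated before it reaches the database, and a non-existent instructor surfaces as a caught foreign key error rather than a raw mysqli_error() string in the response.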