
I've created 3 pages in PHP:

1) admin_details.php 2) edit_admin_details.php 3) edit_admin_details_process.php

The admin_details.php page selects all the admins' data, the edit_admin_details.php page selects one admin's details for editing/updating using $admin_id = $_GET['id'] passed from the admin_details.php page, and edit_admin_details_process.php updates the data. Now my problem is that I want some PHP form validation for edit_admin_details.php, so I searched the internet and found the solution of using session variables with header(): $_SESSION['data'] = $_POST, which will obviously create a two-dimensional array of all the form's variables, like $_SESSION['data']['admin_id'] etc., or else putting edit_admin_details_process on the same page. I used the session variables to validate it, but when I click the update button after changing some data in the input fields, the page's action=edit_admin_details.php to check for validation, so I get an undefined index error for $_GET['id']. I tried for 5 hours to find a solution but in vain. Please help me get out of this problem. I am doing my final year project. The code is written below.

1). admin_details.php

<?php
session_start();
if(isset($_SESSION['admin_username'])){
    include("../include/connection.php");
    $query = "SELECT * FROM `admins`";
    $result = mysqli_query($conn,$query);
}else{
    header("Location: login.php");
    exit; // header() only sets a response header; without exit the rest of the page still executes and renders
}
?>
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Admin Details</title>
</head>

<body>
    <table border="1" align="center">
        <thead>
            <th>Admin Id</th>
            <th>First Name</th>
            <th>Last Name</th>
            <th>Email</th>
            <th>Phone</th>
            <th>Delete</th>
            <th>Edit Details</th>
        </thead>
        <?php
            // htmlspecialchars() on every stored value so a name/email containing HTML cannot run in the admin's browser
            while($row=mysqli_fetch_assoc($result)){
                $id = $row['ADMIN_ID'];
                echo("<tr>");
                echo("<td>".htmlspecialchars($id)."</td>");
                echo("<td>".htmlspecialchars($row['FIRST_NAME'])."</td>");
                echo("<td>".htmlspecialchars($row['LAST_NAME'])."</td>");
                echo("<td>".htmlspecialchars($row['EMAIL'])."</td>");
                echo("<td>".htmlspecialchars($row['PHONE'])."</td>");
                echo("<td><a href='delete_admins.php?id=".urlencode($id)."'>Delete</a></td>");
                echo("<td><a href='edit_admin_details.php?id=".urlencode($id)."'>Edit</a></td>");
                echo("</tr>");
            }
        ?>
    </table>
</body>
</html>

2). edit_admin_details.php

<?php
session_start();
if(isset($_SESSION['admin_username'])){
    include("../include/connection.php");
    include("../include/functions.php");
    if(!isset($_GET['id'])){
        header("Location: index.php");
        exit; // without exit the script keeps running and $_GET['id'] below raises "undefined index"
    }
    $admin_id = mysqli_real_escape_string($conn,$_GET['id']);
    $querySelect = "SELECT * FROM `admins` WHERE ADMIN_ID='$admin_id'";
    $resultSelect = mysqli_query($conn,$querySelect) or die("unable to query ".mysqli_error($conn));
    $row = mysqli_fetch_assoc($resultSelect);
    if($row === null){ // no admin with that id
        header("Location: admin_details.php");
        exit;
    }
}else{
    header("Location: login.php");
    exit;
}
?>

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Edit Admin Details</title>
</head>

<body>
    <form action="edit_admin_details_process.php" method="post">
        <!-- htmlspecialchars() so a stored value cannot break out of the value="" attribute -->
        Admin Id :
        <input type="text" name="admin_id" id="admin_id" value="<?php echo htmlspecialchars($row['ADMIN_ID']); ?>"><br>
        Admin First Name:
        <input type="text" name="first_name" id="first_name" value="<?php echo htmlspecialchars($row['FIRST_NAME']); ?>"><br>
        Admin Last Name:
        <input type="text" name="last_name" id="last_name" value="<?php echo htmlspecialchars($row['LAST_NAME']); ?>"><br>
        Admin Email:
        <input type="email" name="email" id="email" value="<?php echo htmlspecialchars($row['EMAIL']); ?>"><br>
        Mobile Number:
        <input type="number" name="mobile_number" id="mobile_number" value="<?php echo htmlspecialchars($row['PHONE']); ?>"><br>

        <button type="submit" name="submit" id="submit">UPDATE</button>

    </form>
</body>
</html>

3). edit_admin_details_process.php

<?php
session_start();
if(isset($_SESSION['admin_username'])){
    include("../include/connection.php");
    if(!isset($_POST['admin_id'])){
        header("Location: index.php");
        exit; // stop here, or $_POST['admin_id'] below is an undefined index
    }
    $admin_id = mysqli_real_escape_string($conn,$_POST['admin_id']);
    if(isset($_POST['submit'])){
        // every value that is concatenated into the query must be escaped, not only the id
        $first_name = mysqli_real_escape_string($conn,strtolower(trim($_POST['first_name'])));
        $last_name = mysqli_real_escape_string($conn,strtolower(trim($_POST['last_name'])));
        $email = mysqli_real_escape_string($conn,strtolower(trim($_POST['email'])));
        $mobile_number = mysqli_real_escape_string($conn,$_POST['mobile_number']);
        $queryUpdate = "UPDATE `admins` SET `FIRST_NAME`='$first_name',`LAST_NAME`='$last_name',`EMAIL`='$email',`PHONE`='$mobile_number' WHERE ADMIN_ID='$admin_id'";
        $resultUpdate = mysqli_query($conn,$queryUpdate);
        if($resultUpdate){
            header("Location: admin_details.php");
            exit;
        }
    }
}else{
    header("Location: login.php");
    exit;
}
?>

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>

<body>
</body>
</html>
Shaida Muhammad
  • Which page is viewed first? Is it set up to go to admin_details.php? – Jonny Nov 30 '17 at 13:51
  • Don't rely on the `real_escape_string()` functions to prevent SQL injection, [they alone are not sufficient](https://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string). You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 30 '17 at 15:12

2 Answers


You're using $admin_id, which is undefined.

The flow is:

  • admin_details.php SENDS id OVER GET to the edit_admin_details.php
  • edit_admin_details.php GRABS id OVER GET
  • edit_admin_details.php SENDS id OVER POST to edit_admin_details_process.php
  • edit_admin_details_process.php SENDS NOTHING to edit_admin_details.php

(as you said, because the code shows something different). Even if edit_admin_details_process.php sent something over POST, you would need to send it over GET for edit_admin_details.php to be able to grab it.

You should change this:

if($resultUpdate){
  header("Location: search_admin.php");
}

For something like:

if($resultUpdate){
  header("Location: edit_admin_details.php?id=".$admin_id);
  exit; // stop the script after redirecting
}

Besides, you need to sanitize everything first, and don't show or allow editing of the ID; otherwise they could just overwrite another user.

LordNeo
    Yes, $_GET['id'] is giving me the undefined index error, and I cannot understand what you mean by "you need to sanitize everything first and don't show and allow to edit the ID". In my pages, every admin can edit/update the data of every admin. I am new to programming. Also, sorry for the bad English. – Shaida Muhammad Nov 30 '17 at 14:14
  • In admin_details.php you're sending `id=X` to edit_admin_details.php. In edit_admin_details.php you're trying to grab the id from GET and pass it to edit_admin_details_process.php over POST, then you try to go to edit_admin_details.php (as you said, because the code shows something different), which will try to grab the admin_id from GET (it's not going to try to get it from POST, and you're not passing it either). – LordNeo Nov 30 '17 at 14:19
  • @ShaidaMuhammad edited my answer, i hope it's clearer now – LordNeo Nov 30 '17 at 14:25
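The flow LordNeo describes (keep the id on the URL so the edit page can always read $_GET['id']), together with the server-side validation the question asks for, written out as one self-posting page. This is an added example, not the original poster's code or either answer's: it uses PDO instead of mysqli so the same functions can be exercised with `php edit_admin_details.php` against an in-memory SQLite table, and the MySQL DSN and credentials, the `admins` column names from the question, and the validation rules (name length, phone digit count) are all assumptions.

```php
<?php
// Added example, not the original poster's code. One self-posting page,
// edit_admin_details.php?id=N, that keeps the id in the action URL, validates
// server-side, re-shows the form with errors, and updates via a prepared
// statement. PDO is used instead of mysqli so the same functions can run
// stand-alone against in-memory SQLite (CLI self-test below); the MySQL DSN,
// credentials and the `admins` column names are assumptions.
declare(strict_types=1);

function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Redirect and STOP. header() alone does not end the script, which is why the
// question's pages keep running (and reach $_GET['id']) after redirecting.
function redirect(string $to): void { header('Location: ' . $to); exit; }

// Returns [errors, cleaned values]; errors are keyed by field name.
function validate_admin(array $input): array
{
    $raw = fn(string $k): string => is_string($input[$k] ?? null) ? $input[$k] : '';
    $errors = []; $clean = [];
    foreach (['first_name', 'last_name'] as $f) {
        $clean[$f] = strtolower(trim($raw($f)));
        if ($clean[$f] === '' || strlen($clean[$f]) > 50) { $errors[$f] = 'Required, at most 50 characters.'; }
    }
    $clean['email'] = strtolower(trim($raw('email')));
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) { $errors['email'] = 'Enter a valid email address.'; }
    $clean['mobile_number'] = trim($raw('mobile_number'));
    if (!preg_match('/^\+?[0-9]{7,15}$/', $clean['mobile_number'])) { $errors['mobile_number'] = 'Enter 7 to 15 digits.'; }
    return [$errors, $clean];
}

function load_admin(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM admins WHERE ADMIN_ID = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Bound parameters: the values never become part of the SQL text, so no escaping is needed.
function update_admin(PDO $db, int $id, array $c): bool
{
    $stmt = $db->prepare('UPDATE admins SET FIRST_NAME = :fn, LAST_NAME = :ln, EMAIL = :em, PHONE = :ph WHERE ADMIN_ID = :id');
    $stmt->execute([':fn' => $c['first_name'], ':ln' => $c['last_name'], ':em' => $c['email'], ':ph' => $c['mobile_number'], ':id' => $id]);
    return $stmt->rowCount() === 1;
}

if (PHP_SAPI === 'cli') {   // stand-alone self-test on constructed data
    $check = function (bool $ok, string $what): void { if (!$ok) { fwrite(STDERR, "FAIL: $what\n"); exit(1); } };
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE admins (ADMIN_ID INTEGER PRIMARY KEY, FIRST_NAME TEXT, LAST_NAME TEXT, EMAIL TEXT, PHONE TEXT)');
    $db->exec("INSERT INTO admins VALUES (7, 'ali', 'khan', 'ali@example.com', '03001234567')");
    [$e] = validate_admin(['first_name' => '', 'email' => 'nope', 'mobile_number' => ['x']]);
    $check(array_keys($e) === ['first_name', 'last_name', 'email', 'mobile_number'], 'bad input is rejected');
    [$e, $c] = validate_admin(['first_name' => ' Sara ', 'last_name' => "Kh'an", 'email' => 'Sara@Example.com', 'mobile_number' => '+923001234567']);
    $check($e === [] && update_admin($db, 7, $c), 'good input is saved');
    $check(load_admin($db, 7)['LAST_NAME'] === "kh'an", 'a quote survives the bound parameter intact');
    echo "self-test passed\n";
    exit;
}

// ---- web request path ----
session_start();
if (!isset($_SESSION['admin_username'])) { redirect('login.php'); }
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) { redirect('admin_details.php'); }   // missing or non-numeric id
$db = new PDO('mysql:host=localhost;dbname=project;charset=utf8mb4', 'dbuser', 'dbpass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);           // assumed credentials
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $c] = validate_admin($_POST);
    if ($errors === [] && update_admin($db, $id, $c)) { redirect('admin_details.php'); }
    // validation failed: re-show what the user typed; the id is still in the URL
    $row = ['FIRST_NAME' => $c['first_name'], 'LAST_NAME' => $c['last_name'], 'EMAIL' => $c['email'], 'PHONE' => $c['mobile_number']];
} else {
    $row = load_admin($db, $id);
    if ($row === null) { redirect('admin_details.php'); }
}
$fields = ['first_name' => 'FIRST_NAME', 'last_name' => 'LAST_NAME', 'email' => 'EMAIL', 'mobile_number' => 'PHONE'];
?>
<form action="edit_admin_details.php?id=<?= $id ?>" method="post">
  Admin Id: <?= $id ?><br>   <!-- displayed, not editable: the id comes from the URL only -->
  <?php foreach ($fields as $name => $col): ?>
    <?= h($name) ?>: <input type="text" name="<?= $name ?>" value="<?= h((string) $row[$col]) ?>">
    <?php if (isset($errors[$name])): ?><b><?= h($errors[$name]) ?></b><?php endif; ?><br>
  <?php endforeach; ?>
  <button type="submit" name="submit">UPDATE</button>
</form>
```

Because the form posts back to the same URL, a failed validation never loses the id, and because the id is read only from the query string (validated as an integer), there is no editable admin_id field for a user to change to another admin's id. Running the file from the command line executes only the self-test; under a web server the CLI branch is skipped.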

You must first set the session variables from your SQL query.

$_SESSION['admin_username'] = $result1;
$_SESSION['Result2'] = $result2;  // set the session values from your query results
Jonny
  • $_SESSION['admin_username'] is already set by the login.php page. – Shaida Muhammad Nov 30 '17 at 14:11
  • On this page, every admin can edit/update the data of any other admin. – Shaida Muhammad Nov 30 '17 at 14:11
  • Is your login form method POST or GET on your login.php? Make sure that if your form method is GET the PHP checks for GET, or if it is POST do the same. Another thing: try to echo the session on each page to see if it is passing from page to page. – Jonny Nov 30 '17 at 14:45