This is my first ever question on Stack Overflow, so I hope I explain it well. I am fairly new to PHP/JS/HTML and I have run into a problem. I query my database using a session variable and it returns all the results that are associated with the logged-in user. Below is the PHP code I used to get the results.

<?php

session_start();

include('conn.php');

// Send visitors who are not logged in to the login page; exit so the rest of
// the script does not keep running after the redirect header is sent
if(!isset($_SESSION['40219357_user'])){
    header('Location:index.php');
    exit();
}

$username = $_SESSION['40219357_user'];
$userid = $_SESSION['40219357_id'];

// The session value is interpolated straight into the SQL string here
// (this is the query the accepted approach below replaces with a prepared statement)
$read = "SELECT * FROM medi_users WHERE dr_id = '$userid'";
$result = $conn->query($read);

?>

The result of this query is displayed in a table on my website. When the logged in user of the website clicks on a person's record it should show all the information relating to that specific person.

Since asking my original question I have found a simple solution to my problem by passing the user id as a hidden value in a button. The code for this is below.

<tbody>
    <?php

        // One <tr> per patient row; <tbody> is opened once above the loop and
        // closed once below it, rather than being re-opened on every iteration
        while($row = $result->fetch_assoc()){
            $rowid = $row['id'];
            $firstname = $row['firstname'];
            $surname = $row['surname'];
            $dob = $row['dob'];
            $address = $row['address'];
            $town = $row['town'];
            $postcode = $row['postcode'];

            // The View link carries the row id as a query-string parameter
            echo "
                <tr>
                    <td>$firstname</td>
                    <td>$surname</td>
                    <td>$dob</td>
                    <td>$address</td>
                    <td>$town</td>
                    <td>$postcode</td>
                    <td><a class='btn btn-danger' href='patientsmedication.php?editid=$rowid'>View</a></td>
                </tr>
            ";

        }
    ?>
</tbody>
    </table>
    </div>
</div>

I fully understand that this is not a very secure way of doing this and I would be open to suggestions as to how to do this correctly, as I am keen to learn.

kmcs87
  • Hi @kmcs87, welcome to SO. This is a bit of a vague question and could do with some more code. There are different ways to pass information around in PHP depending on your goal. Can you add in some more code so we can see what you have tried to do to pass the data, and what your output looks like from your initial query (e.g. are you building a form, a table with buttons, a list of links, etc.)? Also, since you are new, you should start out on the right foot and do some reading about prepared statements and PDO, as this will secure your code against injection. – imposterSyndrome May 16 '19 at 14:21
  • Also try this, it might give you some ideas: https://stackoverflow.com/questions/871858/php-pass-variable-to-next-page – not that you should look at the post and get answers. – imposterSyndrome May 16 '19 at 14:23
  • I don't understand your problem; could you try to explain a little bit better, please? – LukeDS May 16 '19 at 14:26
  • @jameson2012 thank you for the quick response, I can't believe how quick people are to help. Thanks for the suggestion regarding PDO, as it is something that I was just made aware of yesterday and I hope to pick up quickly as I am also learning Java. I have since edited my question so I hope this gives some more clarity on exactly what I hope to achieve. – kmcs87 May 16 '19 at 15:31
  • @LukeDS Thanks for your response, it is greatly appreciated. I have since edited my question so I hope this gives some more clarity on exactly what I hope to achieve. – kmcs87 May 16 '19 at 15:31
  • @Kmcs87 passing the user's ID is not a security issue; in order to link a button to a user you need to pass a unique id. – LukeDS May 16 '19 at 15:41

1 Answer

<?php

session_start();
//I think you are already using PDO/Mysqli prepared statements
//in this file since you call $conn->query below
include('conn.php');

    if(!isset($_SESSION['40219357_user'])){
        header('Location:index.php');
        exit(); //stop here, otherwise the rest of the script still runs after the redirect header
    }
    //
    $username = $_SESSION['40219357_user'];
    $userid = $_SESSION['40219357_id'];


    //so to make this secure use place markers and bind your params
    //$read = "SELECT * FROM medi_users WHERE dr_id = '$userid'";
    //becomes:
    $read = "SELECT * FROM medi_users WHERE dr_id = :userId";
    $q = $conn->prepare($read);
    //bind the $userid variable set above (PHP variable names are case-sensitive)
    $q->bindParam(":userId", $userid, PDO::PARAM_INT);
    $q->execute();

    //now you can fetch your result set and store it in a variable
    $results = $q->fetchAll(PDO::FETCH_ASSOC);
?>

Then you can loop through the results with a foreach:

 echo "<table>
          <tr>
             <th>First name</th><th>Surname</th><th>DOB</th><th>Address</th><th>Town</th><th>Postcode</th><th></th>
          </tr>";

  foreach($results as $row) {
        $rowid = $row['id'];
        //I'm not sure if this is the right id,
        //you would need to confirm, I would think you want to have a user id, but obviously don't know the structure
        //of your database - if this is the user (patient?)
        //id then it's fine
        //escape the database values before echoing them into HTML so stored text cannot inject markup
        $firstname = htmlspecialchars($row['firstname']);
        $surname = htmlspecialchars($row['surname']);
        $dob = htmlspecialchars($row['dob']);
        $address = htmlspecialchars($row['address']);
        $town = htmlspecialchars($row['town']);
        $postcode = htmlspecialchars($row['postcode']);

       //the link carries patientId - or whatever the relevant id is
       echo "<tr>
                    <td>$firstname</td>
                    <td>$surname</td>
                    <td>$dob</td>
                    <td>$address</td>
                    <td>$town</td>
                    <td>$postcode</td>
                    <td><a class='btn btn-danger' href='patientsmedication.php?patientId=$rowid'>View</a></td>
                </tr>";
    }
    echo "</table>";

I'm sure there are mixed feelings about passing an id in the URL. Personally I am not a big fan, but we do it where I work for read-only situations; if you have enough other checks in place then the id on its own isn't really very useful to anyone.

Now in patientsmedication.php you can get the patient's id using $_GET['patientId']:

<?php
session_start();
include('conn.php');

if(!can_view_patient_details()) {
   header('Location:error_page.php');
   exit();
} else {
   //isset() only returns true/false, so isset(...) ?? 0 would never give you the id;
   //coalesce the value itself and cast it to int, since the query binds an integer
   $patientId = (int)($_GET['patientId'] ?? 0);
   //if you aren't using php7 you won't have the null coalescing operator so use a ternary style like $var = cond ? A : B

   //now do your query

   $q = "SELECT * FROM yourtable WHERE patientId = :patientId";
   $q = $conn->prepare($q);
   $q->bindParam(":patientId", $patientId, PDO::PARAM_INT);
   $q->execute();

   //now you can fetch your result set and store it in a variable
   $results = $q->fetchAll(PDO::FETCH_ASSOC);

}

function can_view_patient_details() {
    //this should return true or false
    //you would need to design your own permissions checks,
    //given the nature of your project I would think you would
    //do a database call to confirm the user has the right access
    //to the patient, but you may just check that the correct
    //sessions are set, you'd have to decide what is most appropriate
    //placeholder: the minimal "correct sessions are set" check mentioned above
    return isset($_SESSION['40219357_user'], $_SESSION['40219357_id']);
}


?>

Then with your result you can create the page as you see fit. If you are going to use this page to update details, I would suggest a form, because you can use the $_POST method, which doesn't show the information in the URL. Then I would suggest it goes through a controller to do all the correct checks for permissions, data types, etc.

If you haven't got into MVC patterns (which is likely if you are just starting out), then at least direct your form to a separate script, and then return to this page with some feedback, either by a flag in the URL or by setting a session message and echoing it out.

A couple of things worth noting: I assume you are using PDO, not Mysqli prepared statements. They are both fine, but the syntax is slightly different and my answer only uses PDO. Also, in PDO you no longer need to use semi colons on your place markers (:userId == userId), but I personally prefer it for readability when writing SQL. Also, your session names look like they have the user id in the name (it might be an internal code that means something, though), but if it is the id, it's not very scalable to set it up this way. It's simpler to just have a session called 'user' and give it the value of the id; otherwise how would you know the name of the session without looking up the user, which would defeat the object.

Hopefully this will point you in the right direction. I recommend reading up on PDO and MVC patterns.

imposterSyndrome