0

I'm trying to make a to-do-list that's user specific, meaning it shows your unique tasks depending on your user ID. The application works, but it doesn't assign the task to the current user when submitting. When I submit a task, the to-do-list stays empty, but when I check the database the task is submitted.

The problem here is that the user ID stays 0 when submitting the task, so it doesn't show it in 'my tasks' because the id isn't the same as the user who views it. My user ID is 2, the task should assign the task to user ID 2 when submitting or any other ID depending on the submitting user.

(I'm fairly new to coding, so my code might not be as clean as it can be)

--

<?php 
    $errors = "";

    $db = mysqli_connect("localhost", "root", "", "certanet");

    if (isset($_POST['submit'])) {
        if (empty($_POST['task'])) {
            $errors = "";
        }else{
            $task = $_POST['task'];
            $sql = "INSERT INTO tasks (task) VALUES ('$task')";
            mysqli_query($db, $sql);
            header('location: dashboard.php');
        }
  } 
  
  if (isset($_GET['del_task'])) {
    $id = $_GET['del_task'];
  
    mysqli_query($db, "DELETE FROM tasks WHERE id=".$id);
    header('location: dashboard.php');
  }

  ?>

-- the application itself:

    <form method="post" action="dashboard.php" class="input_form">
<?php if (isset($errors)) { ?>
    <p><?php echo $errors; ?></p>
<?php } ?>
        <input type="text" name="task" class="task_input">
        <button type="submit" name="submit">Toevoegen</button>
    </form>
  <table>

    <tbody id="todo">
        <?php 
        $tasks = mysqli_query($db, "SELECT * FROM tasks WHERE idUsers = '".$_SESSION["userId"]."' ORDER BY id DESC");

        $i = 1; while ($row = mysqli_fetch_array($tasks)) { ?>
            <tr>
                <td> <?php echo $i; ?> </td>
                <td class="task"> <?php echo $row['task']; ?> </td>
                <td class="delete"> 
                    <a href="dashboard.php?del_task=<?php echo $row['id'] ?>">x</a> 
                </td>
            </tr>
        <?php $i++; } ?>    
    </tbody>
</table>
HeliosD
  • 23
  • 3
  • When you insert the task, you aren't storing the user id. You should have a hidden field containing the current user id so it is submitted when the user clicks the submit button. **More importantly**, you should use parameterized statements when you execute your SQL statements to prevent SQL injection. Checkout the PDO object and functions in the PHP manual. – Sloan Thrasher Aug 17 '20 at 00:48
  • 1
    Do NOT rely on hidden form fields like Sloan is suggesting. That's ridiculously easy to manipulate. You have the ID in the session. Use that instead. – rjdown Aug 17 '20 at 01:33
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 17 '20 at 09:35
  • Thank you all for your concern and input. I will definitely use prepared statements by changing the code. Also thank you @SloanThrasher for your answer on my question! I'm not that experienced yet so I will try to do that. – HeliosD Aug 17 '20 at 09:51

0 Answers0