While I refresh my browser the entries of the registration form goes into the Database every time i press REFRESH, Professor told me to resolve this problem with the help of LAST_INSERT_ID().
I am able to get the last_insert_id from the database but doesn't know what would I do further with that ID.
Please help..
enter image description here
The recommended way is to use the Post/Redirect/Get pattern.
There are other ways to achieve what you desire here.
I am not sure what your professor is asking to do with the last insert id. Maybe he is referring to something like this,
if(isset($_SESSION['last_insert_id'])){ // At the beggining
//redirect to a another location
}
// Code for insertion goes here
$_SESSION['last_insert_id'] = $last_insert_id; // Get and store the insertion id as a session
I think you are using the same page to Save the Data, If it is So, then follow the following method :
<?php
if(isset($_POST[userName]))
{
// Put your Registration Operation Code Here
header('Location: ./Registrationform.php');
}
?>
After DataBase Insertion it redirects to the same page. Now Refresh is made with the GET Method not by the POST Method. So, you can eliminate the duplicate entries by this way.
As per your requirement I used the Last Inserted ID for the Validation before Inserting Records in the Database.
<?php
session_start();
if(isset($_POST[userID]))
{
$flag = false;
if(isset($_SESSION['last_insert_id']))
{
if($_SESSION['last_insert_id'] == $_POST[userID])
{
$flag = false;
header('Location: ./Registrationform.php');
}
else
{
$flag = true;
$_SESSION['last_insert_id'] = $_POST[userID];
}
}
if($flag == true)
{
// Put your Registration Operation Code Here
}
}
?>
Related
I have two MySQL tables. The first one is for the user's credentials i.e. username, password, business_id (system generated). The second one has the user's profile for multiple entities e.g. business name, location, profile_id and business id (system genrated - the same number for the business_id).
The user can edit the details of their business details i.e. their details in the second table. The business id would be say 'abcdef' and profile id would be say 1234567, if they have a second business profile it would be say 1235879.
In order to edit each profile I would have to have the following URL
Edit Business Profile
For the second one it would be
Edit Business Profile
In turn when the a href is clicked the url in the browser would be edit_profile.php?id=1234567 and for the second one would be edit_profile.php?id=1235879
Would it be possible that instead of having edit_profile.php?id=1234567 and edit_profile.php?id=1235879 in the URL I would have edit_profile.php?id=1234567 and for the second one would be edit_profile.php
I don't want the User to see the id i.e. have only edit_profile.php
Ideally, I would like to use a PHP solution, please.
Yes, it is possible, but not exactly what are you trying to do
Solution #1
Intoduction
First of all, it should work only on users who are currently logged in and are trying to see their profile. The final results to reach is to not display ID in URL if ID is equal to current logged user's ID. It is more common than Solution #2 but if you want to hide all IDs, skip this solution.
Pluses:
There is not too much to change, just add a few more lines for checking current user ID
You can still use <a></a> tags for Edit Business Profile links.
Minuses:
Only current logged user's ID will be hidden in the URL
So what to do...
You probably use sessions to let users remain logged in even if they refreshed the page. You are on the right path, but you should add at least one more element to $_SESSION (Profile identification, so we can call it as profile_id for example).
Assume you are using this login formula:
function check_login($username, $password)
{
// query to find user with these inputs (encrypted password, prepared statements, etc)
if($query->num_rows > 0) // user exists
{
// fetch your query
// ...
session_start();
// set the session probably user is logged
// some return on success (probably redirect)
}
else
{
// some return on false
}
}
Now you should add one more $_SESSION element to save your current profile_id value:
session_start();
// ...
$_SESSION['profile_id'] = $result->profile_id; // <--- THIS IMPLEMENT
// some return on success (probably redirect)
1/2 is done!
Half of the problem is already finished, now all you need to do is compare $_GET input with $_SESSION.
Again, assuming your edit_profile.php file looks like this:
if(isset($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
So now instead of error profile id is not defined we can assign to $profile_id variable index profile_id of superglobal $_SESSION:
else
{
$profile_id = intval($_SESSION['profile_id']);
}
Notice that I am assuming you have condition to reject access to this script, if user is not logged (some condition at the start).
Now your code should work but maybe you are asking the question what if user knows his ID and types it into URL?
So you have two choices:
Let it be as it is
Add condition to check if $_GET['id'] equals to $_SESSION['profile_id'] then redirect to edit_profile.php
Final thoughts...
Maybe if you are generating the list of the users, where the user can edit the others' users profiles including himself's, you want to remove id parameter of the edit_profile.php URL if the user's ID is equal to current ID in fetch loop. You can inspire by this simple function:
function generate_profile_edit_url($id)
{
session_start(); // for the case, you don't have started session yet
return 'Edit Business Profile';
}
Just in every fetch iteration you will use this function, like in the example below:
// ...
echo generate_profile_edit_url($result->profile_id);
// ...
Solution #2
Introduction
This solution will reach to the editing user's profile without any ID parameter in URL. It is designed for situation where user has rights to edit someone else's profile (for example, a moderator or an admin) and you still don't want to have the users' ID in the URL.
Pluses:
No ID parameter in URL needed for all users
Minuses:
you have to change every profile link to little form using POST action without JavaScript knowledge
no more <a></a> links for profile edit, again without JavaScript knowledge
users are still able to get their id if they want to
So what to do...
Firstly, we need to change edit_profile.php file. We have to recieve $_POST data containing target's profile_id.
Like in Solution #1, assume your edit_profile.php looks like:
if(isSet($_GET['id']) && !empty(trim($_GET['id'])))
{
$profile_id = intval($_GET['id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
Most of the changes will be just replacing $_GET with $_POST:
if(isSet($_POST['profile_id']) && !empty(trim($_POST['profile_id'])))
{
$profile_id = intval($_POST['profile_id']);
// ...
}
else
{
// probably an error profile id is not defined
}
// rest of the code ...
For this file, it is enough.
Now there is some more work to do if you have a placed profile links in different files. But we can make it easier using one simple function like this:
function get_profile_edit_button($profile_id)
{
$html = '<form action="edit_profile" method="POST">';
$html .= '<input type="hidden" name="profile_id" value="' . intval($profile_id) . '">';
$html .= '<input type="submit" value="Edit Business profile">';
$html .= '</form>';
return $html;
}
The last thing is replace current edit profile links with this function. For example you have fetch loop of users:
// ...
echo 'Edit Business Profile';
// ...
So you will replace this string with your function get_profile_edit_button():
// ...
echo get_profile_edit_button($result->profile_id);
// ...
Final thoughts...
As I mentioned in minuses, profiles' ids cannot be totally hidden. If someone opened Source code of your page, he can see profile_id in hidden form type:
<input type="hidden" name="profile_id" value="1234567">
It is only on you what solution you prefer, but I can recommend you Solution #1. There is nothing bad about having IDs in URL. Stack Overflow has it too as you can see it on questions, answers, comments and users.
Useful resources:
PHP Session Security
PHP form token usage and handling
When logging in, try saving the user ID and business ID inside session.
As for example..
$logged_in = some_logic_stuffs();
if($logged_in){
session_start();
$_SESSION['user_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
$_SESSION['business_id'] = SOME_ID_FETCHED_FROM_LOGIN_LOGIC;
}
Now, when user goes to edit_profile.php, do
session_start();
$business_id = $_SESSION['business_id'];
$user_id = $_SESSION['business_id'];
For the login logic, try reading this tutorial:
http://www.formget.com/login-form-in-php/
If the user can edit multiple business profiles, the $_SESSION solutions would not work. You would need to disguise what gets sent to the address bar:
You would need to change your code to POST the data rather than sending it as a GET request.
To do this you could either use JavaScript to fake a form post on the link click, or wrap your link in a form tag and set method="POST".
POST sends the data "behind the scenes" rather than exposing it in the browser. I should add that this would still be visible to anyone wanting to discover your IDs, but it would hide it from the casual user at least.
If you really wanted security, #BobBrown's suggestion to tokenise would be a great way forward. You may find, however, that just hiding the ID from display on-screen is enough. Just make sure your user management system will restrict who can edit a particular business.
Try this
<?php
session_start();
include('dbconnect.php');
if(isset($_SESSION['username']))
{
$username = $_SESSION['username'];
$userid = $_SESSION['id'];
}
else
{
$_SESSION['id'] = "";
$_SESSION['username'] = "";
}
if($username <> "")
{
$username = 'username';
$userid = 'id';
}
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 900))
{
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
then
<?php
#if the form is set (meaning that the information was submitted then define what the parameters are for each
if(isset($_REQUEST['username']) == TRUE)
{
$username = $_REQUEST['username'];
$password = $_REQUEST['password'];
#make sure there are no blank fields
if($username == "" OR $password == "")
{
echo '<p class="text-danger">Please enter a Username and Password</p>';
}
else
{
$userid = finduser($username, $password);
if($userid > 0)
{
loginuser($userid);
}
else
{
echo '<p class="lead text-danger">The Username and/or Password enter is incorrect</p><br />';
}
}
}
?>
after that then this
<?php
if(isset($_SESSION['username']))
{
if($_SESSION['username'] <> "")
{
//do something
}
else{
//form or something else
?>
<form>form goes here</form>
<p> or something else you want</p>
<?php
}
}
?>
Start your PHP with session_start(); then when the user logs in make a session value for the ID:
$_SESSION['profile-id'] = 1235879; //Select it from database
after in your edit_profile.php do that:
if (!isset($id)) {
$id = $_SESSION['profile-id'];
}
And then edit the $id.
Store the id in session on the first page:
$_SESSION['id'] = 12345;
And on edit_profile.php you can get the value by:
$id = $_SESSION['id'];
And start the session on every page by session_start();
Easiest and simplest way to handle your situation if you want to use Id or any information in URL and pass it through URL
then you can have a scret combination with your values like below
Firt you have to encode the value with your secret stuff for example
$sshhh="ITSMY_SECRET_VALUECODE";
$encrypted_id = base64_encode($your_value . $sshhh);
Then pass it (encrpyted_id) in URL
for example href="all-jvouchers.php?id=<?= $encrypted_id; ?>
and while getting value use below code to get back your value
$sshhh="ITSMY_SECRET_VALUECODE";
$decrypted_id_raw = base64_decode($_GET['id']);
$decrypted_id = preg_replace(sprintf('/%s/', $sshhh), '', $decrypted_id_raw);
Use $decrypted_id wherever and however you want to securely
my code is related to breadcrumbs.. that is it should display previous page or from where it is navigated and i achieved it partially , while im refreshing 2-3 times im getting the current page not the previous page.. so pl help me on this
my code lies in session.php as
$add = $_SERVER['PHP_SELF'];
if($_SESSION['pageadd'][1]!= $_SESSION['pageadd'][2])
{ $_SESSION['pageadd'][2]= $_SESSION['pageadd'][1];
}
echo $_SESSION['pageadd'][2];
if(($_SESSION['pageadd'][1]!= $add) )
{ $_SESSION['pageadd'][1]= $_SESSION['pageadd'][0];
$_SESSION['pageadd'][0]=$add;
}
What you want isn't a breadcrumb - it's a history for visited pages! This could be achieved with something like this:
if (!isset($_SESSION['pageadd'])) {
$_SESSION['pageadd'] = array();
}
// add page
$_SESSION['pageadd'][] = $_SERVER['PHP_SELF']
// only save last 5 pages
if (count($_SESSION['pageadd'])) > 5) {
array_shift($_SESSION['pageadd']);
}
Try to use $_SERVER['HTTP_REFERER'] it will return you previous url. However you need to store it in some hidden field or session like you are doing now.
Hope this help :)
I have a script that takes some 500 rows from a table, and based on whether or not a user is logged in, generates a link to like or dislike the item.
The way it currently goes is like this:
//Select * from table;
//while(){
if($userLogged)
{
echo $row['columnName'].' Like - Dislike';
}else{
echo $row['columnName'];
}
}
This way, it checks if a user is logged at each and every row. $userLogged is set in a file that's included on this page.
What would be a better way to do this instead of checking if a user were logged in inside the loop for each and every row?
Not getting your question quiet well but I think you want to prevent condition each time you loop so you can check the condition first and than loop accordingly, example
if($userLogged) {
while(condition) {
}
} else {
while(condition) {
}
}
This way you don't have to check the condition inside the loop each time it loops
Use sessions here
session_start();
if(isset($_SESSION['userLogged']))
{
echo $row['columnName'].' Like - Dislike';
}else{
echo $row['columnName'];
}
If the code for the like and dislike is identical for each entry then you could do something like this.
$links = ($userLogged)?"Like - Dislike":"";
while (condition){
echo $row['columnName'].$links;
}
I'm having a little issue with some php logic in my main index page, that will include certain pages based on the results of some functions, mainly to do with login/logout and the first time a user logs in after registering. The php that manages the includes is below:
UPDATE: (Based on suggestions from #arjan and #bigman I've updated the code as follows. The end result is still the same).
<?php
if ($login->checkForRegisterPage()) {
include("views/pages/home.php");
// are we logged in ?
} elseif ($login->isLoggedIn()) {
// check whether account is activated
if (!$login->checkActivated()) {
include("views/pages/activate.php");
// check whether user has logged in before
} elseif ($login->checkFirstLogin()) {
include("views/pages/build_profile.php");
// check action in URL and redirect accordingly
} elseif ($checkaction->checkForBuildProfilePage()) {
include("views/pages/build_profile.php");
} elseif ($checkaction->checkForViewProfilePage()) {
include("views/pages/profile.php");
// if all else fails, load the dashboard
} else {
include("views/pages/dashboard.php");
}
} else {
// not logged in, showing the login form
include("views/pages/home.php");
}
?>
The problem is with the two functions $login->checkActivated(); and $login->checkFirstLogin(); included below:
public function checkFirstLogin() {
$checkfirstlogin = $this->db->query("SELECT first_login FROM users WHERE first_login = 'Y' AND user_name = '".$this->user_name."';");
if($checkfirstlogin->num_rows == 1) {
return true;
} else {
return false;
}
}
public function checkActivated() {
$checkactivated = $this->db->query("SELECT activated FROM users WHERE activated = 'N' AND user_name = '".$this->user_name."';");
if($checkactivated->num_rows == 1) {
return false;
} else {
return true;
}
}
When the user first logs in, these functions return the correct result and I receive the page that I want. However, after login, I can still click and travel to other links on the page e.g. checkForViewProfilePage(); looks for view=profile in the URL. The thing is in order for the logic to reach the point where it even checks for that, it would have had to get past the two functions checkActivate(); and checkFirstLogin();, which it shouldn't be able to do while those criteria are met, but it still can. I hope I'm making sense. Can anyone see an error?
Obviously my login form calls the Login class which the awkward functions are stored in, and so this would be loaded on login, but the class is included in the same way here so I'm not sure why the functions don't appear to be firing.
you can use elseif to stop the nesting from going deeper.
also, why call every function twice? Only once in the if should be enough.
I solved it. The problem was higher up in the Login class - in Login db connections are only created when a session_start() is fired, i.e. on first login. Created a new class with db connection launched with each function and everything worked as it was.
Thanks to #arjan and #bigman for the formatting tips r.e. nesting.
I've been searching about deleting db entries in Codeigniter and I finally created a solution that I think is secure. I would really appreciate any feedback! I'm not sure if I'm doing this right..
Advantages:
Uses POST request
ID of entry to be deleted is
validated
Uses CSRF protection (automatically
generated by Codeigniter)
In my example I'm deleting user submitted links (a DB table row contains a link title, link URL, an link description).
HTML: Database entires are contained within a form. Each entry has a form button with the respective link id in the id attribute.
<?php echo form_open('profile/remove_link'); ?>
<?php echo form_hidden('link_id', ''); //value will be populated via jquery ?>
<ul id="user_links">
<?php foreach($query as $row): ?>
<li><?php echo $row->link_title; ?></li>
<li><?php echo auto_link($row->link_url, 'url', TRUE); ?></li>
<li><?php echo $row->link_description; ?></li>
<button type="submit" class="remove" id="<?php echo $row->link_id ?>" value="remove">Remove Link</button>
<?php endforeach; ?>
</ul>
</form>
JQUERY: When user clicks on the remove button, the respective link id is added to the the hidden text input named link_id.
$(document).ready(function(){
$('.remove').click(function() {
var link_to_remove = $(this).attr("id");
$("input[name=link_id]").val(link_to_remove);
});
});
Upon clicking a remove button, it sends the id of link to be removed to controller profile and function remove_link
function remove_link()
{
$this->load->model('Profile_model');
$links_data['query'] = $this->Profile_model->links_read(); //get links from db to add in view
//Validation
$this->form_validation->set_rules('link_id', 'Link ID', 'trim|required|xss_clean|max_length[11]|numeric'); //validate link id
if ($this->form_validation->run() == FALSE) //if validation rules fail
{
$this->load->view('profile/edit_links_view', $links_data);
}
else //success
{
$link_id = $this->input->post('link_id'); //get id of link to be deleted
$seg = 'user_links'; //used to redirect back to user links page
$this->Profile_model->links_delete($link_id, $seg); //send link id to model function
}
}
MODEL
function links_delete($link_id, $seg)
{
$this->db->where('user_id', $this->tank_auth->get_user_id());
$this->db->where('link_id', $link_id);
$this->db->delete('user_links');
redirect("/profile/$seg/");
}
If the ids are unique integers in your database, you could remove these rules:
trim|xss_clean|numeric
And add this one:
is_natural_no_zero
Returns FALSE if the form element contains anything other than a natural number, but not zero: 1, 2, 3, etc.
The numeric rule allows some characters you probably don't want, like decimals and negative. Here's the source (one line):
return (bool)preg_match( '/^[\-+]?[0-9]*\.?[0-9]+$/', $str);
If for some reason you are echo'ing the input back in your HTML output before validating, or are just paranoid, then by all means: xss_clean it up. Otherwise it's not really needed, as I don't think there's any possible method of XSS attacks that only use a number.
Reference:
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
http://ha.ckers.org/xss.html
Also, you might want to add a LIMIT 1 clause to your query, and definitely make sure to return a value (probably TRUE/FALSE) from your model so you know whether or not the query was successful, so you can give feedback to the user instead of assuming everything went well.
The only thing that I see wrong is that you don't validate who can and can't delete records. That's the only issue you should focus on. Permissions to check if the person sending the request of deletion is allowed to perform such operations. Other than that it's just a matter of preference.
I would suggest rewriting controller and model a bit to make the flow more logical and provide better performance:
controller:
function remove_link()
{
if ($this->input->post('link_id'))
{
//Validation
$this->form_validation->set_rules('link_id', 'Link ID', 'is_natural_no_zero');
if ($this->form_validation->run())
{
$seg = 'user_links'; //do you really need to assign it to variable ??
$this->load->model('Profile_model');
if ($this->Profile_model->links_delete($this->input->post('link_id')) //send link id to model function
{
redirect('/profile/user_links'); // redirect user in controller and only when model returns true
}else{
// inform user about error somehow, eg. by setting session flashdata and redirecting back to /profile/user_links
}
}
} // else statement here was a mistake as in case of form_validation failure nothing happened
$this->load->model('Profile_model');
$links_data['query'] = $this->Profile_model->links_read(); //get links from db to add in view
$this->load->view('profile/edit_links_view', $links_data);
}
model:
function links_delete($link_id)
{
$this->db->where('user_id', $this->tank_auth->get_user_id())
->where('link_id', $link_id)
->delete('user_links'); // you can chain methods without writing always $this->db->
return $this->db->affected_rows(); // returns 1 ( == true) if successfuly deleted
}
And as a side note in your jQuery code I suggest using $('#some_id') instead of $('input[name=XXXX]') - it saves some javascript code execution thus is faster