Just pass in the userid when you call the function. For example:
PHP Code:
function saveItem($userid) {
    echo "User ID: $userid";
}
$userid = 66;
saveItem($userid);
This may also help, especially the part about parameters.
Thanks for your helpful response. I've tried placing the $userid variable in a function and calling it, but the value that is sent is still null.
If on the other hand I specify a value above the function call like in your example:
$userid = 66;
saveItem($userid);
Then the value 66 is inserted in the database.
But the value that I am trying to insert isn't a specific value like 66, rather it has been taken from the database and stored in a variable ($userid).
Is it possible for you to show me what the code would look like, based on my code, for inserting the value from the variable $userid into the database?
<?php
// checks cookies to make sure they are logged in
if (isset($_COOKIE['ID_my_site'])) {
    $email = $_COOKIE['ID_my_site'];
    $pass  = $_COOKIE['Key_my_site'];

    $query  = "SELECT forename, surname FROM user WHERE email = '$email'";
    $result = mysql_query($query) or die(mysql_error());
    $row    = mysql_fetch_array($result) or die(mysql_error());

    $check = mysql_query("SELECT * FROM user WHERE email = '$email'") or die(mysql_error());
    while ($info = mysql_fetch_array($check)) {
        // if the cookie has the wrong password, they are taken to the login page
        if ($pass != $info['password']) {
            header("Location: login.php");
            exit; // stop here, otherwise the rest of the page is still sent after the redirect header
        } else {
            // otherwise they are shown the admin area
        }
    }
} else {
    // if the cookie does not exist, they are taken to the login screen
    header("Location: login.php");
    exit;
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Cleaning Rota - Options</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Style-Type" content="text/css" />
<link href="css/layout.css" rel="stylesheet" type="text/css" />
</head>
<body>
<noscript><p>** Scripts have been disabled in your web browser, as a result of this some features may be unavailable. **</p></noscript>
<div id="rotamenu"> <br />
<?php
// look up the numeric id of the logged-in user from the email held in the cookie
$useridquery = "SELECT userid FROM user WHERE email = '$email'";
$result = mysql_query($useridquery);
while ($row = mysql_fetch_assoc($result)) {
    $userid = $row["userid"];
}

$action = isset($_GET['action']) ? $_GET['action'] : '';
switch ($action) {
    case 'delete':
        $title   = 'Delete a Person';
        $content = DeleteItem();
        break;
    case 'new':
    case 'edit': // the Edit link built in ShowList() points here
        $title   = 'Add a Person';
        $content = ManageItem();
        break;
    case 'save':
        $title   = 'Save a Person';
        $content = SaveItem();
        break;
    default:
        $title   = 'Options';
        $content = ShowList();
        break;
}

function ShowList() {
    // we are showing the table, no initial actions are needed
    // so we'll jump straight into the table
    // ($userid inside this function is a local variable, not the one set above)
    $query  = mysql_query("select * from rota where userid='$userid' order by person asc");
    $output = '<table>';
    // loop all the records
    while ($row = mysql_fetch_assoc($query)) {
        $output .= '<tr>';
        $output .= '<td>' . htmlspecialchars($row['person']) . '</td>';
        $output .= '<td width="76"><a href="?action=edit&amp;personid=' . (int)$row['personid'] . '">Edit</a> ';
        // need to add slashes as we're dealing with javascript here
        $output .= '<a href="javascript:checkDelete(\'' . htmlspecialchars(addslashes($row['person'])) . '\',' . (int)$row['personid'] . ');">Delete</a></td>';
        $output .= '</tr>';
    }
    $output .= '</table>';
    return $output;
}

function DeleteItem() {
    // in the query we convert it to an integer to prevent any injection
    if (mysql_query("delete from rota where personid='" . (int)$_GET['personid'] . "'")) {
        $output = '<b>One member has been removed from the cleaning rota.</b><br/><br/>';
    } else {
        $output = '<b>An Error Occurred: ' . mysql_error() . '</b><br><br>';
    }
    // show the list
    $output .= ShowList();
    return $output;
}

function ManageItem() {
    if (isset($_GET['personid'])) {
        // if we're editing we need to grab the stuff from the database
        // convert to integer (if it's not a number it'll become zero)
        $personid = (int)$_GET['personid'];
        $query = mysql_query("select * from rota where personid='" . $personid . "' limit 1");
        $row = mysql_fetch_assoc($query);
    } else {
        // set up blank array
        $row['personid'] = '';
        $row['person']   = '';
    }
    // we have lots of HTML here, so we're breaking out of PHP, but we need to stop it outputting
    // so we'll use output buffering and capture the result
    ob_start();
?>
<form method="post" action="?action=save">
<?php if (!empty($row['personid'])) { ?>
<input type="hidden" name="personid" value="<?php echo (int)$row['personid']; ?>" />
<?php } ?>
<table border="0" width="450">
<tr>
<td><font size="2">Person:</font></td>
<td><input type="text" name="person" size="20" value="<?php echo htmlspecialchars($row['person']); ?>"></td>
</tr>
<tr>
<td colspan="2">
<p align="center">
<input type="submit" value="Add Person" name="submit"></p></td>
</tr>
</table>
</form>
<?php
    // get output buffer and then clean it up
    $output = ob_get_contents();
    ob_end_clean();
    return $output;
}

function SaveItem() {
    if (isset($_POST['personid'])) {
        // we are updating
        // using our custom db escape function
        $query  = 'update `rota` set ';
        $query .= " `person`='" . db_escape($_POST['person']) . "' ";
        $query .= " where personid='" . (int)$_POST['personid'] . "' limit 1";
        if (mysql_query($query)) {
            $output = '<b>Your person has been updated.</b><br/><br/>';
        } else {
            $output = '<b>An Error Occurred: ' . mysql_error() . '</b><br><br>';
        }
    } else {
        // we are adding
        // using our custom db escape function
        $query = "INSERT INTO rota (userid, person) VALUES ('$userid','" . db_escape($_POST['person']) . "')";
        if (mysql_query($query)) {
            $output = '<b>One person has been added to the cleaning rota.</b><br/><br/>';
        } else {
            $output = '<b>An Error Occurred: ' . mysql_error() . '</b><br><br>';
        }
    }
    // show the list
    $output .= ShowList();
    return $output;
}
?>
<style>
body, table, td, th, tr {
    font-family: georgia;
    font-size: 10pt;
}
</style>
<script>
function checkDelete(person, personid) {
    if (confirm('Are you sure you want to remove "' + person + '" from the rota?')) {
        window.location = '?action=delete&personid=' + personid;
    } else {
        // cancelled, stay on the current page
    }
}
</script>
<h2><?php echo htmlspecialchars($title); ?></h2>
<?php echo $content; ?>
</div>
</body>
</html>
Well you still aren't passing in the $userid variable as a parameter to your SaveItem function. You need to change the function declaration like so:
PHP Code:
function SaveItem($userid) { // ...
Then when you call the function, supply the user id:
PHP Code:
$content = SaveItem($userid);
A couple of other things: you need to escape all user input. Currently I could manually set a cookie value which would inject SQL into your queries. Data from cookies should be treated with the same suspicion as any other user-supplied data. You already have a function for cleaning data, so you just need to call it.
Also you will probably find it easier to write cleaner code if you indent statements. If nothing else it makes it easier to read.
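Putting the two points from the reply above together, as an added example that is not the thread's own code: the cookie check and SaveItem() from the original post, rewritten so that $userid is handed to the function as a parameter and every request-supplied value (cookie, GET, POST) is bound as a query parameter instead of being pasted into the SQL string. It assumes PHP 7 or later with a mysqli connection already open in $db, and the table and column names used in the post; currentUserId() is a helper name introduced here. Bound parameters are used in place of the db_escape() function the reply refers to: they remove the quoting step altogether and give the cookie-derived values the same protection as the form fields.

```php
<?php
// Added example, not the thread's code. Assumes: PHP 7+, a mysqli connection in $db,
// and the post's tables/columns (user.email, user.password, user.userid,
// rota.userid, rota.person, rota.personid). currentUserId() is a name chosen here.

// Resolve the cookie to a user id. A cookie set by hand to  ' OR '1'='1  turns the
// post's  "SELECT ... FROM user WHERE email = '$email'"  into a query that matches
// every row; with a bound parameter the value travels separately from the SQL text
// and can only ever be compared as a literal email address.
function currentUserId(mysqli $db, string $email, string $pass): ?int
{
    $stmt = $db->prepare('SELECT userid, password FROM user WHERE email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($userid, $storedPass);
    $found = $stmt->fetch();
    $stmt->close();

    // same check as the post ($pass != $info['password']), done in constant time
    if (!$found || !hash_equals((string) $storedPass, $pass)) {
        return null;
    }
    return (int) $userid;
}

// $userid is now a parameter: a function only sees the values it is handed.
function SaveItem(mysqli $db, int $userid, array $post): string
{
    $person = (string) ($post['person'] ?? '');

    if (isset($post['personid'])) {
        // updating; the post's UPDATE had a stray comma before WHERE, removed here.
        // Restricting on userid keeps the edit to the caller's own rows, which is
        // the same scoping ShowList() already applies when reading.
        $personid = (int) $post['personid'];
        $stmt = $db->prepare('UPDATE rota SET person = ? WHERE personid = ? AND userid = ? LIMIT 1');
        $stmt->bind_param('sii', $person, $personid, $userid);
        $msg = 'Your person has been updated.';
    } else {
        // adding
        $stmt = $db->prepare('INSERT INTO rota (userid, person) VALUES (?, ?)');
        $stmt->bind_param('is', $userid, $person);
        $msg = 'One person has been added to the cleaning rota.';
    }

    $ok  = $stmt->execute();
    $err = $stmt->error;
    $stmt->close();

    return $ok
        ? '<b>' . $msg . '</b><br/><br/>'
        : '<b>An Error Occurred: ' . htmlspecialchars($err) . '</b><br><br>';
}

// Page wiring, in place of the cookie block at the top of the post ($db assumed connected).
if (!isset($_COOKIE['ID_my_site'], $_COOKIE['Key_my_site'])) {
    header('Location: login.php');
    exit; // without exit the rest of the page is still sent after the redirect header
}
$userid = currentUserId($db, $_COOKIE['ID_my_site'], $_COOKIE['Key_my_site']);
if ($userid === null) {
    header('Location: login.php');
    exit;
}
if (($_GET['action'] ?? '') === 'save') {
    $content = SaveItem($db, $userid, $_POST);
}
```

The same pattern applies to ShowList(), DeleteItem() and ManageItem(): pass $db and $userid in, and bind $_GET['personid'] as an integer parameter rather than relying on the (int) cast alone. Note that the mysql_* functions used in the post were removed in PHP 7, so moving to mysqli (or PDO) is needed anyway on a current PHP release.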
Thanks for all of your feedback, Mindzai; it's really useful. I think I'm sorted now, just in the process of implementing all of the changes that you suggested!