Passing Variables using Session Start

Posted: Tue Dec 29, 2009 11:24 am
by marnieg
I have a form built reading a database, which then calls another form for the user to input data. When hitting submit, the data is inserted into the database. My problem is the passing of a variable from the first form to the second. Here is my code.

register.php

<?php
error_reporting(E_ALL);
$link = mysql_connect("db1926.perfora.net", "dbo289756726", "JuE82EvF") or die("Could not connect : " . mysql_error());
mysql_select_db("db289756726") or die("Could not select database");

$query = mysql_query("SELECT * FROM courses where course_prog = 'Comm Educ - Computer Courses' and course_stat = 'A' order by course_nm, course_num");

echo "<table border='1' cellpadding='2'>
<td width='172px'><b>Course Name</b></td>
<td><b>Start</b></td>
<td><b>End</b></td>
<td><b>Day(s)</b></td>
<td><B>Loc</td>
<td><B>Room</td>
<td><B>Time</td>
<td><B>Cost</td>
<td width='50px'><B>Curr Enrolled</td>
";

while($row = mysql_fetch_array($query))
{
$course_num = $row['course_num'];
$csename = $row['course_nm'];
$csestart = $row['course_st_date'];
$cseend = $row['course_end_date'];
$csedays = $row['course_days'];
$cseloc = $row['course_loc_cd'];
$cserm = $row['course_rm_cd'];
$csewks = $row['course_totwks'];
$csehours = $row['course_hours'];
$csecost = $row['course_cost'];
$cseinstr = $row['course_instr'];
$csecount = $row['course_enrolled'];

//display results information in a table
echo"<form name='results' method='post' action='coursereg.php' bgcolor='#2A1E10'>
<tr>
<td>
<a target='_blank' href='coursedetail.php?course_num=$course_num'>$csename</a>
</td>
<td>
$course_num
</td>
<td>
$csestart
</td>
<td>
$cseend
</td>
<td>
$csedays
</td>
<td>
$cseloc
</td>
<td>
$cserm
</td>
<td>
$csehours
</td>
<td>
$$csecost
</td>
<td>
$csecount
</td>
<td>
<input type='submit' value='Enroll'/>
</td>

</tr>";

}//end while

echo "</table></form>";

mysql_close();
?>

The enroll button calls coursereg.php
<?php
session_start();
session_register('course_num');
$_SESSION['course_num'] = $_POST['course_num'];
require_once "formvalidator.php";
$show_form=true;
if(isset($_POST['Submit']))
{
$validator = new FormValidator();
$validator->addValidation("enroll_lnm", "req", "Please fill in Last Name");
$validator->addValidation("enroll_fnm", "req", "Please fill in First Name");
$validator->addValidation("enroll_raddr", "req", "Please fill in Street Address");
$validator->addValidation("enroll_email", "email", "Please fill in Valid Email Address");
if($validator->ValidateForm())
{

echo "<B>Enrollment Successful</B>";
$show_form=false;
}
else
{
echo "<B>Validation Erros:</B>";
$error_hash = $validator->GetErrors();
foreach($error_hash as $inpname => $inp_err)
{
echo "<p>$inpname: $inp_err</p>\n";
}
}
}
if (true == $show_form)
{
?>
// I have tried using hidden variable to maintain the value of course_num and I also need to echo the course_num which is //not working either
<form name='enroll' method='post' action='insertreg.php' >
<input type='hidden' name='course_num' value='<?php echo $_POST['course_num']; ?>'/>
<table cellspacing="2" cellpadding="2" border="1" >
<?php
echo "<tr><td align='right'> <b>Course Num</b></td><td>$course_num</td></tr>";
?>
<tr>
<td align='right'>Last Name</td>
<td>
<input type='text' name='enroll_lnm' size='30'/> </td>
</tr>
<tr>
<td align='right'>First Name</td>
<td>
<input type='text' name='enroll_fnm' size='20'/> </td>
</tr>
<tr>
<td align='right'>Street Address/Residence</td>
<td>
<input type='text' name='enroll_raddr' size='30'/> </td>
</tr>
<tr>
<td align='right'>Email</td>
<td>
<input type='text' name='enroll_email' size='50'/> </td>
</tr>
<tr>
<td colspan='2' align='center'>
<input type='submit' name='Submit' value='Submit'/>
</td>
</tr>

</table>

</form>
<?php
}//true== $show_form
?>

then the submit button calls insertreg.php
<?php
session_start();
error_reporting(E_ALL);
$link = mysql_connect("db1926.perfora.net", "dbo289756726", "JuE82EvF") or die("Could not connect : " . mysql_error());
mysql_select_db("db289756726",$link) or die(mysql_errno().":<b> ".mysql_error()."</b>");
$insert_query = 'insert into enrollment (enroll_course,enroll_lnm,enroll_fnm,enroll_raddr,enroll_email)
values (
" . $_SESSION['course_num'] . ",
" . $_POST['enroll_lnm'] . ",
" . $_POST['enroll_fnm'] . ",
" . $_POST['enroll_raddr'] . ",
" . $_POST['enroll_email'] . "
)';
mysql_query($insert_query);

?>

I have tried several syntax combinations of single and double quotes but keep getting errors.

Please advise what fixes I need to make to these 3 different files.

Re: Passing Variables using Session Start

Posted: Tue Dec 29, 2009 1:54 pm
by manohoo
These are the basics:

Create file1.php to create a session variable

Code:

<?php
// file1.php
// (the file-name comment sits inside the PHP tag so nothing is output before session_start())
session_start();
$_SESSION['var'] = 'foo';
?>
Now you can use $_SESSION['var'] in another file:

Code:

<?php
// file2.php
session_start();
echo $_SESSION['var'];
?>

Re: Passing Variables using Session Start

Posted: Tue Dec 29, 2009 2:15 pm
by marnieg
I think the issue is that I'm dynamically creating the form in the first file from the database. When the user hits the "Enroll" button of type submit, the post should get all the variables in the form and pass them to the second php file, but I'm not getting any data in the course_num field that I'm trying to pass.

Re: Passing Variables using Session Start

Posted: Tue Dec 29, 2009 2:38 pm
by bytebrite
It looks like you forgot to set course_num in the first form. When coursereg.php runs, it checks for course_num in $_POST, but it's not there. Hence, it passes an empty value forward.

In any case, there are a bunch of things you can do to improve your code. Just gonna fire a few suggestions off here...

Code:

while ($row = mysql_fetch_array($query)) {
    // prevent UI breakage, XSS attacks, etc.
    // array_map returns the escaped values; array_walk would discard what htmlentities returns
    $row = array_map('htmlentities', $row);
    // copy array keys to variables
    extract($row);
    // use them in output...
    echo "$course_num $course_nm $course_st_date etc...";
}

Code:

 
session_start();
// no need to register variable, just write it to $_SESSION...
$_SESSION['course_num'] = $_POST['course_num'];
// you've got course_num in the session,
// so there's no need to put it in a hidden form input
// just look it up in the $_SESSION var when you need it
 

Code:

 
echo "<B>Enrollment Successful</B>";
// how is it successful? the insert never happens
// you should move the contents of insertreg.php here
$show_form=false;
 

Code:

 
// instead of if (true == $show_form) do...
if ($show_form) { ... }
 
// but you might want to consider a different approach altogether...
if (!empty($_POST)) {
    if ($validator->isValid()) {
        insert_course($_POST);
        redirect('mycourses.php');
        exit();
    }
    $errors = $validator->getErrors();
}
// script will only get here if the form should be displayed
include('forms/coursereg.php');
 

Code:

 
<form name='enroll' method='post' action='insertreg.php'>
should obviously be
<form name='enroll' method='post' action='coursereg.php'>
 
Lastly, consider using PDO or mysqli with prepared statements to prevent SQL injection and quoting issues...

Code:

 
$db = new PDO('mysql:host=localhost;dbname=mydb', 'username', 'password');
$stmt = $db->prepare('INSERT INTO enrollment (course, lnm, fnm) VALUES (?, ?, ?)');
$stmt->bindValue(1, $_POST['course_num'], PDO::PARAM_INT);
$stmt->bindValue(2, $_POST['enroll_lnm'], PDO::PARAM_STR);
$stmt->bindValue(3, $_POST['enroll_fnm'], PDO::PARAM_STR);
$stmt->execute();
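
The suggestions in this thread put together, as an added example that is not code from any of the posters: each course row gets its own form with a hidden course_num, the posted value is checked against the courses table before it goes into the session, and the insert uses placeholders. It assumes an in-memory SQLite database and constructed rows in place of the thread's MySQL server; the function names and the h() helper are hypothetical, while table and column names follow the original post.

```php
<?php
// Added example: constructed data, in-memory SQLite standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE courses (course_num TEXT, course_nm TEXT, course_stat TEXT)");
$db->exec("CREATE TABLE enrollment (enroll_course TEXT, enroll_lnm TEXT, enroll_fnm TEXT)");
$db->exec("INSERT INTO courses VALUES ('101', 'Intro <PC> Basics', 'A'), ('102', 'Old Course', 'X')");

// ENT_QUOTES matters here because the attributes below are single-quoted.
function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

// register.php: one form per row, each carrying its own course_num.
function render_enroll_row(array $row) {
    return "<tr><td>" . h($row['course_nm']) . "</td><td>"
         . "<form method='post' action='coursereg.php'>"
         . "<input type='hidden' name='course_num' value='" . h($row['course_num']) . "'/>"
         . "<input type='submit' value='Enroll'/></form></td></tr>\n";
}

// coursereg.php: the hidden field is client-controlled, so accept it only
// if it names an active course, then keep it in the session.
function remember_course(PDO $db, array $post, array &$session) {
    $stmt = $db->prepare("SELECT course_num FROM courses WHERE course_num = ? AND course_stat = 'A'");
    $stmt->execute([isset($post['course_num']) ? $post['course_num'] : '']);
    $found = $stmt->fetchColumn();
    if ($found === false) { return false; }
    $session['course_num'] = $found;
    return true;
}

// insertreg.php: placeholders replace the hand-built quoting.
function insert_enrollment(PDO $db, array $session, array $post) {
    $stmt = $db->prepare('INSERT INTO enrollment (enroll_course, enroll_lnm, enroll_fnm) VALUES (?, ?, ?)');
    return $stmt->execute([$session['course_num'], $post['enroll_lnm'], $post['enroll_fnm']]);
}

$session = [];   // stands in for $_SESSION after session_start()
foreach ($db->query("SELECT * FROM courses WHERE course_stat = 'A'") as $row) {
    echo render_enroll_row($row);
}
var_dump(remember_course($db, ['course_num' => '102'], $session));  // inactive course
var_dump(remember_course($db, ['course_num' => '101'], $session));  // active course
insert_enrollment($db, $session, ['enroll_lnm' => "O'Brien", 'enroll_fnm' => 'Pat']);
print_r($db->query('SELECT * FROM enrollment')->fetchAll(PDO::FETCH_ASSOC));
```

The last name containing an apostrophe is stored unchanged, which is the case the hand-quoted INSERT in insertreg.php cannot handle.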