
I made the create event page, but when I submit, the data doesn't go to my database. I tried using the insert feature in phpMyAdmin and it requires that I also enter the user_id, even though I made a relationship between the 2 tables.

I guess I have to retrieve the user_id of the logged-in user, but I couldn't do it; I keep getting an error message.

NOTE: this website is for a school assignment!!

```php
<?php
require "config.php";
include("auth.php");

if (isset($_POST['submit'])) {
    $event_name = $_POST["event_name"];
    $event_description = $_POST["event_description"];
    $video_url = $_POST["video_url"];
    $image_url = $_POST["image_url"];
    $start_date = $_POST["start_date"];
    $end_date = $_POST["end_date"];
    $start_time = $_POST["start_time"];
    $end_time = $_POST["end_time"];
    $sql_query = "INSERT INTO event_details (event_name, event_description, video_url, image_url, start_date, end_date, start_time, end_time) VALUES ('$event_name', '$event_description', '$video_url', '$image_url', '$start_date', '$end_date', '$start_time', '$end_time')";

    if (mysqli_query($con, $sql_query)) {
        header("Location: adminevents.php");
        exit(); // header() does not stop the script; exit so nothing else runs after the redirect
    }
}
?>
```

That is the code in the form.

```php
<?php
// Calling the Connection file!
require "config.php";

session_start();
// If the form was submitted, check the credentials against the database.

if (isset($_POST['username'])) {
    $username = stripslashes($_REQUEST['username']);
    $username = mysqli_real_escape_string($con, $username);
    $password = stripslashes($_REQUEST['password']);
    $password = mysqli_real_escape_string($con, $password);

    // Checking if the user exists in the database or not
    $query = "SELECT * FROM users WHERE username='$username' and password='$password'";
    $result = mysqli_query($con, $query);
    $rows = mysqli_num_rows($result);

    if ($rows == 1) {
        $_SESSION['username'] = $username;

        // Redirect user to a welcome page
        header("Location: welcome.php");
        exit(); // stop the script after sending the redirect
    } else {
        echo "<div class='wrongpass' style='color:red; font-size:12px; margin-left: 3px;'><h3>Username or password is incorrect.</h3> </div> <br/>";
    }
}
?>
```

This is my login code.

```php
<?php
/* Database credentials. Assuming you are running MySQL
server with default setting (user 'root' with no password) */

$db_name = "sistdb";
$mysql_user = "root";
$mysql_pass = "";
$server_name = "localhost";

$con = mysqli_connect($server_name, $mysql_user, $mysql_pass, $db_name);

if (!$con) {
    // mysqli_connect_error(), not the removed mysql_connect_error()
    echo "Connection Error ..." . mysqli_connect_error();
}
?>
```

This is the database connection.

```php
<?php
session_start();
if (!isset($_SESSION["username"])) {
    header("Location: login.php");
    exit();
}
?>
```

This is the session start code.

```php
<?php
require "config.php";
include("auth.php");
    $query  "SELECT user_id FROM `users` WHERE username = $_SESSION['username']";
    $result = mysqli_query($con,$query);
    $row=mysqli_fetch_assoc($result) 
    $userid = $row["user_id"];

if (isset($_POST['submit'])) {
    $event_name = $_POST["event_name"];
    $event_description = $_POST["event_description"];
    $video_url = $_POST["video_url"];
    $image_url = $_POST["image_url"];
    $start_date = $_POST["start_date"];
    $end_date = $_POST["end_date"];
    $start_time = $_POST["start_time"];
    $end_time = $_POST["end_time"];
    $sql_query = "INSERT INTO event_details (event_name, event_description, video_url, image_url, start_date, end_date, start_time, end_time) VALUES ('$event_name', '$event_description', '$video_url', '$image_url', '$start_date', '$end_date', '$start_time', '$end_time')";

    if (mysqli_query($con, $sql_query)) {
        header("Location: adminevents.php");
        exit(); // stop the script after sending the redirect
    }
}
?>
```

If I try to retrieve user_id from SQL by the username stored in the session, I get:

```text
Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\wamp64\www\assignment\addevent.php on line 5
```

Line 5 is where I have `$query = SELECT ...`.
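A working version of the create-event page, added here as an example (it is not the asker's code): it resolves the session username to its `user_id` with a prepared statement and binds that id into the `INSERT` together with the form fields. Binding the values means the SQL string contains no interpolation at all, which removes both the parse error (PHP does not allow a quoted key such as `$_SESSION['username']` inside a double-quoted string) and the injection path through the form fields. It assumes `config.php` creates `$con` and `auth.php` guards the page as the versions above do; `users.user_id` and the `user_id` column in `event_details` come from the question, and the variable names are my own.

```php
<?php
// Added example (not the asker's code): addevent.php with the logged-in user's
// id resolved from the session and bound into the INSERT. Assumes config.php
// creates $con and auth.php has started the session and redirected anonymous
// visitors, as the page's versions do.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL failures throw instead of returning false silently
require "config.php";
include("auth.php");

// 1. Look up user_id for the session username. The value is bound to the "?"
//    placeholder, so the SQL text contains no quoting and no interpolation.
$stmt = mysqli_prepare($con, "SELECT user_id FROM users WHERE username = ?");
mysqli_stmt_bind_param($stmt, "s", $_SESSION["username"]);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user_id);
$found = mysqli_stmt_fetch($stmt); // true if a row was fetched, null if there was none
mysqli_stmt_close($stmt);

if ($found !== true) {
    // The session names a user that no longer exists: treat it as logged out.
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}
$user_id = (int) $user_id;

// 2. Insert the event with that user_id. Every form field is a bound
//    parameter, so the query text is fixed whatever the user types.
if (isset($_POST['submit'])) {
    $fields = ["event_name", "event_description", "video_url", "image_url",
               "start_date", "end_date", "start_time", "end_time"];
    $values = [];
    foreach ($fields as $name) {
        $values[] = isset($_POST[$name]) ? trim((string) $_POST[$name]) : "";
    }

    $stmt = mysqli_prepare(
        $con,
        "INSERT INTO event_details
            (user_id, event_name, event_description, video_url, image_url,
             start_date, end_date, start_time, end_time)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)"
    );
    // Type string: "i" for the integer user_id, then one "s" per text field.
    mysqli_stmt_bind_param($stmt, "issssssss", $user_id, ...$values);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    header("Location: adminevents.php");
    exit(); // header() does not stop the script; exit so nothing else runs
}
?>
```

If the login page stores the id in `$_SESSION["user_id"]` at login time, step 1 collapses to reading that value, and the lookup query is not needed on every request.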

Note
  • phpMyAdmin is a front end to MySQL. It is not a server. It does not run applications. – tadman Jan 04 '23 at 15:45
  • When doing a manual `INSERT` you will need to provide the foreign key values, it's just how SQL works. Nothing is figured out for you automatically. If you want that kind of functionality you need an *application layer*. – tadman Jan 04 '23 at 15:46
  • I know that, I just tried to insert directly from it and it requires the user_id. I tried using `$_SESSION["user_id"]` but still it shows an error – Note Jan 04 '23 at 15:47
  • I'm presuming this is actually a PHP question in disguise. You can help explain better by *showing your PHP code*. – tadman Jan 04 '23 at 15:47
  • How can I do that? The user_id is auto-incremented in the users table – Note Jan 04 '23 at 15:48
  • When you insert, you get a `LAST_INSERT_ID()`. If you're having trouble with this, it's understandable, there's a lot to pick up here before you can get anything working, but it's also a sign you're lacking good references to work from. Core PHP doesn't offer a lot to build with, so it's worth checking out frameworks to see which one you like best, and then learn one of those. They'll introduce you to the same concepts, but will allow you to get things done instead of forcing you to learn *everything* up front. – tadman Jan 04 '23 at 15:49
  • If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavours from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](https://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. – tadman Jan 04 '23 at 15:49
  • Code is completely unreadable in the comments, but you can edit your question to add it. – tadman Jan 04 '23 at 16:00
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](https://php.net/manual/en/mysqli-stmt.bind-param.php) to add any data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](https://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or data *of any kind* directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Jan 04 '23 at 16:00
  • `it requires that I enter also the user_id even tho I made a relationship between the 2 tables`...well obviously, because the relationship simply defines that the user_id value in the events table must be a valid value from the users table. It doesn't tell it **which** user ID you want to associate with any specific event. You need to provide that when you insert the event. – ADyson Jan 04 '23 at 16:21
  • How?? Like if the user with id 1 filled the form, he should do it manually?? – Note Jan 04 '23 at 16:23
  • `I couldn't do it I keep getting an error message.`...then please show us what you tried and what the error was...there's nothing in what you've shown which attempts to use the User ID when inserting into the events table. You also didn't tell us what the error is. We can't fix unknown errors in invisible code. – ADyson Jan 04 '23 at 16:23
  • `he should do it manually`...no, I only mean in phpmyadmin that's what you would need to do. But in your PHP application you can get the ID of the logged-in user from the Session, and use it in your INSERT query. (Or, if only username is stored in the Session, you can use that username to retrieve the ID value from the database first). – ADyson Jan 04 '23 at 16:24
  • P.S. As an aside, why are you using stripslashes to alter the username and password? Are passwords not allowed to contain slashes?? I don't know what benefit you think this function is giving you, especially since you're doing that without the user's knowledge too. It doesn't prevent SQL injection, if that's what you're thinking. And neither does mysqli_real_escape_string (at least, not entirely anyway) - as mentioned earlier you must use prepared statements and parameters to write your queries safely and reliably. See https://phpdelusions.net/mysqli for simple examples. – ADyson Jan 04 '23 at 16:27
  • Also, please don't store passwords in plain text - that is another security risk. Learn about [password hashing](https://www.php.net/manual/en/faq.passwords.php) instead. See also [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – ADyson Jan 04 '23 at 16:27
  • And never configure your web app to login to the database as `root`. Root can do whatever it likes, so on top of the other vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Jan 04 '23 at 16:28
  • Please bring your error handling into the 21st century too. Add `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` before your `mysqli_connect()` (or `new mysqli()`) command, and this will ensure that errors with your SQL queries are reported correctly to PHP automatically. That way you don't need to clutter your script with repetitive code to keep checking errors after every mysqli command (and you've even got that wrong in places, too). Also you should never be echoing error data deliberately, it can easily reveal sensitive info to attackers by accident. – ADyson Jan 04 '23 at 16:29
  • https://xkcd.com/327/ – hanshenrik Jan 05 '23 at 15:16
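The comments above recommend prepared statements, password hashing, a non-root database account, `mysqli_report()` and not echoing error details. As an added example (my code, not the asker's or the commenters'), here is a login flow that applies all of them at once. It assumes a `password_hash` column in `users` in place of the page's plain-text `password` column, a dedicated MySQL account named `sist_app` whose password is a placeholder, and the helper names `store_user` and `authenticate`, none of which appear on the page.

```php
<?php
// Added example, not code from the question or the comments. Assumptions:
// users(user_id, username, password_hash), a MySQL account "sist_app" with a
// placeholder password, and helper names store_user()/authenticate().

// --- config.php ---
// Report mysqli failures as exceptions: no manual checks after each call,
// and nothing about the failure is echoed to the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect("localhost", "sist_app", "CHANGE-ME-app-password", "sistdb"); // placeholder credentials, not root
mysqli_set_charset($con, "utf8mb4");

// --- registration (the part that stores the credential) ---
// Returns the auto-incremented user_id of the new row.
function store_user(mysqli $con, string $username, string $password): int {
    // password_hash() produces a salted, slow hash; the plain password is never stored.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($con, "INSERT INTO users (username, password_hash) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $username, $hash);
    mysqli_stmt_execute($stmt);
    $id = (int) mysqli_insert_id($con); // LAST_INSERT_ID(), as the comments mention
    mysqli_stmt_close($stmt);
    return $id;
}

// --- login.php ---
// Returns the user_id on success, or null if the credentials do not match.
function authenticate(mysqli $con, string $username, string $password): ?int {
    // The username is a bound parameter: no stripslashes(), no escaping, no interpolation.
    $stmt = mysqli_prepare($con, "SELECT user_id, password_hash FROM users WHERE username = ?");
    mysqli_stmt_bind_param($stmt, "s", $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id, $hash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        // Spend the same effort as a real check so an unknown username is not
        // distinguishable from a wrong password by response time.
        password_hash($password, PASSWORD_DEFAULT);
        return null;
    }
    return password_verify($password, $hash) ? (int) $user_id : null;
}

session_start();
if (isset($_POST["username"], $_POST["password"])) {
    $user_id = authenticate($con, (string) $_POST["username"], (string) $_POST["password"]);
    if ($user_id !== null) {
        session_regenerate_id(true);        // fresh session id once the user is authenticated
        $_SESSION["user_id"] = $user_id;    // addevent.php can use this directly
        $_SESSION["username"] = (string) $_POST["username"];
        header("Location: welcome.php");
        exit();
    }
    // One generic message for both a wrong username and a wrong password.
    echo "<div class='wrongpass'><h3>Username or password is incorrect.</h3></div>";
}
?>
```

With `MYSQLI_REPORT_STRICT` set, a failed connection or query throws `mysqli_sql_exception`; let it reach PHP's error log rather than catching it just to echo the message, which is the leak the comments warn about.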

1 Answer


The `=` sign is missing. It should be:

```php
$query = "SELECT user_id FROM users WHERE username = $_SESSION['username']";
```