<p>Sending the <code>userid</code> via a hidden input field in a form is a HUGE security threat. Anybody can change that value with e.g. Chrome's inspector or FireBug. When someone logs in, you must store at least their user_id in a session. You can also store more info in the session so that you don't have to query the database on every request to e.g. show the logged-in user's username somewhere on the page.</p>
<p>I don't know how you handle log-ins at the moment, and I don't know how <code>$loggedInUser</code> is populated, but it should be a session variable, e.g. <code>$_SESSION['user']['id']</code>. That way you always know who the user is without having to send the data via a form; that is a real no-go.</p>
<p>Make sure to have <code>session_start()</code> at the top of each page, and ideally you'd use templates so you only have to add <code>session_start()</code> to the top of <code>index.php</code>.</p>
<p>And</p>
<pre><code>$sql = "
    INSERT INTO stories (author, author_id, story_name, story)
    VALUES ('$author', '$author_id', '$story_name', '$story')
";</code></pre>
<p>Should at least be</p>
<pre><code>$sql = "
    INSERT INTO stories (author, author_id, story_name, story)
    VALUES ('" . $author . "', '" . $author_id . "', '" . $story_name . "', '" . $story . "')
";</code></pre>
<p>And I would personally recommend:</p>
<pre><code>$q = "
    INSERT INTO stories
    SET author_id = " . $_SESSION['user']['id'] . " # This is an integer (I assume) so don't use apostrophes
      , story_name = '" . mysql_real_escape_string($_POST['story_name']) . "'
      , story = '" . mysql_real_escape_string($_POST['story']) . "'
";</code></pre>
<p>Remove the field <code>author</code> from the table. Just use the <code>author_id</code> for table referencing, otherwise you're going to store duplicate data and when someone changes their author name, the author name in the stories is outdated/incorrect/obsolete.</p>
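<p>Added example, not part of the answer above: it shows the two points the answer makes (take the author id from the session, never from a hidden form field, and keep user text out of the SQL string) in Python with sqlite3 instead of PHP/MySQL, and uses bound parameters in place of <code>mysql_real_escape_string</code>. The <code>stories</code> schema, the session dict, and the form inputs are constructed stand-ins; <code>insert_interpolated</code> mirrors the page's string-built INSERT and <code>insert_parameterized</code> is the hardened form.</p>

```python
import sqlite3

# Constructed stand-in for the page's stories table, with the redundant
# `author` column dropped as the answer recommends.
SCHEMA = """
CREATE TABLE stories (
    id         INTEGER PRIMARY KEY,
    author_id  INTEGER NOT NULL,
    story_name TEXT NOT NULL,
    story      TEXT NOT NULL
);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def insert_interpolated(conn, session, form):
    """Vulnerable: builds the INSERT by string interpolation, like $sql on the page.
    The author id already comes from the session here; the text fields are the problem."""
    author_id = session["user"]["id"]
    sql = (
        "INSERT INTO stories (author_id, story_name, story) "
        f"VALUES ({author_id}, '{form['story_name']}', '{form['story']}')"
    )
    conn.execute(sql)
    conn.commit()


def insert_parameterized(conn, session, form):
    """Hardened: author id from the session (form['userid'] is ignored even if present),
    text fields passed as bound parameters so quotes in them can never close the literal."""
    conn.execute(
        "INSERT INTO stories (author_id, story_name, story) VALUES (?, ?, ?)",
        (session["user"]["id"], form["story_name"], form["story"]),
    )
    conn.commit()


def rows(conn):
    return conn.execute(
        "SELECT author_id, story_name, story FROM stories ORDER BY id"
    ).fetchall()


# Constructed session for the logged-in user (what $_SESSION['user'] would hold).
SESSION = {"user": {"id": 7, "name": "alice"}}

# Constructed attacker input: the hidden userid is tampered with, and the story text
# closes the string literal and the VALUES tuple, then appends a second row
# attributed to author_id 1 (someone else's account).
MALICIOUS_FORM = {
    "userid": "1",
    "story_name": "Harmless title",
    "story": "text'), (1, 'Forged', 'I am the admin",
}

# Constructed benign input containing an apostrophe: breaks the interpolated query
# with a syntax error, works fine with bound parameters.
BENIGN_FORM = {"story_name": "O'Neil's day", "story": "fine"}


def demo():
    """Returns (rows after the vulnerable insert, rows after the hardened insert)."""
    vuln = fresh_db()
    insert_interpolated(vuln, SESSION, MALICIOUS_FORM)
    safe = fresh_db()
    insert_parameterized(safe, SESSION, MALICIOUS_FORM)
    return rows(vuln), rows(safe)


def interpolated_breaks_on_quote():
    """True if a legitimate apostrophe makes the interpolated query fail."""
    try:
        insert_interpolated(fresh_db(), SESSION, BENIGN_FORM)
    except sqlite3.OperationalError:
        return True
    return False


def parameterized_keeps_quote():
    """The bound-parameter insert stores the apostrophe verbatim."""
    conn = fresh_db()
    insert_parameterized(conn, SESSION, BENIGN_FORM)
    return rows(conn)


if __name__ == "__main__":
    vuln_rows, safe_rows = demo()
    print("interpolated:", vuln_rows)   # two rows, the second forged as author_id 1
    print("parameterized:", safe_rows)  # one row, the payload stored as plain text
    print("quote breaks interpolated:", interpolated_breaks_on_quote())
    print("quote kept by parameterized:", parameterized_keeps_quote())
```

<p>The interpolated version ends up with two rows, one of them claiming <code>author_id = 1</code> from a single request by user 7; the parameterized version stores the whole payload as the story text of user 7, and the tampered <code>userid</code> field is never read at all. Bound parameters also handle the benign apostrophe case that a plain string-built query would choke on.</p>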