0

I have a page which basically allows an admin user to create manager user types (basically a register function). So when the values are submitted, they are stored into the DB, very very basic stuff. However, I have a hidden variable type. The reasons are I have 3 different user levels and I have declared their identification as an integer (e.g. 7 = manager, 8 = user etc.).

Can someone help me out with how to correctly pass this hidden value so it stores in the database...

Here is my form:

<form id="userreg" name="userreg" method="post" action="adduser-process.php"> 
<label>Full Name:</label> <input name="fullname" size="40" id="fullname" value="<?php if (isset($_POST['fullname'])); ?>"/>
    <br />
    <label>Username:</label> <input name="username" size="40" id="username" value="<?php if (isset($_POST['username'])); ?>"/>       <br />
    <label>Password:</label> <input name="password" size="40" id="password" value="<?php if (isset($_POST['password'])); ?>"/>        <br />
    <label>Email Address:</label> <input name="emailaddress" size="40" id="emailaddress" value="<?php if (isset($_POST['emailaddress'])); ?>"/> 
    <br />
    <input name="userlevel" type="hidden" size="1" id="userlevel" value="<?php $_POST[5]; ?>" /> <br />
    <input value="Add User" class="addbtn" type="submit" /> 
    </form></div>

Next, here is the script that runs the query:

    <?php 

require_once "config.php";


 $fullname = $_POST['fullname'];
 $username = $_POST['username'];
 $password = $_POST['password'];
 $emailaddress = $_POST['emailaddress'];
 $userlevel = $_POST[5];


 $sql = "INSERT INTO users_tb VALUES('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".$emailaddress."','".$userlevel."')";
 $result = mysql_query($sql, $connection)
  or die("MySQL Error: ".mysql_error());

 header("Location: administratorfrontview.php");
 exit();
 ?>  

I'm basically trying to pass the hidden type with a constant value of '5' just for this form, as it will not be changed... Also while I'm here, for some reason, the 'fullname' is not stored in the DB either!!?? WTH?? All other fields are processed fine. Any help is much appreciated! Thank you.

5
  • 4
    You really need to read up on SQL injection. Someone could easily compromise your website based on your code. Google "php sql injection". Commented Mar 12, 2010 at 19:55
  • Yes I know, I am going to be using JavaScript for validation, but I'm editing locally and trying to get the core part working first. But thanks anyway. Commented Mar 12, 2010 at 19:58
  • 4
    I would have defended you against the ol' "Read up on sql injection before you use this code" comment, until you said you were going to use javascript to validate. Please do as the man says. Commented Mar 12, 2010 at 20:03
  • I don't mean to nag, but I'd rather be a PITA than have you do this wrong. To be clear, Javascript validation is not foolproof. Someone with JS turned off could bypass it. In addition, that has nothing to do with this: Posts can be made from anywhere. Use PDO instead of mysql_ statements. Commented Mar 12, 2010 at 20:30
  • Ok I see, I am an absolute novice, but I will certainly be looking into SQL injection to fix this issue, thanks for the advice. Commented Mar 13, 2010 at 17:57

2 Answers

3

Two things. One, $userlevel should equal $_POST['userlevel'] not 5 as POST data isn't always in that order. Two, your insert statement should be preceded with the column names (to prevent any data from going in the wrong order).

$sql = "INSERT INTO users_tb (id, name, username, password, email, userlevel) ".
       "VALUES ('".$user_id."','".$fullname."','".$username."',MD5('".$password."'),'".
       $emailaddress."','".$userlevel."')";

2 Comments

Thanks for this, I now have the data being stored in the correct columns, but I still cannot get the user level to be stored... I have <?php echo $_POST[5]; ?> as the value of the hidden field, but it's just storing it as '0'!?
Well, what is being POSTed before this? Do you have another page POSTing data? If not, it will prob. come up as blank. And if your database field is an INTEGER and NOT NULL, then it will default to 0. I suggest finding something other than $_POST[5] to pass the user-level to the page (store it in a $_SESSION variable).
2

Your PHP for outputting the value is wrong. Use:

<?= $_POST[5]; ?>

or

<?php echo $_POST[5]; ?>

2 Comments

Don't forget to enable short_open_tags in your php.ini when using <?=$_POST[5] ?>.
The value of 5 is still not being stored in the database. I am using this one: <?php echo $_POST[5]; ?>
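
The comments under the question recommend PDO over mysql_ calls, and the follow-up to the first answer suggests not relying on a posted user level. The block below is an added example, not code from any poster on this page, that does both: it binds every form value through a prepared statement and sets the level on the server. Assumed for illustration: the column names from the first answer, the `MANAGER_LEVEL` constant, the hypothetical `addManager()` helper, an in-memory SQLite database in place of the real one, and `password_hash()` in place of `MD5()`.

```php
<?php
declare(strict_types=1);

const MANAGER_LEVEL = 5; // fixed by the server for this form, never by the client

// Hypothetical helper: insert one manager row. $post stands in for $_POST.
function addManager(PDO $pdo, array $post): int
{
    $fields = [];
    foreach (['fullname', 'username', 'password', 'emailaddress'] as $key) {
        $value = $post[$key] ?? '';
        if (!is_string($value) || trim($value) === '') {
            throw new InvalidArgumentException("Missing field: $key");
        }
        $fields[$key] = $value;
    }
    if (filter_var($fields['emailaddress'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO users_tb (name, username, password, email, userlevel)
         VALUES (:name, :username, :password, :email, :userlevel)'
    );
    $stmt->execute([
        ':name'      => $fields['fullname'],
        ':username'  => $fields['username'],
        ':password'  => password_hash($fields['password'], PASSWORD_DEFAULT),
        ':email'     => $fields['emailaddress'],
        ':userlevel' => MANAGER_LEVEL, // any $post['userlevel'] is ignored
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed demo: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users_tb (id INTEGER PRIMARY KEY, name TEXT,
    username TEXT, password TEXT, email TEXT, userlevel INTEGER)');

$id = addManager($pdo, [
    'fullname'     => "Pat O'Neil",        // a quote would break the concatenated query
    'username'     => 'pat',
    'password'     => 'constructed-sample',
    'emailaddress' => 'pat@example.com',
    'userlevel'    => '1',                 // tampered hidden field
]);
$row = $pdo->query('SELECT name, userlevel FROM users_tb')->fetch(PDO::FETCH_ASSOC);
var_dump($id, $row);
```

In a real handler the caller's admin status would be checked from the session before `addManager()` runs, and stored hashes would be checked at login with `password_verify()`.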
