How to insert my primary key under my signup table into my feedback table as a foreign key

Time: 08-14

How do I identify which users gave the feedback, as I have two different tables? I want to insert my signup id as a foreign key under my feedback table.

My two tables:

1. signup
2. feedback

signup
  signup_id (primary key)
  Username
  Password

feedback
  feedback_id (primary key)
  signup_id (foreign key)
  category
  feedback text
  rating

My Signup Code

<?php
include 'config.php';
if (isset($_POST['signup'])) {
    $email = $_POST['email'];
    $username = $_POST['username'];
    // MD5 is not a password hash (the answer below replaces it with password_hash)
    $password = md5($_POST['password']);
    $cpassword = md5($_POST['confirmpassword']);

    if ($password == $cpassword) {
        // user input is interpolated straight into the query string: SQL injection
        $sql = "INSERT INTO signup(email,username,password)VALUES('$email','$username','$password')";
        $result = mysqli_query($conn, $sql);
        if ($result) {
            // the new signup_id is never captured here, so feedback.php cannot reference it
            header("location: feedback.php");
        }
    }
}

My Feedback Code

<?php
include "config.php";
if(isset($_POST['submit'])){
    $category = $_POST['category'];
    $rating = $_POST['rating'];
    $feedbacktext = $_POST['feedback'];

    // signup_id is missing from the column list, and the values are again interpolated unescaped
    $sql = "INSERT INTO feedback(category,rating,feedbacktext)VALUES('$category','$rating','$feedbacktext')";
    $result = mysqli_query($conn,$sql);
}
?>

CodePudding user response:

There are some issues with your code that you should address, namely SQL injection and incorrect password hashing using MD5.

One method of using the last insert id from the signup routine would be to assign it to a session variable. As long as any pages visited after the signup also maintain that session, the ID will be available in that session variable. You could pass it in a query string, but that is ropey.

I tried to address the issues mentioned with the following: prepared statements replace the vulnerable SQL commands, and the password is hashed using password_hash.

signup

<?php
    # start a session to save the user id
    session_start();

    # we are only interested in proceeding if ALL these POST variables are present!
    if( isset(
        $_POST['email'],
        $_POST['username'],
        $_POST['password'],
        $_POST['confirmpassword']
    )) {

        include 'config.php';
        
        $email = $_POST['email'];
        $username = $_POST['username'];

        # strict comparison: both values arrive as strings from $_POST
        if( $_POST['password'] === $_POST['confirmpassword'] ) {

            # never use MD5 for password hashing. It is broken and not secure/reliable.
            # Use password_hash & password_verify!
            $hash = password_hash( $_POST['password'], PASSWORD_DEFAULT );
            
            # mitigate SQL injection by using a prepared statement
            $sql = "INSERT INTO `signup`( `email`, `username`, `password`) VALUES ( ?, ?, ? )";
            
            $stmt = $conn->prepare( $sql );
            $stmt->bind_param('sss', $email, $username, $hash );
            $stmt->execute();
            
            # save the insert id as a session variable to use after redirect.
            # this ensures the id is available when the next insert statement occurs
            # so long as the session is maintained on all pages following this.
            $_SESSION['uid'] = $stmt->insert_id;
            $stmt->close();
            
            # header() returns nothing, so send the redirect and then stop the script
            header("Location: feedback.php");
            exit;
        }
    }
?>

Feedback

<?php

    session_start();
    
    # again, only proceed if ALL required POST vars are present, not just the submit button!
    # $_SESSION['uid'] is the signup_id saved by the signup page; without it there is nothing to reference
    if( isset(
        $_POST['category'],
        $_POST['rating'],
        $_POST['feedback'],
        $_SESSION['uid']
    )){
        include "config.php";
        
        # create the basic sql with placeholders for the prepared statement bound parameters.
        $sql = "INSERT INTO `feedback` ( `signup_id`, `category`, `rating`, `feedbacktext` ) VALUES ( ?, ?, ?, ? )";
        # create the statement, bind the vars (signup_id as an integer, the rest as strings) and execute...
        $stmt = $conn->prepare( $sql );
        $stmt->bind_param('isss', $_SESSION['uid'], $_POST['category'], $_POST['rating'], $_POST['feedback'] );
        $stmt->execute();
        $stmt->close();
        
        # now what?....
    }
?>
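As an added example (not code from the question or the answer above), here is the same signup-then-feedback flow written in Python against sqlite3 so it runs stand-alone without a web server or MySQL: parameterized inserts, the new signup_id captured from the first insert and reused as the foreign key of the second, a join that answers "which user gave which feedback", and the database refusing a feedback row whose signup_id matches no user. The table and column names follow the question; the DDL itself, the integer rating with a CHECK, the PBKDF2 stand-in for PHP's password_hash, and the sample user are all assumptions constructed for this example.

```python
"""Added example: signup -> feedback foreign-key flow on sqlite3 (constructed, not the page's PHP)."""
import hashlib
import hmac
import os
import sqlite3

# Assumed schema: the question lists the columns but shows no CREATE TABLE.
SCHEMA = """
CREATE TABLE signup (
    signup_id INTEGER PRIMARY KEY AUTOINCREMENT,
    email     TEXT NOT NULL,
    username  TEXT NOT NULL UNIQUE,
    password  TEXT NOT NULL            -- holds a salted hash, never the password itself
);
CREATE TABLE feedback (
    feedback_id  INTEGER PRIMARY KEY AUTOINCREMENT,
    signup_id    INTEGER NOT NULL,
    category     TEXT NOT NULL,
    rating       INTEGER NOT NULL CHECK (rating BETWEEN 1 AND 5),
    feedbacktext TEXT NOT NULL,
    FOREIGN KEY (signup_id) REFERENCES signup(signup_id)
);
"""

PBKDF2_ROUNDS = 200_000


def open_db():
    conn = sqlite3.connect(":memory:")
    # sqlite ignores FOREIGN KEY clauses unless this pragma is on (MySQL/InnoDB enforces them by default)
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 as a stand-in for password_hash(); format is 'salthex$digesthex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Stand-in for password_verify(): recompute with the stored salt, compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def signup(conn, email, username, password, confirm):
    """Mirrors the signup page: returns the new signup_id (what the answer stores in $_SESSION['uid'])."""
    if password != confirm:
        raise ValueError("passwords do not match")
    cur = conn.execute(
        "INSERT INTO signup (email, username, password) VALUES (?, ?, ?)",  # placeholders, no interpolation
        (email, username, hash_password(password)),
    )
    conn.commit()
    return cur.lastrowid  # equivalent of mysqli_stmt::$insert_id


def add_feedback(conn, signup_id, category, rating, text):
    """Mirrors the feedback page: the signup_id carried over from signup becomes the foreign key."""
    cur = conn.execute(
        "INSERT INTO feedback (signup_id, category, rating, feedbacktext) VALUES (?, ?, ?, ?)",
        (signup_id, category, rating, text),
    )
    conn.commit()
    return cur.lastrowid


def feedback_by_user(conn):
    """Answers 'which users gave the feedback': join the two tables on the foreign key."""
    return conn.execute(
        "SELECT s.username, f.category, f.rating, f.feedbacktext "
        "FROM feedback f JOIN signup s ON s.signup_id = f.signup_id "
        "ORDER BY f.feedback_id"
    ).fetchall()


def orphan_feedback_rejected(conn, bad_signup_id):
    """True if the database refuses a feedback row whose signup_id has no matching signup row."""
    try:
        add_feedback(conn, bad_signup_id, "bug", 1, "orphan row")
    except sqlite3.IntegrityError:  # FOREIGN KEY constraint failed
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    uid = signup(db, "alice@example.com", "alice", "hunter2", "hunter2")  # constructed sample user
    add_feedback(db, uid, "feature", 4, "works well")
    print(feedback_by_user(db))
    print(orphan_feedback_rejected(db, 9999))
```

In the PHP version the value returned by signup() is exactly what lives in $_SESSION['uid'] between the two requests; here the two calls happen in one process, so the id is simply passed along. The orphan check is the part MySQL gives you for free once the foreign key constraint exists on the feedback table: a feedback row can only ever point at a real signup row.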