How do I identify which users gave the feedback, as I have two different tables? I want to insert my signup id as a foreign key in my feedback table.
My two tables:

1. signup
   - signup_id as a primary key
   - Username
   - Password

2. feedback
   - feedback_id as a primary key
   - signup_id as a foreign key
   - category
   - feedback text
   - rating
My Signup Code
<?php
include 'config.php';
if (isset($_POST['signup'])) {
    $email = $_POST['email'];
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $cpassword = md5($_POST['confirmpassword']);
    if ($password == $cpassword) {
        $sql = "INSERT INTO signup(email,username,password) VALUES('$email','$username','$password')";
        $result = mysqli_query($conn, $sql);
        if ($result) {
            header("location: feedback.php");
        }
    }
}
My Feedback Code
<?php
include "config.php";
if (isset($_POST['submit'])) {
    $category = $_POST['category'];
    $rating = $_POST['rating'];
    $feedbacktext = $_POST['feedback'];
    $sql = "INSERT INTO feedback(category,rating,feedbacktext) VALUES('$category','$rating','$feedbacktext')";
    $result = mysqli_query($conn, $sql);
}
?>
CodePudding user response:
There are some issues with your code that you should address, namely SQL injection and incorrect password hashing using MD5.

One method of using the last insert id from the signup routine would be to assign it to a session variable. As long as any pages visited after the signup also maintain that session, the ID will be available in that session variable. You could pass it in a querystring, but that is ropey.

I tried to address the issues mentioned with the following: prepared statements replace the vulnerable SQL commands, and the password is hashed using password_hash.
signup
<?php
# start a session to save the user id
session_start();
# we are only interested in proceeding if ALL these POST variables are present!
if (isset(
    $_POST['email'],
    $_POST['username'],
    $_POST['password'],
    $_POST['confirmpassword']
)) {
    include 'config.php';
    $email = $_POST['email'];
    $username = $_POST['username'];
    # never use MD5 for password hashing. It is broken and not secure/reliable.
    # Use password_hash & password_verify!
    $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
    if ($_POST['password'] == $_POST['confirmpassword']) {
        # mitigate SQL injection by using a prepared statement
        $sql = "INSERT INTO `signup` (`email`, `username`, `password`) VALUES (?, ?, ?)";
        $stmt = $conn->prepare($sql);
        if ($stmt === false) {
            # prepare() returns false on a bad statement; do not continue with it
            die('prepare failed: ' . $conn->error);
        }
        $stmt->bind_param('sss', $email, $username, $hash);
        $stmt->execute();
        # save the insert id as a session variable to use after redirect.
        # this ensures the id is available when the next insert statement occurs
        # so long as the session is maintained on all pages following this.
        $_SESSION['uid'] = $stmt->insert_id;
        $stmt->close();
        # header() returns nothing, so send the redirect first and then stop the script
        header("Location: feedback.php");
        exit;
    }
}
?>
Feedback
<?php
session_start();
# again, only proceed if ALL required POST vars are present, not just the submit button!
if (isset(
    $_POST['category'],
    $_POST['rating'],
    $_POST['feedback'],
    $_SESSION['uid']
)) {
    include "config.php";
    # create the basic sql with placeholders for the prepared statement bound parameters.
    $sql = "INSERT INTO `feedback` (`signup_id`, `category`, `rating`, `feedbacktext`) VALUES (?, ?, ?, ?)";
    # create the statement, bind the vars and execute...
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        die('prepare failed: ' . $conn->error);
    }
    # signup_id is an integer column, so bind it with 'i' rather than 's'
    $stmt->bind_param('isss', $_SESSION['uid'], $_POST['category'], $_POST['rating'], $_POST['feedback']);
    $stmt->execute();
    $stmt->close();
    # now what?....
}
?>
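The pieces of the answer above (session-stored insert id, prepared statements, password_hash) shown end to end as one script, together with the table definitions and the JOIN that actually answers "which user wrote which feedback". This is an added example, not code from the question or the answer: it assumes a reachable MySQL/MariaDB server, and the host, user, password and database name are placeholders to replace. The FOREIGN KEY on feedback.signup_id is the part the original code leaves out; with it in place, the database itself rejects feedback rows that do not belong to an existing signup row, as the last block demonstrates.

```php
<?php
// Added example (not from the question or the answer): full round trip for the two tables.
// Assumptions: MySQL/MariaDB reachable with the placeholder credentials below.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any mysqli failure
$conn = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$conn->set_charset('utf8mb4');

// Schema: feedback.signup_id references signup.signup_id, so the link between the
// two tables is enforced by the database rather than trusted from the application.
$conn->query("CREATE TABLE IF NOT EXISTS signup (
    signup_id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    email     VARCHAR(255) NOT NULL,
    username  VARCHAR(64)  NOT NULL,
    password  VARCHAR(255) NOT NULL
) ENGINE=InnoDB");
$conn->query("CREATE TABLE IF NOT EXISTS feedback (
    feedback_id  INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    signup_id    INT UNSIGNED NOT NULL,
    category     VARCHAR(64)  NOT NULL,
    rating       TINYINT UNSIGNED NOT NULL,
    feedbacktext TEXT NOT NULL,
    CONSTRAINT fk_feedback_signup FOREIGN KEY (signup_id)
        REFERENCES signup (signup_id) ON DELETE CASCADE
) ENGINE=InnoDB");

// Insert a user with a password_hash() digest and return the new signup_id
// (this is the value the answer keeps in $_SESSION['uid']).
function createUser(mysqli $conn, string $email, string $username, string $password): int
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("INSERT INTO signup (email, username, password) VALUES (?, ?, ?)");
    $stmt->bind_param('sss', $email, $username, $hash);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Insert a feedback row tied to a signup_id; the id is bound as an integer ('i').
function addFeedback(mysqli $conn, int $signupId, string $category, int $rating, string $text): int
{
    if ($rating < 1 || $rating > 5) {
        throw new InvalidArgumentException('rating must be between 1 and 5');
    }
    $stmt = $conn->prepare("INSERT INTO feedback (signup_id, category, rating, feedbacktext) VALUES (?, ?, ?, ?)");
    $stmt->bind_param('isis', $signupId, $category, $rating, $text);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// The JOIN that identifies which user wrote each piece of feedback.
function feedbackWithAuthors(mysqli $conn): array
{
    $rows = $conn->query("SELECT f.feedback_id, s.username, f.category, f.rating, f.feedbacktext
                          FROM feedback f
                          JOIN signup s ON s.signup_id = f.signup_id
                          ORDER BY f.feedback_id");
    return $rows->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample run.
$uid = createUser($conn, 'alice@example.com', 'alice', 'correct horse battery staple');
addFeedback($conn, $uid, 'usability', 4, 'Works, but the form resets on error.');
foreach (feedbackWithAuthors($conn) as $row) {
    printf("#%d by %s [%s, %d/5]: %s\n",
        $row['feedback_id'], $row['username'], $row['category'], $row['rating'], $row['feedbacktext']);
}

// A feedback row for a signup_id that does not exist is refused by the foreign key.
try {
    addFeedback($conn, 999999, 'bug', 1, 'orphan row');
} catch (mysqli_sql_exception $e) {
    echo "rejected by foreign key: " . $e->getMessage() . "\n";
}
```

Turning on MYSQLI_REPORT_STRICT is what makes the last block work: without it, a failed execute() returns false silently and the orphan row is simply never written, which is much harder to notice than an exception. The same setting also surfaces a failed prepare() instead of leaving $stmt as false.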