Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
Splitting a form across multiple pages
Best way to keep all info together in DB
Argblat




msg:1306562
 2:00 am on Sep 12, 2005 (gmt 0)

Hi all,

I'm looking for some advice and/or best practices to accomplish the following task.

I have a web form that users will complete and submit to be saved to a database [php/mysql]. The problem is that I need to split up the rather large form into three separate pages. When the user submits the first section, the database will auto-generate a unique id for that row...

How do I then obtain that unique id from the database on the submit, in order to pass it to the next page, in order that I insert the information from page two into the same row as the information from page 1?

I hope that you all can understand my dilemma. Any help will be greatly appreciated.

Thank you in advance,
Mike

 

orion_rus




msg:1306563
 5:51 am on Sep 12, 2005 (gmt 0)

It's very hard well realisable thing, I think you should use PEAR! Maybe you know something about it - try to visit pear.php.net and you'll get all your answers
Good luck to you!

R e b r a n d t




msg:1306564
 8:11 am on Sep 12, 2005 (gmt 0)

[php.net...]

omoutop




msg:1306565
 8:16 am on Sep 12, 2005 (gmt 0)

Hi mike,
I had the same dilemma...I had to submit a form split into 3 steps with 3 different forms....SO:
in the first one the unique ID is generated...this ID should be the latest one since the mysql ID field is unique and auto incremented...so, before going to step 2, right after u have submitted the first form (u must have an intermediate page saying results ok or something like this....and a link to proceed to step 2) u must retrieve the latest ID which is actually the ID u need...and u must pass it to the next step as a variable in your url.....like:
<?php
////retrieve url//////////
$queryID = "select Max(ID) as ID from Hotels";
$resultID = mysql_query($queryID);
$rowID = mysql_fetch_assoc($resultID);

$ID = $rowID['ID'];
/////////////////////////////////
////pass it to next form (values are URL-encoded before output)//////////
?>
<p><strong>Please proceed to <a href="hotels2.php?name=<?php echo urlencode($name) ?>&amp;ID=<?php echo urlencode($ID) ?>">STEP 2</a> </strong></p>

............in steps 2 and 3 u just update the row of the database according to the ID....

Hope it is clear....if u need clarifications plz post....

bomburmusicmallet




msg:1306566
 2:15 pm on Sep 12, 2005 (gmt 0)

not the greatest idea to simply get the max id in a database. there is a mysql function to do this for you:

//process query
$result = mysql_query($query);
if ($result)
{$newID = mysql_insert_id();}

then just use that $newID in your update functions to put the rest of the data into the database

hth, jenny

coopster




msg:1306567
 3:07 pm on Sep 12, 2005 (gmt 0)

Right, MAX() is not a good idea, you may get unexpected results at some point. Here is a previous discussion that is quite similar and explains why:

Getting the id of the last entered record [webmasterworld.com]

DontheCat




msg:1306568
 10:09 am on Sep 13, 2005 (gmt 0)

I have a doubt on this and I couldn't find the answer in any forum.

Assuming that several users are filling in the form at the same time, then which ID would the mysql_insertID function return? Or would it just return the ID inserted by that particular user?

Argblat




msg:1306569
 1:20 pm on Sep 13, 2005 (gmt 0)

While I haven't had a chance to test this method just yet (I will tonight), I do share the concern over simply selecting the last index AND with DonTheCat about how this method will function under heavy load and the possibility of many entries within very short time periods.

Can anyone quell this with a more in depth explanation of mysql_insert_id?



charlier




msg:1306570
 1:41 pm on Sep 13, 2005 (gmt 0)

It should not be a problem, it is tied to the connection and each php instance will generate its own connection. To be safe use the optional LINK argument as that is sure to be different for each instance of php.

From the mysql documentation:

"The last ID that was generated is maintained in the server on a per-connection basis. This means the value the function returns to a given client is the most recent AUTO_INCREMENT value generated by that client. The value cannot be affected by other clients, even if they generate AUTO_INCREMENT values of their own. This behavior ensures that you can retrieve your own ID without concern for the activity of other clients, and without the need for locks or transactions."

For more info:
http://www.php.net/manual/en/function.mysql-insert-id.php

Argblat




msg:1306571
 2:37 pm on Sep 14, 2005 (gmt 0)

Ok, the mysql_insert_id() function is working perfectly and I thank you all for your input on that.

I now have a new question regarding security based on this. As you already know, I'm trying to create a form that spans across two pages. I'm using the mysql_insert_id() function to get the unique ID created from the insert on the first page in order that I can do a sql update on the second page and keep all the information for the two page form in one record in the database.

Therefore, the sql statement on page two is something like 'UPDATE SET VAR1 = $VAR1, VAR2 = $VAR2 WHERE id = $id'

Here is what I need to know,

I obviously can't use a querystring to pass the id obtained using mysql_insert_id() from page 1 to page 2. This is because anyone could change the querystring id to x and update row x in my database.

I run into the problem here of not knowing the best practice to hide this information as I pass it from part 1 to part 2 in order to make it impossible for the end user (of whatever skill level) to modify it and start screwing up my database.

My initial thoughts lead me to think that I could use Posting (as opposed to GET), Session variable, or cookies.

What is the best practice/path for me to take to secure this process?

Thank you
Mike

Angelis




msg:1306572
 2:38 pm on Sep 14, 2005 (gmt 0)

Could you not use a cookie?

charlier




msg:1306573
 7:19 pm on Sep 23, 2005 (gmt 0)

If the information is not 'critical', i.e. would result in a big loss if someone did try to subvert your script, you could just use a verification code and pass the data via GET or POST. Both are hackable but you can at least detect the hacking. To do that you could create a second hidden variable to pass with your insert id using md5. So $verify = md5($theid . $mysecret). Then when the data comes back from the second form you repeat the md5 calculation with the returned id and your secret; if it matches the returned $verify then you know the data is valid.

However using the php session management code is much simpler if your host allows it.
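
The verification-code idea from the post above, as an added example that is not part of the original thread. It swaps the plain md5 of id plus secret for an HMAC-SHA256 compared in constant time; `FORM_SECRET`, `sign_row_id` and `verify_row_id` are hypothetical names and the id is a constructed sample.

```php
<?php
// Added example: sign the row id passed between form pages, then verify it.
// FORM_SECRET is a constructed placeholder; keep the real key in server-side config.
const FORM_SECRET = 'constructed-demo-key-not-for-production';

// Build the value to put in a hidden field or query string: "<id>.<mac>".
function sign_row_id(int $id, string $secret): string
{
    // The "row-id:" prefix ties the MAC to this one purpose, so a MAC made
    // for another field with the same key cannot be reused here.
    return $id . '.' . hash_hmac('sha256', 'row-id:' . $id, $secret);
}

// Return the id if the token is intact, or null if any part was altered.
function verify_row_id(string $token, string $secret): ?int
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null; // missing MAC or non-numeric id
    }
    // Recompute over the exact id string received, not a normalised form.
    $expected = hash_hmac('sha256', 'row-id:' . $parts[0], $secret);
    // hash_equals compares in constant time, unlike == or strcmp.
    return hash_equals($expected, $parts[1]) ? (int) $parts[0] : null;
}

$token    = sign_row_id(42, FORM_SECRET);   // what page 1 hands to page 2
$tampered = '43' . substr($token, 2);       // visitor edits the id, keeps the MAC

var_dump(verify_row_id($token, FORM_SECRET));    // untouched token
var_dump(verify_row_id($tampered, FORM_SECRET)); // id changed, MAC no longer matches
var_dump(verify_row_id('42', FORM_SECRET));      // MAC stripped entirely
```

The MAC only shows that the server issued that id; it does not tie the id to one visitor, which is what the session-based approach adds.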

chadmg




msg:1306574
 8:38 pm on Sep 23, 2005 (gmt 0)

The best method is to store the form results in a session variable and then when the user submits the last page of the form, send all of the data to the database at once. Shopping carts and checkout processes work in this manner. That way you won't get partial submissions as well. Like if I only make it through page 2 out of 3.

You may also want to unset the session variable after you send the data to the database so it doesn't submit again if the user refreshes the page or if they do the form over again.

The above method also protects against things like if someone submits the form on page 1 and goes to page 2. Then hits the back button and submits the form on page 1 again, you don't want to create a new entry in the database. Think of scenarios like this when error protecting your pages.

Argblat




msg:1306575
 3:27 pm on Oct 5, 2005 (gmt 0)

I'd like to revisit this topic since I've been working on it some more, and I think that I have come up with a solution, and would appreciate input.

here's a synopsis of the problem:
I have a form that I need to split over 2 pages, but the data needs to remain as 1 row in the database. I DO want to collect partial data (i.e. I DO want page 1, even if they don't complete page 2) so Page 1 needs to be a mysql Insert, and Page 2 an Update.

My solution was to do the following:

On page 1 the user fills out the form and clicks submit.
Php inserts the user input data into the table along with the sessionID variable and a timestamp
Mysql/php returns the row # for the insert, which I then pass to page 2 of the form via querystring

On page 2 the user fills out more form data and clicks submit.
I then use the querystring id to read the sessionID variable from the db and compare it to the current sessionID variable. This way, someone can't randomly change the querystring id and start updating rows that don't belong to them (the issue I'm trying to avoid).

Barring this description making no sense to anyone but me, I would love to know what the experts in this forum think of my solution methodology.

Thank you,
Mike
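
One way to implement the session check described in the post above, as an added example that is not code from the thread. It assumes PDO with prepared statements, uses an in-memory SQLite database as a stand-in for MySQL, and the table, column and function names are hypothetical.

```php
<?php
// Added example: page 1 INSERT and page 2 UPDATE bound to the visitor's session.
// SQLite in memory stands in for MySQL; table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    session_id TEXT NOT NULL,
    created_at INTEGER NOT NULL,
    name TEXT,
    phone TEXT
)');

// Page 1: store the partial record together with the session id and a timestamp.
function save_page_one(PDO $db, string $sessionId, string $name): int
{
    $stmt = $db->prepare(
        'INSERT INTO submissions (session_id, created_at, name) VALUES (?, ?, ?)'
    );
    $stmt->execute([$sessionId, time(), $name]);
    // Tracked per connection, like mysql_insert_id(): other clients cannot affect it.
    return (int) $db->lastInsertId();
}

// Page 2: the ownership test lives in the WHERE clause, so an id taken from the
// query string that belongs to another session matches no row at all.
function save_page_two(PDO $db, string $sessionId, int $id, string $phone): bool
{
    $stmt = $db->prepare(
        'UPDATE submissions SET phone = ? WHERE id = ? AND session_id = ?'
    );
    $stmt->execute([$phone, $id, $sessionId]);
    return $stmt->rowCount() === 1;
}

// Constructed session ids; on a real page these come from session_id().
$aliceId = save_page_one($db, 'sess-alice', 'Alice');
$bobId   = save_page_one($db, 'sess-bob', 'Bob');

$own     = save_page_two($db, 'sess-alice', $aliceId, '555-0100');
$foreign = save_page_two($db, 'sess-alice', $bobId, '555-0199'); // edited query string
printf("own row updated: %s, other row updated: %s\n",
    var_export($own, true), var_export($foreign, true));
```

Binding every value as a parameter also keeps the form input out of the SQL text, which the string-built UPDATE earlier in the thread does not do.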

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved