It's very hard well realisable thing, i think you should use a pear! may be you know something about it - try to visit pear.php.net and you get all your answers
Good luck to you!

[php.net...]

Hi mike,
I had the same dilemma...I had to submit a form splitted in to 3 steps with 3 different forms....SO:
in the first one the unique ID is generated...this ID should be the latest one since the mysql ID field is unique and auto incremented...so, bofere going to step 2, right after u have submitted the first form (u must have an intermediate page saying results ok or something like this....and a link to proceed to step 2) u must retrieve the latest ID which is actually the ID u need...and u must pass it to the next step as a variable in your url.....like:
////retrieve url//////////
$queryID = "select Max(ID) as ID from Hotels";
$resultID = mysql_query($queryID);
$rowID = mysql_fetch_assoc($resultID);

$ID = $rowID ['ID'];
/////////////////////////////////
////pass it to next form//////////
<p><strong>Please procceed to <a href="hotels2.php?name=<? echo $name?>&ID=<? echo $ID?>">STEP 2</a> </strong></p>

............in steps 2 and 3 u just update the row of the database accordingto the ID....

Hope it is clear....if u need clarfications plz post....

not the greatest idea to simply get the max id in a database. there is a mysql function to do this for you:

//process query
$result = mysql_query($query);
if ($result)
{$newID = mysql_insert_id();}

then just use that $newID in your update functions to put the rest of the data into the database

hth, jenny

Right, MAX() is not a good idea, you may get unexpected results at some point. Here is a previous discussion that is quite similar and explains why:

Getting the id of the last entered record [webmasterworld.com]

I have a doubt on this and I couldn't find the answer in any forum.

Assuming that several users are filling in the form at the same time, then which ID would the mysql_insertID function return? Or would it just return the ID inserted by that particular user?

While I haven't had a chance to test this method just yet (I will tonight), I do share the concern over simply selecting the last index AND with DonTheCat about how this method will function under heavy load and the possibility of many entries within very short time periods.

Can anyone quell this with a more in depth explanation of mysql_insert_id?

I have a doubt on this and I couldn't find the answer in any forum.

Assuming that several users are filling in the form at the same time, then which ID would the mysql_insertID function return? Or would it just return the ID inserted by that particular user?

It should not be a problem, it is tied to the connection and each php instance will generate its own connection. To be safe use the optional LINK argument as that is sure to be different for each instance of php.

From the mysql documentation:

"The last ID that was generated is maintained in the server on a per-connection basis. This means the value the function returns to a given client is the most recent AUTO_INCREMENT value generated by that client. The value cannot be affected by other clients, even if they generate AUTO_INCREMENT values of their own. This behavior ensures that you can retrieve your own ID without concern for the activity of other clients, and without the need for locks or transactions."

For more info:
http: //www.php.net/manual/en/function.mysql-insert-id.php

Ok, the mysql_insert_id() Function is working perfectly and I thank you all for you input on that.

I now have a new question regarding security based on this. As you already know, I'm trying to create a form that spans across two pages. I'm using the mysql_insert_id() function to get the unique ID created from the insert on the first page in order that I can do a sql update on the second page and keep all the information for the two page form in one record in the database.

Therefore, the sql statement on page two is something like 'UPDATE SET VAR1 = $VAR1, VAR2 = $VAR2 WHERE id = $id'

Here is what I need to know,

I obviously can't use a querystring to pass the id obtained using mysql_insert_id() from page 1 to page 2. This is because anyone could change the querystring id to x and update row x in my database.

I run into the problem here of not knowing the best practice to hide this information as I pass it from part 1 to part 2 in order to make it impossible for the end user (of whatever skill level) to modify it and start screwing up my database

My initial thoughts lead me to think that I could use Posting (as opposed to GET), Session variable, or cookies.

What is the best practice/path for me to take to secure this process?

Thank you
Mike

Could you not use a cookie?

If the information is not 'critical' ie would result in a big loss if someone did try to subvert your script you could just use a verification code and pass the data via GET or POST. Both are hackable but you can at least detect the hacking. To do that you could create a second hidden variable to pass with your insert id using md5. So $verify = md5($theid + $mysecret). Then when the data comes back from the second form you repeat the md5 cacluation with the returned id and your secret, if it matches the returned $verify then you know the data is valid.

However using the php session management code is much simpler if your host allows it.

The best method is to store the form results in a session variable and then when the user submits the last page of the form, send all of the data to the database at once. Shopping carts and checkout processes work in this manner. That way you won't get partial submissions as well. Like if I only make it through page 2 out of 3.

You may also want to unset the session variable after you send the data to the database so it doesn't submit again if the user refreshes the page or if they do the form over again.

The above method also protects against things like if someone submits the form on page 1 and goes to page 2. Then hits the back button and submits the form on page 1 again, you don't want to create a new entry in the database. Think of scenarios like this when error protecting your pages.

I'd like to revisit this topic since I've been working on it some more, and I think that I have come up with a solution, and would appreciate input

here's a synopsis of the problem:
I have a form that I need to split over 2 pages, but the data needs to remain as 1 row in the database. I DO want to collect partial data (i.e. I DO want page 1, even if they don't complete page 2) so Page 1 needs to be a mysql Insert, and Page 2 an Update.

My solution was to do the following:

On page 1 the user fills out the form and clicks submit.
Php inserts the user input data into the table along with the sessionID variable and a timestamp
Mysql/php returns the row # for the insert, which I then pass to page 2 of the form via querystring

On page 2 the user fills out more form data and clicks submit.
I then use the querystring id to read the sessionID variable from the db and compare it to the current sessionID variable. This way, someone can't randomly change the querystring id and start updating rows that dont' belong to them (the issue i'm trying to avoid).

Barring this description making no sense to anyone but me, I would love to know what the experts in this form think of my solution methodology.

Thank you,
Mike