Shaani
(Aziz Zee)
September 11, 2012, 8:02am
1
public function actionSavesearch()
{
    $searchresult = Yii::app()->db->createCommand()->insert('usersearch', array(
        'userid'      => $_SESSION['UserID'],
        'queryName'   => $_GET['txtName'],
        'queryString' => $_SESSION['QueryString'],
    ));
    $this->redirect($_SESSION['QueryString']);
}
<form id="SaveSearchForm" action="<?php echo Yii::app()->createUrl('site/savesearch'); ?>" onsubmit="return ValidateThisForm();">
<div class="form" style="padding:0px 0px 0px 25px;width:540px;">
<div class="errordiv" id="nameError" style="display:none;padding:0px;">Name address already exists.</div>
<div class="enquiry-text">Search Name</div>
<div class="enquiry-input-area"><?php echo CHtml::textField('txtName', '', array('class'=>"enquiry-input", 'id'=>"txtName")); ?></div>
<div class="enquiry-clear" style="padding-bottom:24px;"></div>
<div class="enquiry-text"> </div>
<?php echo CHtml::imageButton(Yii::app()->request->baseUrl . '/images/submit.gif', array('title'=>"Save my search")); ?>
</div>
</form>
On clicking save search, 21 rows are inserted in the usersearch table with NULLs in the userId and queryString columns. The queryName column gets the correct entry.
Are you sure that $_SESSION['UserID'] and $_SESSION['QueryString'] are defined?
Shaani
(Aziz Zee)
September 11, 2012, 8:28am
3
$_SESSION['QueryString'] gets defined in the search view if the user is logged in; otherwise the user is directed to the login page.
<?php if(Yii::app()->user->isGuest==false)
{
$_SESSION["QueryString"] = $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; ?>
<a class="services" href="<?php echo Yii::app()->createUrl('site/displaysavesearch'); ?>" title="Save your search"><img src="<?php echo Yii::app()->request->baseUrl; ?>/images/save_searches.png" alt="Save your search" /><span style="font-size: 11px; position: relative; top:-3px; margin-left:5px;">Save This Listing</span></a>
<?php }
else
{
$searchurl = end(split('/', $_SERVER['REQUEST_URI']));
$_SESSION["Search"] = $searchurl; ?>
<a href="<?php echo Yii::app()->createUrl('site/login'); ?>" title="Save your search"><img src="<?php echo Yii::app()->request->baseUrl; ?>/images/save_searches.png" alt="Save your search" /><span style="font-size: 11px; position: relative; top:-3px; margin-left:5px;">Save This Listing</span></a>
<?php } ?>
and $_SESSION['UserID'] gets defined when the user logs in. In actionLogin:
if(isset($_POST['LoginForm']))
{
    $model->attributes = $_POST['LoginForm'];
    if($model->validate() && $model->login()){
        $query = yii::app()->db->createcommand()->select('userregistration.*')
            ->from('userregistration')
            ->where("email='".$_POST[LoginForm][email]."' and password='".$_POST[LoginForm][password]."'")
            ->query();
        foreach($query as $result)
            $_SESSION["UserdID"] = $result['id'];
        if(isset($_SESSION["Search"]) && $_SESSION["Search"]!= null){
            $this->redirect(array($_SESSION["Search"]));
        }
        else $this->redirect(Yii::app()->user->returnUrl);
    }
}
Shaani
(Aziz Zee)
September 11, 2012, 8:32am
4
->where("email='".$_POST[LoginForm][email]."' and password='".$_POST[LoginForm][password]."'")
Is $_POST[LoginForm][email] incorrect syntax?
$model=new LoginForm('login');
if(isset($_POST['LoginForm']))
{
Keith
(Kburton)
September 11, 2012, 8:51am
5
Wow, you’ve got a wide open SQL injection vulnerability there, unless the user name and password are thoroughly restricted in the model. Look into using parameterized queries before you worry about anything else.
Also, the syntax is technically incorrect and will cause PHP errors depending on how your PHP is configured. You should use strings to access the POST array, such as $_POST['LoginForm'].
Edit:
For your information, setting up a parameterized query might look something like this:
$query = yii::app()->db->createcommand()
    ->select('userregistration.*')
    ->from('userregistration')
    ->where('email=:email and password=:password')
    ->params(array(
        ':email'    => $_POST['LoginForm']['email'],
        ':password' => $_POST['LoginForm']['password'],
    ))
    ->query();
Shaani
(Aziz Zee)
September 12, 2012, 9:18am
6
Keith:
Wow, you’ve got a wide open SQL injection vulnerability there, unless the user name and password are thoroughly restricted in the model. Look into using parameterized queries before you worry about anything else.
Also, the syntax is technically incorrect and will cause PHP errors depending on how your PHP is configured. You should use strings to access the POST array, such as $_POST['LoginForm'].
Edit:
For your information, setting up a parameterized query might look something like this:
$query = yii::app()->db->createcommand()
    ->select('userregistration.*')
    ->from('userregistration')
    ->where('email=:email and password=:password')
    ->params(array(
        ':email'    => $_POST['LoginForm']['email'],
        ':password' => $_POST['LoginForm']['password'],
    ))
    ->query();
I’m getting this error on login
CDbCommand and its behaviors do not have a method or closure named "params".
Keith
(Kburton)
September 12, 2012, 9:25am
7
My mistake, params is a property.
You can pass parameters in as the single argument to query():
$query = Yii::app()->db->createCommand()
    ->select('userregistration.*')
    ->from('userregistration')
    ->where('email=:email and password=:password')
    ->query(array(
        ':email'    => $_POST['LoginForm']['email'],
        ':password' => $_POST['LoginForm']['password'],
    ));
Slightly cleaner:
$query = Yii::app()->db->createCommand()
    ->select('userregistration.*')
    ->from('userregistration')
    ->where('email=:email and password=:password');
$params = array(
    ':email'    => $_POST['LoginForm']['email'],
    ':password' => $_POST['LoginForm']['password'],
);
$query->query($params);
or:
$query = Yii::app()->db->createCommand()
    ->select('userregistration.*')
    ->from('userregistration')
    ->where('email=:email and password=:password');
$query->params = array(
    ':email'    => $_POST['LoginForm']['email'],
    ':password' => $_POST['LoginForm']['password'],
);
$query->query();
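The following is an added, self-contained example that is not code from this thread or from Yii itself. It puts the concatenated login lookup from post 3 beside the parameterized form Keith recommends in posts 5 and 7, and runs both against an in-memory SQLite database through PDO (an assumption standing in for Yii 1's CDbCommand so the script runs offline; in Yii the same placeholders go into ->where() and the same array into query()). Two details from the thread are carried over deliberately: the sample address contains an apostrophe, which is ordinary user data yet breaks the concatenated query before any attacker is involved, and the session key for the user id is held in one constant, because the login code in post 3 writes $_SESSION["UserdID"] while actionSavesearch in post 1 reads $_SESSION['UserID'], which is consistent with the NULL userid rows reported at the top of the thread. The $session array and the table layout are constructed for the example; the password column is compared as stored, exactly as the thread's query does.

```php
<?php
// Added example, not from the thread or from Yii. PDO + in-memory SQLite stand in
// for Yii 1's CDbCommand so that this runs offline.

// One constant for the session key: login writes it, save-search reads it.
const SESSION_USER_ID = 'UserID';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userregistration (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$db->exec('CREATE TABLE usersearch (userid INTEGER, queryName TEXT, queryString TEXT)');

// Constructed sample row. The apostrophe in the address is legitimate input.
$db->prepare('INSERT INTO userregistration (email, password) VALUES (?, ?)')
   ->execute(["o'brien@example.com", 'secret']);

// Vulnerable form, as in post 3: user-supplied values are concatenated into the SQL text.
function findUserConcat(PDO $db, string $email, string $password): ?array
{
    $sql = "SELECT * FROM userregistration WHERE email='" . $email
         . "' AND password='" . $password . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form, as in posts 5 and 7: named placeholders, values bound separately,
// so the database never re-parses user data as SQL.
function findUserParams(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM userregistration WHERE email = :email AND password = :password'
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// The save-search insert, parameterized the same way. It refuses to run when the
// session does not carry a user id, instead of silently inserting NULL.
function saveSearch(PDO $db, array $session, string $queryName): int
{
    if (!isset($session[SESSION_USER_ID])) {
        throw new RuntimeException('no logged-in user id in session; refusing to insert NULL userid');
    }
    $stmt = $db->prepare(
        'INSERT INTO usersearch (userid, queryName, queryString) VALUES (:userid, :name, :qs)'
    );
    $stmt->execute([
        ':userid' => $session[SESSION_USER_ID],
        ':name'   => $queryName,
        ':qs'     => $session['QueryString'] ?? '',
    ]);
    return $stmt->rowCount();
}

// Constructed stand-in for $_SESSION so the script needs no session_start().
$session = [];
$email   = "o'brien@example.com";

try {
    findUserConcat($db, $email, 'secret');
} catch (PDOException $e) {
    // The quote in the address terminates the string literal: a syntax error on valid input,
    // and the same mechanism an injected value would use.
    echo "concatenated query failed on a legitimate address: " . $e->getMessage() . PHP_EOL;
}

$user = findUserParams($db, $email, 'secret');
echo "parameterized lookup found user id " . $user['id'] . PHP_EOL;

// Store the id under the same key the save action reads, then save a search.
$session[SESSION_USER_ID] = $user['id'];
$session['QueryString']   = '/search?q=example';
echo "rows inserted by saveSearch: " . saveSearch($db, $session, 'my search') . PHP_EOL;
```

Run it with the PDO SQLite driver available (php example.php). The concatenated lookup throws on the apostrophe, the parameterized lookup returns the row, and saveSearch reports one inserted row because the session key written at login is the one the insert reads.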