How to insert username into a form.

Posted: Thu Apr 13, 2017 1:33 pm

Hello, I am trying to pull the username and insert it automatically into a form inside a module. None of the solutions I have found are working. I was hoping that someone here can suggest something the will work, and possibly evaluate it for security holes. I don't know php and only hack at it - very amateurishly. Just so ya know, I have a general grasp of html, but only a very, very rudimentary hint of a grasp of php. I have pulled snippets of code from other modules, and the rest from the internet. I have got it working everywhere except the username. I have not moved on to form validation yet. This module will only be available to logged-in users. Everything works as it is but I would like to users to not have to enter their own forum username.

I realize this forum is all but dead now, but any suggestions would be appreciated. I have not found another CMS I like as much as RN so I'll stick with it until the end.

Thanks in advance.

Here is my module:

Code:

<?php


//Start RN Header Stuff





   if (!defined('MODULE_FILE')) {


      header('Location: ../../index.php');


      die();


      }





   require_once("mainfile.php");


   $module_name = basename(dirname(__FILE__));


   $pagetitle = "- $module_name";


   date_default_timezone_set("America/Chicago");





   global  $admin, $user, $sitename, $slogan, $cookie, $prefix, $db, $nukeurl, $anonymous;


   include("header.php");


?>





<!-- Begin Form -->





 <html>


 <head></head>


 <body>


      <br /><br />


      <div style='width:800px; margin:0 auto; text-align:center'>


         <p><h1>Membership Information Form</h1></p><br />


         <p><h2>Please provide as much information as you feel comfortable sharing.  <br />


               This information will not be shared with anyone and will only be viewable by Council Members</h2></p>


      </div>"


      


      <form method = "post" name="form" action = "<?php $_PHP_SELF ?>">


                  


              <table align="center" width = "400" border = "2" cellspacing = "3" 


                     cellpadding = "2" style="border-style:solid">


                  


<!-- BEGIN TRYING TO PUT USERNAME HERE   -->





                <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Forum User Name </td>


                        <td>


                     <input name = "forumname" type = "text" id="forumname" value="" style="width:279px">


                  </td>


                     </tr>





<!-- END TRYING TO PUT USERNAME HERE -->                


                


                <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;First Name</td>


                        <td>


                     <input name = "firstname" type = "text" id="firstname" value="" style="width:279px">


                  </td>


                     </tr>


                  


                     <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Last Name</td>


                        <td  cellpadding = "2">


                     <input name = "lastname" type = "text" id="lastname" value="" style="width:279px"  >


                  </td>


                     </tr>


                  


                     <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Gaming Name</td>


                        <td cellpadding = "2">


                     <input name = "gamename" type = "text" id="gamename" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Street Address</td>


                        <td cellpadding = "2">


                     <input name = "address" type = "text" id="address" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;City</td>


                        <td cellpadding = "2">


                     <input name = "city" type = "text" id="city" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px; width:93px">&nbsp;State/Province</td>


                        <td cellpadding = "2">


                     <input name = "state" type = "text" id="state" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Zipcode</td>


                        <td cellpadding = "2">


                     <input name = "zipcode" type = "text" id="zipcode" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Country</td>


                        <td cellpadding = "2">


                     <input name = "country" type = "text" id="country" value="" style="width:279px">


                  </td>


                     </tr>


                    <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Phone</td>


                        <td cellpadding = "2">


                     <input name = "phone" type = "text" id="phone" value="" style="width:279px">


                  </td>


                     </tr>


                  


                     <tr>


                        <td style="font-weight:bold; width:93px">&nbsp;Working Email</td>


                        <td cellpadding = "2">


                     <input name = "email" type = "text" id="email" value="" style="width:279px">


                  </td>


                     </tr>


            </table>


              


<!-- Begin Testing comment field -->





   <div class="text-center">


      <table align="center" width = "400" border = "2" cellspacing = "3" cellpadding = "2" style="border-style:solid">


          <tr>


                <td style="font-weight:bold; width:193px">&nbsp;We Welcome<br />&nbsp;Your Comments</td>


            <td>   <textarea name="comments"  id= "comments" value"" cols="43" rows="15"></textarea>


            </td>


          </tr>


   </div>





<!-- End Testing comment field -->


               


              </table>              


              <table align="center" width = "400" border = "0" cellspacing = "1" cellpadding = "2" style="top:50px">


                <tr><br />


                        <td cellpadding = "2" style="text-align:center;font-weight:bold">


                           <input name = "add" type = "submit" value = "Submit"> 


                        </td>


                     </tr>


              </table>    


               </form>


</body>


</html>            





<!-- End of From -->





            


<?php





// Get db config





   include ('modules/Member_Info/include/config.php');


   


// Get username????





   if (is_user($user)) {


      $userinfo = getusrinfo($user);


      $forumname = $userinfo['forumname'];


   } else {


      $userinfo = false;


      $forumname = '';


   }


 


   if (isset($_POST['add'])){


      $forumname =$_POST["forumname"];


      $firstname =$_POST["firstname"];


      $lastname =$_POST["lastname"];


      $gamename =$_POST["gamename"];


      $address =$_POST["address"];


      $city =$_POST["city"];


      $state =$_POST["state"];


      $zipcode =$_POST["zipcode"];


      $country =$_POST["country"];


      $phone =$_POST["phone"];


      $email =$_POST["email"];


      $comments =$_POST["comments"];


   


// Create connection





   $conn = new mysqli($servername, $username, $password, $dbname);





// Insert into database





   $sql = "INSERT INTO members (forumname, firstname, lastname, gamename, address, city, state, zipcode, country, phone, email, comments) 


   VALUES ('{$forumname}', '{$firstname}', '{$lastname}', '{$gamename}', '{$address}', '{$city}', '{$state}', '{$zipcode}', '{$country}', '{$phone}', '{$email}', '{$comments}')";





// Send user to Thanks Page after successful submission





   if ($conn->query($sql) === TRUE) {    


      header ("Location: /modules.php?name=Member_Info_Thanks");


   } else {


      echo "Error: " . $sql . "<br>" . $conn->error;


   }





// End Connection





   $conn->close();


   }





// Include RN Footer





   include("footer.php");





?>

Site Admin Joined: Aug 22, 2007 Posts: 1772

I hope you doesn't use it online... This can not work on this way and it contains unfiltered variables, which allows sql-injections. This module needs a complete reconstruct.

Posted: Thu Apr 13, 2017 3:50 pm

1. If the db-table 'members' is not allready inside your RN database then move it into it. So you doesn't need a useless 2nd db-connection.

2. Create a new folder inside the modules-folder and call it what you want - maybe: members

3. Create inside the new created folder a new file called: index.php and paste this code into it:

php Code:

<?php


if (!defined('MODULE_FILE')) die('You can\'t access this file directly...');





$index = 0;


if (!defined('INDEX_FILE')) define('INDEX_FILE', true); # Set to FALSE to hide right blocks


if (defined('INDEX_FILE') AND INDEX_FILE === true) {


    # auto set right blocks for pre patch 3.1 compatibility


    $index = 1;


}


$module_name = basename(dirname(__FILE__));


if (!is_user($user)) {


    header('Location: /');


    exit;


}





date_default_timezone_set("America/Chicago");





if (!isset($op)) $op = '';


if (!isset($forumname)) $forumname = '';


if (!isset($firstname)) $firstname = '';


if (!isset($lastname)) $lastname = '';


if (!isset($gamename)) $gamename = '';


if (!isset($address)) $address = '';


if (!isset($city)) $city = '';


if (!isset($state)) $state = '';


if (!isset($zipcode)) $zipcode = '';


if (!isset($country)) $country = '';


if (!isset($phone)) $phone = '';


if (!isset($email)) $email = '';


if (!isset($comments)) $comments = '';





switch ($op) {


    default:


            form_index();


            break;


	case 'sent':


            csrf_check();


            form_sent($forumname, $firstname, $lastname, $gamename, $address, $city, $state, $zipcode, $country, $phone, $email, $comments);


            break;


}


die();





function form_index() {


    global $db, $prefix, $module_name, $user, $userinfo, $cookie;





    if (is_user($user)) {


        $userinfo = getusrinfo($user);


        $forumname = $userinfo['username'];


    } else {


        $userinfo = false;


        $forumname = '';


    }





    include_once 'header.php';


    OpenTable();





    echo '<div style="width: 800px; margin: 0 auto; text-align: center">' , PHP_EOL


        ,'	<h1>Membership Information Form</h1><br />' , PHP_EOL


        ,'	<h2>Please provide as much information as you feel comfortable sharing.<br />'


        ,'This information will not be shared with anyone and will only be viewable by Council Members</h2>' , PHP_EOL


        ,'</div>' , PHP_EOL





        ,'<br />' , PHP_EOL





        ,'<form method ="post" name="form" action = "modules.php?name=' , $module_name , '">' , PHP_EOL


        ,'<input type="hidden" name="op" value="sent" />' , PHP_EOL





        ,'	<table align="center" width="400" border="2" cellspacing="3" cellpadding="2" style="border-style:solid">' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Forum User Name </td>' , PHP_EOL


        ,'		<td><input name="forumname" type = "text" id="forumname" value="' , $forumname , '" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;First Name</td>' , PHP_EOL


        ,'		<td><input name="firstname" type="text" id="firstname" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Last Name</td>' , PHP_EOL


        ,'		<td><input name = "lastname" type = "text" id="lastname" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Gaming Name</td>' , PHP_EOL


        ,'		<td><input name="gamename" type="text" id="gamename" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Street Address</td>' , PHP_EOL


        ,'		<td><input name = "address" type = "text" id="address" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;City</td>' , PHP_EOL


        ,'		<td><input name = "city" type = "text" id="city" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px; width:93px">&nbsp;State/Province</td>' , PHP_EOL


        ,'		<td><input name = "state" type="text" id="state" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Zipcode</td>' , PHP_EOL


        ,'		<td><input name="zipcode" type="text" id="zipcode" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Country</td>' , PHP_EOL


        ,'		<td><input name="country" type="text" id="country" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Phone</td>' , PHP_EOL


        ,'		<td><input name="phone" type="text" id="phone" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:93px">&nbsp;Working Email</td>' , PHP_EOL


        ,'		<td><input name = "email" type = "text" id="email" value="" style="width:279px" /></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'</table>' , PHP_EOL





        ,'<br />' , PHP_EOL





        ,'<div class="text-center">' , PHP_EOL


        ,'	<table align="center" width="400" border="2" cellspacing="3" cellpadding="2" style="border-style:solid">' , PHP_EOL


        ,'	<tr>' , PHP_EOL


        ,'		<td style="font-weight:bold; width:193px">&nbsp;We Welcome<br />&nbsp;Your Comments</td>' , PHP_EOL


        ,'		<td><textarea name="comments" id="comments" cols="43" rows="15"></textarea></td>' , PHP_EOL


        ,'	</tr>' , PHP_EOL


        ,'</table>' , PHP_EOL


        ,'</div>' , PHP_EOL





        ,'<div class="text-center" style="margin-top: 50px; font-weight: bold;">' , PHP_EOL


        ,'	<input style="cursor: pointer" name="add" type="submit" value="Submit" />' , PHP_EOL


        ,'</div>' , PHP_EOL





        ,'</form>' , PHP_EOL;





    CloseTable();


    include_once 'footer.php';


}





function form_sent($forumname, $firstname, $lastname, $gamename, $address, $city, $state, $zipcode, $country, $phone, $email, $comments) {


    global $db, $prefix;





    if ($forumname == '') {


        include_once 'header.php';


        OpenTable();


        echo '<div class="text-center">Error! - No username submitted!<br /><br />' , _GOBACK , '</div>' , PHP_EOL;


        CloseTable();


        include_once 'footer.php';


        exit;


    }





    $forumname = $db->sql_escape_string(htmlspecialchars_decode(check_html($forumname, 'nohtml'), ENT_QUOTES));


    $firstname = $db->sql_escape_string(htmlspecialchars_decode(check_html($firstname, 'nohtml'), ENT_QUOTES));


    $lastname = $db->sql_escape_string(htmlspecialchars_decode(check_html($lastname, 'nohtml'), ENT_QUOTES));


    $gamename = $db->sql_escape_string(htmlspecialchars_decode(check_html($gamename, 'nohtml'), ENT_QUOTES));


    $address = $db->sql_escape_string(htmlspecialchars_decode(check_html($address, 'nohtml'), ENT_QUOTES));


    $city = $db->sql_escape_string(htmlspecialchars_decode(check_html($city, 'nohtml'), ENT_QUOTES));


    $state = $db->sql_escape_string(htmlspecialchars_decode(check_html($state, 'nohtml'), ENT_QUOTES));


    $zipcode = $db->sql_escape_string(htmlspecialchars_decode(check_html($zipcode, 'nohtml'), ENT_QUOTES));


    $country = $db->sql_escape_string(htmlspecialchars_decode(check_html($country, 'nohtml'), ENT_QUOTES));


    $phone = $db->sql_escape_string(htmlspecialchars_decode(check_html($phone, 'nohtml'), ENT_QUOTES));


    $email = $db->sql_escape_string(htmlspecialchars_decode(check_html($email, 'nohtml'), ENT_QUOTES));


    $comments = str_replace("\r\n", '<br />', $comments);


    $comments = $db->sql_escape_string(check_html($comments, ''));





    $result = $db->sql_query('INSERT INTO `members` VALUES '."(NULL, '$forumname', '$firstname', '$lastname', '$gamename', '$address', '$city', '$state', '$zipcode', '$country', '$phone', '$email', '$comments')");





    include_once 'header.php';


    OpenTable();


    if ($result) {


        echo '<div class="text-center">Thank you!<br /><br />' , _GOBACK , '</div>' , PHP_EOL;


    } else {


        echo '<div class="text-center">Failed!<br /><br />' , _GOBACK , '</div>' , PHP_EOL;


    }


    CloseTable();


    include_once 'footer.php';





}

You doesn't posted the structur of the used db-table 'members', so I can't figure it out and you have to test it. I hope with this example you can see what is needed to pass sensitive data from your users into a database table. Without the csrf_check and without escaping the passed variables you will have a huge security risk.

Posted: Thu Apr 13, 2017 4:07 pm

neralex wrote:

1. If the db-table 'members' is not allready inside your RN database then move it into it. So you doesn't need a useless 2nd db-connection.

Never thought of that.

[qoute]2. Create a new folder inside the modules-folder and call it what you want - maybe: members[/quote]
Already did this, and the code I posted is inside index.php

Quote:

3. Create inside the new created folder a new file called: index.php and paste this code into it:

Thanks I will try this. Apprectiate the help.

Quote:

You doesn't posted the structur of the used db-table 'members', so I can't figure it out and you have to test it. I hope with this example you can see what is needed to pass sensitive data from your users into a database table. Without the csrf_check and without escaping the passed variables you will have a huge security risk.

Thanks, I will try to see what you are talking about. When I get a chance to look at what you posted.

Thanks again.

Posted: Thu Apr 13, 2017 7:13 pm

Thanks, I want to keep this as a separate database.

However, I tried it by adding the table to my RN database and got the "Failed" message.

Posted: Fri Apr 14, 2017 7:17 pm

You mentioned you didn't know my table structure so I thought I'd post it.

Quote:

--
-- Table structure for table `members`
--

CREATE TABLE IF NOT EXISTS `members` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`forumname` varchar(32) NOT NULL,
`firstname` varchar(36) NOT NULL,
`lastname` varchar(36) NOT NULL,
`gamename` varchar(32) NOT NULL,
`address` varchar(36) NOT NULL,
`city` varchar(32) NOT NULL,
`state` varchar(36) NOT NULL,
`zipcode` varchar(20) NOT NULL,
`country` varchar(20) NOT NULL,
`phone` varchar(13) NOT NULL,
`email` varchar(30) NOT NULL,
`comments` varchar(300) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Thanks for you time neralax. However, your suggestion to put this table inside my RN database still gave me the "Failed" message and does not post the data to the db. I tried adding the call to the separate database and same result.

Posted: Sat Apr 15, 2017 3:26 am

Oops.

It seems I missed some db-fields in the function form_sent(). I made the changes in my post above.
[ Only registered users can see links on this board! Get registered or login! ]

I optimized a bit the table structure:

sql Code:

CREATE TABLE `members` (


  `id` int(10) NOT NULL,


  `forumname` varchar(60) NOT NULL,


  `firstname` varchar(60) NOT NULL,


  `lastname` varchar(60) NOT NULL,


  `gamename` varchar(60) NOT NULL,


  `address` text NOT NULL,


  `city` varchar(60) NOT NULL,


  `state` varchar(60) NOT NULL,


  `zipcode` varchar(20) NOT NULL,


  `country` varchar(20) NOT NULL,


  `phone` varchar(30) NOT NULL,


  `email` varchar(60) NOT NULL,


  `comments` text NOT NULL,


  PRIMARY KEY (`id`) 


) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1;

1. Got to phpmyadmin and klick on the left side on your used RN database

2. After that click on the 'SQL' tab in the top-menue

3. Paste this code into the box and press 'OK'.

Done.

If you should get an error, then paste the message here.

Posted: Sat Apr 15, 2017 10:01 am

No errors are posting, but still getting the "Failed" message without posting to database.

Once again I appreciate your time.

Posted: Sat Apr 15, 2017 11:52 am

You have updated the module code? If not, then copy the code from above and replace it.

Posted: Sat Apr 15, 2017 2:04 pm

Sorry not working -failed. Sent you a PM.

Posted: Sun Apr 16, 2017 8:13 am

I used the data of your PM and it works! I got: "Thank you!" Where is the problem?

Posted: Sun Apr 16, 2017 10:27 am

Hmm, I have tried it again and got "Failed" and there is no data in the database - not even from your attempt. I normally use Firefox, but when I tried it with IE I did get "Thank You", but then checked the database and nothing was inserted there. I have verified that the database contains the table "members", and has the structure you gave me. I don't know what else to do. Nor do I understand why I get the message "Failed" with Firefox, and Opera, but "Thank You" with IE (though nothing is stored in db).

Thanks again for your time.

Posted: Sun Apr 16, 2017 1:54 pm

Maybe you checked the wrong database?

I'm using also firefox. The issue with the browser could be a caching issue but not sure. Anyway.

Activate the error reporting for PHP and database errors in rnconfig.php and check what is happen, when you enter the form.

Posted: Sun Apr 16, 2017 2:51 pm

Quote:

April 16, 2017, 3:47 pm File: /home/doulos/public_html/ravennuke/db/mysqli.php - Line: 201
Code: 1048 - Message: Column 'id' cannot be null
SQL was: INSERT INTO `members` VALUES (NULL, 'testing', '', '', '', '', '', '', '', '', '', '', '')

I tried removing NULL since it wasn't in the original one I post here that did insert to the db fine, but got this error..

Quote:

April 16, 2017, 3:50 pm File: /home/doulos/public_html/ravennuke/db/mysqli.php - Line: 201
Code: 1136 - Message: Column count doesn't match value count at row 1
SQL was: INSERT INTO `members` VALUES ('testing', '', '', '', '', '', '', '', '', '', '', '')

Posted: Sun Apr 16, 2017 3:10 pm

Ok...NULL is important, so change it back.
Open phpmyadmin, click on your RN database and then paste this in the 'SQL' tab:

sql Code:

ALTER TABLE `members`


  ADD PRIMARY KEY (`id`);

Press OK and try the form again.

Posted: Mon Apr 17, 2017 4:43 am

I already change the id column to a primary key with auto increment, but I had to go to work before I could add back in NULL.

That did it. Thank you, thank you, thank you.

Posted: Mon Oct 16, 2017 12:12 am

Is there a way to put a check to see if the user is an admin and if so also show a search bar? I have this working - sort of - by making the search portion into a new admin-only module, but this doesn't seem the most efficient way of doing this. I do not want the regular user to be able to search this database as it will include confidential information about other users.

Example: regular user enters module fills in the form and upon submission enters data into db.
user logged in as an admin enters module and can enter data, or search the db.

I have been trying to find examples of this in other modules, but have had no luck so far. For the most part I am a cut and paste kind of guy without the time to learn all this from scratch.

Posted: Mon Oct 16, 2017 2:29 am

php Code:

if (is_admin($admin)) {


    #php stuff here


}