How do I validate my uid with the current session's uid in this code. This is the page shown to users after they login to the website. Here they can register for events using their UserId. So how do I validate that?
Code:
$error = array();
if (isset($_POST['uid'], $_POST['eventList']))
{
if (empty($_POST['uid']))
$error[] = 'Please Enter a name';
else
{
$query = "INSERT INTO event (Memberid, events) VALUES (?, ?)";
if ($stmt = mysqli_prepare($dbc, $query))
{
mysqli_stmt_bind_param($stmt, 'is', $_POST['uid'], $_POST['eventList']);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
echo 'Success';
}
}
}
This is the List contents
Event Name: <select style="width:200px;" name="eventList" tabindex="5">
<form action="page.php" method=POST>
User ID: <input type="text" name="uid" id="uid"><br
<option value="select">Select Event</option>
<optgroup label="Specials">
<option value="Vogue">Vogue</option>
<option value="Raddrock">Raddrock</option>
<option value="Razzmatazz">Razzmatazz</option>
</optgroup>
</select><br>
<input type="submit" value="register">
</form>
I suppose the database query is executed twice: Once when the page is loaded with the empty form, and then a second time when the form is actually posted with data.
Solution: Only execute the database query after you escaped the data values and only after the form was posted.
The obvious answer is that it is being run twice. Is this in the same file? If so it is running the script when it is first loaded and then again when you submit it. And it doesn't look like you have the query enclosed in anything to keep it from being run twice. You need to check to see if the Post has taken place.