So I am fairly new to php I have some php code that confirms a user has been added into a group and then submits their information into the database but it doesn't seem to be adding all the information
<?php
/* Verifies member being added
*/
require 'db.php';
session_start();
// Make sure join code and email aren't empty
if(isset($_GET['joincode']) && !empty($_GET['joincode']) AND isset($_GET['memberemail']) && !empty($_GET['memberemail']))
{
$joincode = $link->escape_string($_GET['joincode']);
$memberemail = $link->escape_string($_GET['memberemail']);
// Select user with matching email
$result = $link->query("SELECT * FROM logins WHERE Email='$memberemail'");
if ( $result->num_rows !==1 )
{
$_SESSION['message'] = "You need to create an account or the URL is invalid!";
header("location: error.php");
}
else {
$_SESSION['message'] = "You have been added!";
while ($id = $result->fetch_assoc()){
$id['unique_id'];
}
$leagueinfo = $link->query("SELECT * FROM leagues WHERE joincode='$joincode'");
$info = $leagueinfo->fetch_assoc();
$info['league_id'];
$info['league_name'];
$info['start_date'];
$info['end_date'];
$sql = "INSERT INTO leagues (unique_id, league_id, league_name, role, start_date, end_date, joincode) "
. "VALUES ('".$id['unique_id']."','".$info['league_id']."','".$info['league_name']."','MEMBER',
'".$info['start_date']."','".$info['end_date']."','".$joincode."')";
mysqli_query($link,$sql);
// header("location: success.php");
}
}
else {
$_SESSION['message'] = "Invalid parameters provided for account verification!";
header("location: error.php");
}
?>
I've changed the names of the different queries and it's now pulling all information except for the unique_id which echoes out correctly but isn't being added into the database.
You are overwriting your $row variable when you fetch a result from the $leagueinfo query.
You should use different names for these result sets.
Also note that this is a very strange way to get a result set:
# Why are you using $row = $row = ... ?
while ($row = $row = $result->fetch_assoc()){
$row['unique_id'];
}
The line in the loop does not do anything and you you will always end up with $row containing the results of the last iteration of the loop.
It would make more sense to check if the number of rows is 1 and throw an error if it is not. Then you can simply fetch 1 row without using a loop:
if ($result->num_rows !== 1) {
# Handle error for example by throwing an exception
}
# You need an else if you don't return from a method or throw an exception
$row = $result->fetch_assoc();
You also have an sql injection problem: You are escaping the values for the SELECT statements, but not for the INSERT. I would recommend using prepared statements everywhere instead of using escaping.