seating overwrite

[lee2010]

hi all, i have written a seating plan page for my website which allows users to click on a seat and that seat is then allocated to there username, however theres nothing stopping a user changing the URL to a seat thats been taken and "taking" that seat from someone else.

 

heres my code for my reserve_seat.php

 

<?PHP
session_start();
/* get user id */
$user_id = $_SESSION['username'];

/* get the seat number */
$seat_id = $_GET['seat'];

/* connect to data base */
require ('./secure/connect.php');


/* create query */
$query = "UPDATE seats_table set taken = FALSE, user_id = '0' WHERE user_id = '$user_id'";
$query2 = "UPDATE seats_table set taken = TRUE, user_id = '$user_id'  WHERE id = '$seat_id'";
/* $query3 = "UPDATE users set signed_up = '3' WHERE username = '$user_id'"; */


/* execute the query */
$result = mysql_query($query);
$result2 = mysql_query($query2);
/* $result3 = mysql_query($query3); */


/* advise user their seat has been reserved */
include 'seating.php';

?>

 

so if a user reserves seat 28 the url is http://localhost/reserve_seat.php?seat=26, but theres nothing stopping another user typing this url and "stealing" this seat

 

i need some kind of IF statement before the sql queries that checks to see if the seats "taken" column is 1 or 0 bearing in mind there is 49 seats but im lost at how to write it. any help would be great

 

Lee

[denno020]

<?PHP
session_start();
/* get user id */
$user_id = $_SESSION['username'];

/* get the seat number */
$seat_id = $_GET['seat'];

//NEW CODE STARTS HERE

$sqlCommand = "SELECT taken FROM seats_table WHERE seat_id = $seat_id";
$query = mysql_query($sqlCommand, $myConnection) or die (mysql_error());
while($row = mysql_fetch_array($query)){
$taken = $row["taken"];
}
mysql_free_result($query);

//Check if seat is taken
if($taken == 1){
echo "That seat is taken, please go back and select another";
exit();		//will stop processing the rest of the script, so nothing else will be shown.
}

//NEW CODE ENDS HERE

/* connect to data base */
require ('./secure/connect.php');


/* create query */
$query = "UPDATE seats_table set taken = FALSE, user_id = '0' WHERE user_id = '$user_id'";
$query2 = "UPDATE seats_table set taken = TRUE, user_id = '$user_id'  WHERE id = '$seat_id'";
/* $query3 = "UPDATE users set signed_up = '3' WHERE username = '$user_id'"; */


/* execute the query */
$result = mysql_query($query);
$result2 = mysql_query($query2);
/* $result3 = mysql_query($query3); */


/* advise user their seat has been reserved */
include 'seating.php';

?>

 

That's something I've just whipped up for you. You can see where I've added code. I haven't tested it, so there might be some silly errors in there, but nothing that you won't be able to figure out .

 

Hopefully that helps.

 

Denno

[Psycho]

So, a user can only have one seat? That would seem to be the case based upon your code. Oh well, denno020 has the right idea, but I think the below would be more efficient. Plus that code will not work as written sice it is trying to run queries before connecting to the DB. I also added code to prevent sql injection

 

<?php
session_start();

/* connect to data base */
require ('./secure/connect.php');

/* get user id */
$user_id = mysql_real_escape_string(trim($_SESSION['username']));
/* get the seat number */
$seat_id = mysql_real_escape_string(trim($_GET['seat']));

//Check if seat is already taken
$query = "SELECT taken FROM seats_table WHERE seat_id = $seat_id AND taken = TRUE";
$result = mysql_query($query, $myConnection) or die (mysql_error());

//Check if seat is taken
if(mysql_num_rows($result)>0)
{
    echo "That seat is taken, please go back and select another";
exit();
    //Could also do a header to redirect to appropritate page
}

/* create query */
$query = "UPDATE seats_table set taken = FALSE, user_id = '0' WHERE user_id = '$user_id'";
$result = mysql_query($query) or die (mysql_error());
$query = "UPDATE seats_table set taken = TRUE, user_id = '$user_id'  WHERE id = '$seat_id'";
$result = mysql_query($query) or die (mysql_error());
/* $query3 = "UPDATE users set signed_up = '3' WHERE username = '$user_id'"; */
/* $result3 = mysql_query($query3); */

/* advise user their seat has been reserved */
include 'seating.php';

?>

 

[denno020]

So, a user can only have one seat? That would seem to be the case based upon your code. Oh well, denno020 has the right idea, but I think the below would be more efficient. Plus that code will not work as written sice it is trying to run queries before connecting to the DB. I also added code to prevent sql injection

 

<?php
session_start();

/* connect to data base */
require ('./secure/connect.php');

/* get user id */
$user_id = mysql_real_escape_string(trim($_SESSION['username']));
/* get the seat number */
$seat_id = mysql_real_escape_string(trim($_GET['seat']));

//Check if seat is already taken
$query = "SELECT taken FROM seats_table WHERE seat_id = $seat_id AND taken = TRUE";
$result = mysql_query($query, $myConnection) or die (mysql_error());

//Check if seat is taken
if(mysql_num_rows($result)>0)
{
    echo "That seat is taken, please go back and select another";
exit();
    //Could also do a header to redirect to appropritate page
}

/* create query */
$query = "UPDATE seats_table set taken = FALSE, user_id = '0' WHERE user_id = '$user_id'";
$result = mysql_query($query) or die (mysql_error());
$query = "UPDATE seats_table set taken = TRUE, user_id = '$user_id'  WHERE id = '$seat_id'";
$result = mysql_query($query) or die (mysql_error());
/* $query3 = "UPDATE users set signed_up = '3' WHERE username = '$user_id'"; */
/* $result3 = mysql_query($query3); */

/* advise user their seat has been reserved */
include 'seating.php';

?>

 

 

That's a pretty good point about running queries before being connected to the database, oops.

Thanks for the sql injection fix up too.