Hi all,

I am trying to use the "header("location" to redirect the page to another page and carry a query on the end of the "location" statement.

I have:

$id = $_POST['member_id'];
header ("Location: editdisplay.php?member_id=" . $id . "");

When the redirect page loads it does not display the data relating to the query.

Am I doing this wrong (as always)?

    You'll need to use $_GET.

    ie:

    $id = $_GET['member_id']; 
    header ("Location: editdisplay.php?member_id=" . $id . ""); 
    

      Also you should really use full URIs in Location headers, as stated by php.net:

      Note:

      HTTP/1.1 requires an absolute URI as argument to Location: including the scheme, hostname and absolute path, but some clients accept relative URIs.

        jeepin81;10998023 wrote:

        You'll need to use $_GET.

        ie:

        $id = $_GET['member_id']; 
        header ("Location: editdisplay.php?member_id=" . $id . ""); 
        

        Not necessarily - the 'member_id' value may indeed have been POST'ed to the current page.

        The place where you'd want to use $_GET, though, is inside that editdisplay.php script.

          Hi all,

          The "member_id" is posted to this script.

          I have changed the code to:

          
          header ("Location: http://www.domain/path/path/editdisplay.php?member_id=40");
          

          and this works, but when I have

          header ("Location: http://www.domain/path/path/editdisplay.php?member_id=" . $_POST['member_id']. "");
          

          it does not. Do you know where I am going wrong?

            What does the URL of the second header() call look like when you get redirected? What is the value of $_POST['member_id']?

              Hi Brad,

              The value of $_POST['member_id'] is 40.

              And this is what I am expecting.

              Thanks for looking at this.

                dcjones;10998040 wrote:

                The value of $_POST['member_id'] is 40.

                Apparently it isn't, though, since that would mean that both code snippets you posted are equivalent and would thus produce the same results.

                Try commenting out the header redirect and instead doing a var_dump() of $_POST['member_id'] at that location - what is the resulting output you get?

                  Hi Brad,

                  This is the complete script:

                  print $_POST['member_id']; // this produces 40
                  
                  
                  if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
                    	$updateSQL = sprintf("UPDATE FIDS_user_accounts SET PlusTimeArriveMidnight=%s WHERE member_id=" . $_POST['member_id'] . "",
                  
                                     GetSQLValueString($_POST['PlusTimeArriveMidnight'] = $_POST['plustimearrivemidnight'], "int"),
                                     GetSQLValueString($_POST['member_id'] = $row_customers['member_id'], "int"));
                  
                  mysql_select_db($database_flightq, $flightq);
                  $Result1 = mysql_query($updateSQL, $flightq) or die(mysql_error());
                  //header ("Location:  http://www.domain/path/path/editdisplay.php?member_id=40");
                  var_dump($_POST['member_id']); //this produces NULL
                  }
                  

                  var_dump($_POST['member_id']) produces NULL

                  I know that the header location row is inside the "if statement" but the WHERE clause in the SQL query also uses "$_POST['member_id'] and it works, the data table gets updated.

                    GetSQLValueString($_POST['member_id'] = $row_customers['member_id'], "int"));

                    I feel the problem is this line, because you are assigning $_POST['member_id'] to $row_customers['member_id'] then passing that to GetSQLValueString and given the code you provided $row_customers['member_id'] is undefined. If you had error_reporting set to E_ALL or better you would get undefined variable and/or notice from this line. Since you are attempting to assign it to an undefined variable the resulting value will be NULL.

                      Hi all and Derokorian,

                      Derokorian, spot on, I never spotted that.

                      I changed the line to:

                      GetSQLValueString($_POST['member_id'] = $_POST['member_id'], "int"));
                      

                      And it now works as required.

                      Many thanks for all the input, many eyes make it easier after you have been looking at it for what seems like hours.

                        dcjones;10998064 wrote:

                        Hi all and Derokorian,

                        Derokorian, spot on, I never spotted that.

                        I changed the line to:

                        GetSQLValueString($_POST['member_id'] = $_POST['member_id'], "int"));
                        

                        Er.. why did you do that? Read that code and see if it actually makes sense to you... you're assigning the value of a variable back to itself, and then passing it as a parameter.

                        Furthermore, your code isn't even using that line at all since you already directly inserted the value of $_POST['member_id'] into the SQL query string (making your code vulnerable to SQL injection attacks and/or SQL errors).

                          Hi Brad,

                          You're perfectly correct, I have changed the code to:

                          if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
                            	$updateSQL = sprintf("UPDATE FIDS_user_accounts SET PlusTimeArriveMidnight=%s WHERE member_id=" . $_POST['member_id'] . "",
                          
                                             GetSQLValueString($_POST['PlusTimeArriveMidnight'] = $_POST['plustimearrivemidnight'], "int"));
                          
                          mysql_select_db($database_flightq, $flightq);
                          $Result1 = mysql_query($updateSQL, $flightq) or die(mysql_error());
                          
                          header ("Location:  editdisplay.php?member_id=" . $_POST['member_id']);
                          }
                          

                          This does away with GetSQLValueString($_POST['member_id'] = $_POST['member_id'], "int"));

                          As for SQL injection, all these scripts are not available to normal web surfers, they sit in a protected area with strong passwords.

                          Thanks for your input which is always very welcome.

                            dcjones;10998077 wrote:

                            This does away with GetSQLValueString($_POST['member_id'] = $_POST['member_id'], "int"));

                            Why not simply use the function correctly?

                            dcjones;10998077 wrote:

                            As for SQL injection, all these scripts are not available to normal web surfers, they sit in a protected area with strong passwords.

                            Why does that lead you to believe you can justify not sanitizing user input to prevent SQL injections and/or SQL errors? (It shouldn't.)

                              Hi Brad,

                              Point taken, I will revisit the way I am processing the input.

                              Again, many thanks.
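
The point raised in the thread about the concatenated WHERE clause, shown as an added example that is not code from any of the posters: the same update and redirect with both values validated as integers and passed as bound parameters. It assumes PDO with an in-memory SQLite database standing in for the MySQL connection, and `updateAndRedirectTarget()` is a hypothetical helper name; the table and column names are the ones from the thread.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with an in-memory
// SQLite database stands in for the MySQL connection, and
// updateAndRedirectTarget() is a hypothetical helper name.
function updateAndRedirectTarget(PDO $db, array $post): ?string
{
    // Validate both inputs as integers before they reach SQL or a header.
    $memberId = filter_var($post['member_id'] ?? null, FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
    $plusTime = filter_var($post['plustimearrivemidnight'] ?? null, FILTER_VALIDATE_INT);
    if ($memberId === false || $plusTime === false) {
        return null; // missing or non-numeric input: no query, no redirect
    }

    // Bound parameters: the values never become part of the SQL text.
    $stmt = $db->prepare(
        'UPDATE FIDS_user_accounts SET PlusTimeArriveMidnight = :plus WHERE member_id = :id'
    );
    $stmt->bindValue(':plus', $plusTime, PDO::PARAM_INT);
    $stmt->bindValue(':id', $memberId, PDO::PARAM_INT);
    $stmt->execute();

    // Build the query string from the validated integer, not from raw $_POST.
    return 'editdisplay.php?' . http_build_query(['member_id' => $memberId]);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE FIDS_user_accounts (member_id INTEGER PRIMARY KEY, PlusTimeArriveMidnight INTEGER)');
$db->exec('INSERT INTO FIDS_user_accounts VALUES (40, 0), (41, 0)');

// Normal request: member_id and the new value arrive as POSTed strings.
$target = updateAndRedirectTarget($db, ['member_id' => '40', 'plustimearrivemidnight' => '15']);
var_dump($target);
// In the real script this would be: header('Location: ' . $target); exit;

// Constructed malformed input: concatenated into the WHERE clause this would
// match every row; here it fails integer validation and nothing is executed.
var_dump(updateAndRedirectTarget($db, ['member_id' => '40 OR 1=1', 'plustimearrivemidnight' => '15']));

// Check row 41, which a blanket update would have changed.
var_dump($db->query('SELECT PlusTimeArriveMidnight FROM FIDS_user_accounts WHERE member_id = 41')->fetchColumn());
```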
