Reputation: 465
I have read multiple posts on this on here, but none seem to do the trick; maybe I am just misunderstanding, as I am new to this. I have a form that inserts into a database and then echoes out the data, perfectly! My problem is that because the form is on a user's account page, when you log out all the information disappears. I am aware that I will have to save my $_POST variables into a $_SESSION.
But even when saved into a session, the data echoed out still disappears once logged out, when logging back in. What is the correct way to save a $_POST into a $_SESSION?
I am currently using:
// Save $_POST to $_SESSION
$_SESSION['fname'] = $_POST;
Is there a better way? Here is my code:
HTML
<section class="container">
    <form id="myform" class="Form" method="post" action="Cus_Account.php?c_id=<?php echo urlencode($c_id); ?>" accept-charset="utf-8">
        <!-- <div id="first">-->
        <!-- Values echoed back into attributes are escaped with htmlspecialchars() -->
        <input type="text" id="fname" name="fname" value="<?php echo isset($_POST['fname']) ? htmlspecialchars($_POST['fname'], ENT_QUOTES) : ''; ?>" required>
        <input type="text" id="lname" name="lname" value="<?php echo isset($_POST['lname']) ? htmlspecialchars($_POST['lname'], ENT_QUOTES) : ''; ?>" required>
        <input type="text" id="email" name="email" value="<?php echo htmlspecialchars($_SESSION['Cus_Email'], ENT_QUOTES); ?>" required>
        <input type="number" id="phone" name="phone" value="<?php echo isset($_POST['phone']) ? htmlspecialchars($_POST['phone'], ENT_QUOTES) : ''; ?>" required>
        <input type="submit" name="Update" value="Update">
        <br>
    </form>
</section>
PHP
<?php
if (isset($_POST['Update'])) {
    $c_fname = $_POST['fname'];
    $c_lname = $_POST['lname'];
    $c_email = $_POST['email'];
    $c_phone = $_POST['phone'];
    // Save $_POST to $_SESSION
    $_SESSION['fname'] = $_POST;
    // query
    $insert_det = "INSERT INTO Cus_acc_details(CUS_Fname,CUS_Lname,Cus_Email,CUS_Phone) VALUES (?,?,?,?)";
    $stmt = mysqli_prepare($dbc, $insert_det);
    // new
    // $stmt = mysqli_prepare($dbc, $insert_c);
    // debugging
    //$stmt = mysqli_prepare($dbc, $insert_c) or die(mysqli_error($dbc));
    mysqli_stmt_bind_param($stmt, 'sssi', $c_fname, $c_lname, $c_email, $c_phone);
    /* execute query */
    $r = mysqli_stmt_execute($stmt);
    // if inserted, echo the following messages
    if ($r) {
        echo "<script> alert('registration successful')</script>";
    }
} else {
    echo "<b>Oops! Your passwords do not </b>";
}
?>
The $_SESSION['Cus_Email'] in the form is from another query. Any help or suggestions would be much appreciated.
Upvotes: 0
Views: 1797
Reputation: 12588
$_POST data should only be stored as a session variable temporarily. For example, if your user makes an error:
form.php
<?php
session_start(); // Required before $_SESSION can be read.
// This function should go in a config file, to escape data:
function html($str){
    return htmlspecialchars($str, ENT_QUOTES);
}
// Default to empty arrays on a first visit, when nothing has been stored yet.
$data = $_SESSION['form']['data'] ?? [];
$errors = $_SESSION['form']['errors'] ?? [];
?>
<form method="post" action="action.php">
    <input type="text" name="fname" value="<?=html($data['fname'] ?? '')?>" placeholder="First name">
    <?php if(isset($errors['fname'])): ?>
        <p>ERROR: <?=html($errors['fname'])?></p>
    <?php endif; ?>
    <input type="text" name="lname" value="<?=html($data['lname'] ?? '')?>" placeholder="Last name">
    <button type="submit">Go</button>
</form>
<?php
unset($_SESSION['form']); // You don't want to keep this data any longer.
action.php
<?php
session_start(); // Required before $_SESSION can be written.
$data = $_POST;
$errors = []; // Start with no errors so the empty() check below is well defined.
// Validate the data, for example:
if(($data['fname'] ?? '') == ''){
    $errors['fname'] = "First name is required.";
}
if(!empty($errors)){
    unset($data['password']); // Do not store passwords in session variables.
    $_SESSION['form']['data'] = $data;
    $_SESSION['form']['errors'] = $errors;
    header("Location: form.php");
    die;
}
// Put your database inserts here (no errors)
You should store things like first name, surname, etc, inside your database. Don't store these in $_SESSION other than in the example above.
Upvotes: 1
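An added example, not code from the question or the answer, of the answer's closing advice: after login, the account form is refilled from the database row saved earlier rather than from $_SESSION or $_POST. It reuses the question's table, columns and `$_SESSION['Cus_Email']`; `db.php` (which defines `$dbc`), `login.php` and `load_customer_details()` are hypothetical names.

```php
<?php
// Added example, not code from the thread.
// Assumed: db.php (hypothetical) defines the mysqli connection $dbc;
// login.php (hypothetical) sets $_SESSION['Cus_Email'] after authentication.
session_start();
require 'db.php';

function html($str): string
{
    return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8');
}

// Read one saved row for this customer. The question's code INSERTs on every
// submit, so several rows may exist; LIMIT 1 returns one of them.
function load_customer_details(mysqli $dbc, string $email): array
{
    $details = ['fname' => '', 'lname' => '', 'phone' => ''];
    $sql = 'SELECT CUS_Fname, CUS_Lname, CUS_Phone
            FROM Cus_acc_details WHERE Cus_Email = ? LIMIT 1';
    $stmt = mysqli_prepare($dbc, $sql);
    if ($stmt === false) {
        return $details; // could not prepare: fall back to an empty form
    }
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $fname, $lname, $phone);
    if (mysqli_stmt_fetch($stmt)) {
        $details = ['fname' => $fname, 'lname' => $lname, 'phone' => $phone];
    }
    mysqli_stmt_close($stmt);
    return $details;
}

if (empty($_SESSION['Cus_Email'])) {
    header('Location: login.php'); // not logged in: nothing to show
    exit;
}

// The lookup key is the identity held in the session, not a request parameter.
$saved = load_customer_details($dbc, $_SESSION['Cus_Email']);
?>
<form method="post" action="Cus_Account.php" accept-charset="utf-8">
    <input type="text" name="fname" value="<?= html($saved['fname']) ?>" required>
    <input type="text" name="lname" value="<?= html($saved['lname']) ?>" required>
    <input type="text" name="email" value="<?= html($_SESSION['Cus_Email']) ?>" required>
    <input type="number" name="phone" value="<?= html($saved['phone']) ?>" required>
    <input type="submit" name="Update" value="Update">
</form>
```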