Reputation: 1
I hope someone can help,
I have written the following function - insert_address($address) to write address records to a MySQL database, and it writes all the fields except custid.
custid is the primary index of another table and is stored in the session variable $_SESSION.
The function insert_address($address) is called from the form below the function.
I have included other bits of code to show session id etc. for extra background.
<?php
function insert_address($address) {
  global $db;
  $sql = "INSERT INTO address ";
  $sql .= "(custid, houseno, street_1, street_2, town, county, postcode, country) ";
  $sql .= "VALUES (";
  $sql .= "'" . db_escape($db, $address['custid']) . "',";
  $sql .= "'" . db_escape($db, $address['houseno']) . "',";
  $sql .= "'" . db_escape($db, $address['street_1']) . "',";
  $sql .= "'" . db_escape($db, $address['street_2']) . "',";
  $sql .= "'" . db_escape($db, $address['town']) . "',";
  $sql .= "'" . db_escape($db, $address['county']) . "',";
  $sql .= "'" . db_escape($db, $address['postcode']) . "',";
  $sql .= "'" . db_escape($db, $address['country']) . "'";
  $sql .= ")";
  $result = mysqli_query($db, $sql);
  // For INSERT statements, $result is true/false
  if($result) {
    return true;
  } else {
    // INSERT failed
    echo mysqli_error($db);
    db_disconnect($db);
    exit;
  }
}
?>
PHP form
<?php
require_once('../../private/initialize.php');
require_user_login();
if(is_post_request()) {
  $address = [];
  $address ['custid'] = $_POST['custid'] ?? '';
  $address['houseno'] = $_POST['houseno'] ?? '';
  $address['street_1'] = $_POST['street_1'] ?? '';
  $address['street_2'] = $_POST['street_2'] ?? '';
  $address['town'] = $_POST['town'] ?? '';
  $address['county'] = $_POST['county'] ?? '';
  $address['postcode'] = $_POST['postcode'] ?? '';
  $address['country'] = $_POST['country'] ?? '';
  $result = insert_address($address);
  if($result === true) {
    // $new_id = mysqli_insert_id($db);
    $_SESSION['message'] = 'Address Created.';
    redirect_to(url_for('/admin/show.php?id=' . $custid));
  } else {
    $errors = $result;
  }
} else {
  // display the blank form
  $address = [];
  $address['custid'] = $_GET['custid'] ?? '1';
  $address['houseno'] = '';
  $address['street_1'] = '';
  $address['street_2'] = '';
  $address['town'] = '';
  $address['county'] = '';
  $address['postcode'] = '';
  $address['country'] = '';
}
?>
<?php $page_title = 'Create Address'; ?>
<?php include(SHARED_PATH . '/public_header.php'); ?>
<div id="content">
  <a class="back-link" href="<?php echo url_for('/admin/show.php'); ?>">« Back to Account Page</a>
  <div class="admin new">
    <h1>Create Address</h1>
    <?php echo display_errors($errors); ?>
    <form action="<?php echo url_for('/admin/address.php'); ?>" method="post">
      <dl>
        <dt>House Number</dt>
        <dd><input type="text" name="houseno" value="<?php echo h($address['houseno']); ?>" /></dd>
      </dl>
      <dl>
        <dt>Street</dt>
        <dd><input type="text" name="street_1" value="<?php echo h($address['street_1']); ?>" /></dd>
      </dl>
      <dl>
        <dt>Street 2</dt>
        <dd><input type="text" name="street_2" value="<?php echo h($address['street_2']); ?>" /></dd>
      </dl>
      <dl>
        <dt>Town or City</dt>
        <dd><input type="text" name="town" value="<?php echo h($address['town']); ?>" /></dd>
      </dl>
      <dl>
        <dt>County </dt>
        <dd><input type="text" name="county" value="<?php echo h($address['county']); ?>" /><br /></dd>
      </dl>
      <dl>
        <dt>Post Code </dt>
        <dd><input type="text" name="postcode" value="<?php echo h($address['postcode']); ?>" /><br /></dd>
      </dl>
      <dl>
        <dt>Country </dt>
        <dd><input type="text" name="country" value="<?php echo h($address['country']); ?>" /><br /></dd>
      </dl>
      <br />
      <div id="operations">
        <input type="submit" value="Add Address" />
      </div>
    </form>
  </div>
</div>
<?php include(SHARED_PATH . '/public_footer.php'); ?>
<?php
require_once('db_credentials.php');
function db_connect() {
  $connection = mysqli_connect(DB_SERVER, DB_USER, DB_PASS, DB_NAME);
  confirm_db_connect();
  return $connection;
}
function db_disconnect($connection) {
  if(isset($connection)) {
    mysqli_close($connection);
  }
}
function db_escape($connection, $string) {
  return mysqli_real_escape_string($connection, $string);
}
function confirm_db_connect() {
  if(mysqli_connect_errno()) {
    $msg = "Database connection failed: ";
    $msg .= mysqli_connect_error();
    $msg .= " (" . mysqli_connect_errno() . ")";
    exit($msg);
  }
}
function confirm_result_set($result_set) {
  if (!$result_set) {
    exit("Database query failed.");
  }
}
?>
I have tried using global variables, just putting them in to try to force the value to be passed; I have removed them now but still get the same result. I am using the session ID to pass the required variables while moving around from page to page.
<?php
// Performs all actions necessary to log in a customer
function log_in_customer($customer) {
  // Regenerating the ID protects the customer from session fixation.
  session_regenerate_id();
  $_SESSION['custid'] = $customer['custid'];
  $_SESSION['last_login'] = time();
  $_SESSION['username'] = $customer['username'];
  return true;
}
// Performs all actions necessary to log out a customer
function log_out_customer() {
  unset($_SESSION['custid']);
  unset($_SESSION['last_login']);
  unset($_SESSION['username']);
  // session_destroy(); // optional: destroys the whole session
  return true;
}
// user_is_logged_in() contains all the logic for determining if a
// request should be considered a "logged in" request or not.
// It is the core of require_user_login() but it can also be called
// on its own in other contexts (e.g. display one link if a customer
// is logged in and display another link if they are not)
function user_is_logged_in() {
  // Having a custid in the session serves a dual purpose:
  // - Its presence indicates the customer is logged in.
  // - Its value tells which customer for looking up their record.
  return isset($_SESSION['custid']);
}
// Call require_user_login() at the top of any page which needs to
// require a valid login before granting access to the page.
function require_user_login() {
  if(!user_is_logged_in()) {
    redirect_to(url_for('/login.php'));
  } else {
    // Do nothing, let the rest of the page proceed
  }
}
?>
I am sure this is just a simple fix which I can not find!
Upvotes: 0
Views: 861
Reputation: 1439
You are never assigning $_POST['custid']. You should use the session variable that you set on sign-in instead.
Try to use $_SESSION['custid'] in your PHP form. So instead of
$address ['custid'] = $_POST['custid'] ?? '';
in your PHP form use this
$address ['custid'] = $_SESSION['custid'] ?? '';
I think you are just using the wrong variable.
Upvotes: 1
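Added example, not part of the original question or answer: taking custid from the session also matters for access control, because a custid arriving in $_POST or $_GET is supplied by the browser, while $_SESSION['custid'] is set by the server at login. The sketch below builds the record from a fixed list of form fields plus the session's custid and inserts it with a mysqli prepared statement instead of string concatenation. The names build_address() and insert_address_prepared() are hypothetical, custid is assumed to be an integer key, and $db is assumed to be the mysqli connection returned by db_connect().

```php
<?php
// Added example: build_address() and insert_address_prepared() are
// hypothetical names; table and column names are those from the question.

// Fields the browser is allowed to supply. custid is deliberately absent.
const ADDRESS_FIELDS = ['houseno', 'street_1', 'street_2', 'town',
                        'county', 'postcode', 'country'];

// Build the record: form fields from the request, owner from the session.
function build_address(array $post, array $session): array {
    if (!isset($session['custid'])) {
        throw new RuntimeException('Not logged in');
    }
    $address = ['custid' => (int) $session['custid']]; // assumed integer key
    foreach (ADDRESS_FIELDS as $field) {
        // Ignore anything that is not a plain string (e.g. houseno[]=x).
        $value = $post[$field] ?? '';
        $address[$field] = is_string($value) ? trim($value) : '';
    }
    return $address;
}

// Insert with a prepared statement: values are bound, never concatenated.
function insert_address_prepared(mysqli $db, array $address): bool {
    $sql = "INSERT INTO address "
         . "(custid, houseno, street_1, street_2, town, county, postcode, country) "
         . "VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
    $stmt = mysqli_prepare($db, $sql);
    if ($stmt === false) {
        error_log('insert_address prepare failed: ' . mysqli_error($db));
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'isssssss',
        $address['custid'], $address['houseno'], $address['street_1'],
        $address['street_2'], $address['town'], $address['county'],
        $address['postcode'], $address['country']);
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        // Log server-side instead of echoing database errors to the page.
        error_log('insert_address failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);
    return $ok;
}

// Usage in the form handler (assumes $db from db_connect() and a started session):
// $address = build_address($_POST, $_SESSION);
// $result  = insert_address_prepared($db, $address);
```

With the default error mode of PHP 8.1 and later, mysqli throws mysqli_sql_exception on failure instead of returning false, so the logging branches apply to older versions or when error reporting is set to MYSQLI_REPORT_OFF.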