I have a login page called login.php with the following PHP code:
<?php
session_start();
include ('databaseconnect.php');
if(isset($_POST['login'])){
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    $query = "select Username, Userid, user_type from Users
              where username = '$username'
              and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);
    if (mysqli_num_rows($result) == 1) {
        $username = mysqli_fetch_assoc($result);
        if ($username ['user_type'] == 'owner') {
            $_SESSION['username'] = $username['Username'];
            $_SESSION['userid'] = $userid['Userid'];
            $_SESSION['user_type'] = $user_type['user_type'];
            header('location:adminmain.php');
        }else{
            $_SESSION['username'] = $username['Username'];
            $_SESSION['userid'] = $userid['Userid'];
            $_SESSION['user_type'] = $user_type['user_type'];
            header('location:usermain.php');
        }
    }
}
?>
A person's 'Username', 'Userid' and 'user_type' are supposed to be in $_SESSION from the time they log in. When a person logs in there is a page called create_topic.php with the following code:
<?php
include ('dataconnect.php');
$sql1= "SELECT Categoryid, Categoryname, Categorydescription
        FROM Categories";
$result1 = mysqli_query($db,$sql1);
if (!$result1)
{
    echo "<p>No Category Found, Contact the administrator</p>";
}
function getPosts()
{
    $posts = array();
    $posts[0] = $_POST['topic_subject'];
    $posts[1] = $_POST['topic_category'];
    $posts[2] = $_SESSION['username']; var_dump($_SESSION);
    return $posts;
}
if (isset($_POST['createtopicbutton']))
{
    $data = getPosts();
    $sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)
             VALUES('$data[0]','$data[1]', '$data[2]')";
    $result2 = mysqli_query($db,$sql2);
    if ($result2)
    {
        echo "<p> Topic Successfully Created </p>";
    }else{
        echo "<p> Topic NOT! Successfully Created, Contact the administrator </p>" . mysqli_error($db);
    }
}
?>
However when the above code is executed I get the following error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Incorrect integer value: '' for column 'Topic_by' at row 1 VALUES('t' at line 1.
So I did a var_dump and found this:
array (size=3)
'username' => string 'Owner1' (length=6)
'userid' => null
'user_type' => null.
So what I am specifically asking is how can the 'username' be stored but 'userid' and 'user_type' be null when it was stated at the login.php page. Your help and assistance would be greatly appreciated.
Upvotes: 1
Views: 57
Reputation: 9396
Your variables are incorrect, try:
if (isset($_POST['login']))
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);
    $query = "select Username, Userid, user_type from Users
              where username = '$username'
              and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);
    if (mysqli_num_rows($result) == 1)
    {
        $user = mysqli_fetch_assoc($result);
        if ($user ['user_type'] == 'owner')
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:adminmain.php');
        } else
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:usermain.php');
        }
    }
}
Only $username is defined, $userid and $user_type are not, user_type and userid are indexes of $username not separate variables. So, instead use $user, so it will be more readable.
Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!
Upvotes: 1
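The prepared-statement approach the comment above points to, combined with the answer's single $user row, as an added example that is not code from the question or the answer. It assumes databaseconnect.php defines the mysqli handle $db as on the page, that the mysqlnd driver is available for get_result(), and that Users.password holds a hash created with password_hash() rather than the plain text the page's query compares against.

```php
<?php
// Added example. Assumptions: $db comes from databaseconnect.php (as on the page)
// and Users.password stores a password_hash() value, not plain text.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw instead of returning false
session_start();
include('databaseconnect.php');

// Look the user up by name only; user input never becomes part of the SQL text.
function find_user(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT Username, Userid, user_type, password FROM Users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);           // value is bound, not concatenated
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();  // one associative row, or null
    $stmt->close();

    // Unknown user and wrong password are handled identically.
    if (!$user || !password_verify($password, $user['password'])) {
        return null;
    }
    unset($user['password']);                    // keep the hash out of the session
    return $user;
}

if (isset($_POST['login'])) {
    // Reject array-valued fields such as username[]=x before they reach find_user().
    $name = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

    $user = find_user($db, $name, $pass);
    if ($user !== null) {
        session_regenerate_id(true);             // new session id after authentication
        // All three values are read from the same fetched row.
        $_SESSION['username']  = $user['Username'];
        $_SESSION['userid']    = $user['Userid'];
        $_SESSION['user_type'] = $user['user_type'];
        $target = $user['user_type'] === 'owner' ? 'adminmain.php' : 'usermain.php';
        header('Location: ' . $target);
        exit;                                    // nothing else runs after the redirect
    }
    echo '<p>Invalid username or password.</p>';
}
```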