Select query not showing with $_SESSION variable

Question

The output isn't showing through the variables in the $userInfo. When I use print_r($_SESSION) it shows all the output in $userInfo for some reason. I set the $_SESSION on the last page and I know it's working. Again when I user print_r to show the session info all the variables show up in $userInfo.

    <?php
    session_start();
    error_reporting (E_ALL ^ E_NOTICE);
    include "convenienttomysql.php";
    //include "convenientglobal2localhost.php";

    if (isset($_SESSION['userId'])) {
      $pid = $_SESSION['userId'];
       $results = mysql_query("SELECT * FROM register WHERE userId='$pid'")or die(mysql_error());

    while($rowp=mysql_fetch_array($results)){

     $address1=$rowp['address1'];
     $address2=ucfirst($rowp['address2']);
     $city=ucfirst($rowp['city']);
     $region=$rowp['region'];
     $postalCode=$rowp['postalCode'];
     $country=$rowp['country'];
     $shippingRegion=$rowp['shippingRegion'];
     $userInfo='<table id="addressTableOutput">
         <tr>
            <td colspan="2"id="tableTh"> Address Info</td>
         </tr>
        <tr>
            <td>Address 1:</td><td> '.$address1.'</td>
        </tr>
        <tr>
        <td>Address 2:</td><td> '.$address2.'</td>
        </tr>
        <tr>
                <td>City:</td><td> '.$city.'</td>
          </tr>
          <tr>
           <td> Region:</td><td> '.$region.'</td>
          </tr>
          <tr>
           <td>Postal Code:</td><td> '.$postalCode.'</td>
            </tr>
            <tr>
           <td>Country:</td><td>'.$country.'</td>
            </tr><tr>
           <td>Shipping Region:</td><td> '.$shippingRegion.'</td>
          </tr>
            <tr>
               <td id="editTd"><a id="edit" href="convenienteditaddress.php">Edit</a></td>
            </tr>
        </table>';
 }
    }
    $errors= array();

     if (isset($_POST['submit'])){

        $address1=$_POST['address1'];
         $address2 = $_POST['address2'];
        $city = $_POST['city'];
        $region=$_POST['region'];
        $postalCode=$_POST['postalCode'];
        $country=$_POST['country'];
        $shippingRegion=$_POST['shippingRegion'];
        $msg_to_user="";

        if(empty($address1) || empty($city)|| empty($region)|| empty($country)|| empty($shippingRegion)|| empty($postalCode)){

      $errors[] = "<span id='asterisk'>*</span>All fields need to be filled in.<span id='asterisk'>*</span>";
        }
        else{
        if(strlen($postalCode) > 5){
        $errors[] ="<span id='asterisk'>*</span>Postal Code length is 5 characters.<span id='asterisk'>*</span>";
        }
        if(empty($region)){
        $errors[]="<span id='asterisk'>*</span>Select a Region.<span id='asterisk'>*</span>";
        }
        if(empty($shippingRegion)){
        $errors[]="<span id='asterisk'>*</span>Select a shipping region.<span id='asterisk'>*</span>";
        }
        if(strlen($country)< 2){
        $errors[]="<span id='asterisk'>*</span>Please enter a country.<span id='asterisk'>*</span>";
        }
        }

        if(!empty($errors)){
        foreach($errors as $error){
            $msg_to_user2= "$error";
        }
        }
        else{

    $check = mysql_query("UPDATE register SET address1='$address1',address2='$address2',city='$city',region='$region',postalCode='$postalCode',country='$country',shippingRegion='$shippingRegion' WHERE userId='$pid'")or die(mysql_error());
       }
     }


     ?>

    <html>
    <body>
    <?php echo $userInfo;?>
    </body>
    </html>

Your question isn't worded very clearly. I'll try to help as best as I can, but you need to approach this as though we have no idea what you're trying to accomplish and no idea what your code is actually producing (which is exactly the case). — Matt, Jul 25 '12 at 20:01
OH NO! SQL Injection! This means your code is very easy to hack. It's not late to learn what you're doing wrong. [Best way to prevent SQL Injection in PHP](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php), [XKCD SQL injection — please explain](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain) — kapa, Jul 25 '12 at 20:02
Based on the code he provided, SQL injection is the least of Ryan's problems - it's clear that he's still new. Let's take this one step at a time. — Matt, Jul 25 '12 at 20:05
@Matt I will never agree with this. Beginners should be taught in the earliest stages about this... before any of their code goes to production (this happens very early with PHP programmers, so this is very important). The risk is way too big. — kapa, Jul 25 '12 at 20:09
Tip: if that query can only ever return a single record, there's no need to fetch data in a loop - the loop would only interate once — Marc B, Jul 25 '12 at 20:11
@bažmegakapa I agree that the risk is big. Should we also be mentioning that msql_* functions are being deprecated and shouldn't be used anymore? Prevention of SQL injection may be a half-step above Ryan's skill/knowledge level at this point. Perhaps once he's more familiar with MVC tiered code he'll be ready. (Sorry for talking about you like you're not even here, @Ryan) — Matt, Jul 25 '12 at 20:15
@Matt The problem with `mysql_` is mentioned in the links I posted. I completely disagree with you though. The first time you write a query with data inserted from the outside, you must hear about SQL injection. Any other date is too late. If someone is ready to write `mysql_query`, he must also be ready to escape (or even better, start with PDO - unluckily some people wrongly think it is too advanced...). MVC is not needed to write a functional webpage - SQL Injection prevention is. But let's finish this here. — kapa, Jul 25 '12 at 20:33
@bažmegakapa you have convinced me. I take back my previous opinion on the matter. — Matt, Jul 25 '12 at 21:20

score 1 · Answer 1 · answered Jul 25 '12 at 20:08

1

The first thing I noticed is that your echo statement is outside the scope in which you defined $userInfo. The second is that you're assigning $userInfo on each pass of the while loop. Fix these two problems like this:

//beginning of code; session_start, error_reporting, include;
$userInfo = '';
//in the while loop:
$userInfo .= //... whatever it is

Note this is essentially what Matt was trying to get at.

answered Jul 25 '12 at 20:08

Palladium

3,723
4
15
19

Ok, i've made the adjustments and it hasn't worked. And don't be discouraged about bad programming b/c i'm just making training sites and I got ahead of myself with getting this question out there. It's just frustration from not working that I forgot all this coding. but please keep going. – Ryan Lackey Jul 25 '12 at 20:20
@RyanLackey And when you use `print_r($_SESSION);` instead of `echo $userInfo;` it shows everything that `echo $userInfo` should? – Palladium Jul 25 '12 at 20:27
1

I got it!! The width on the table that was outputting the information was on inherit and didn't allow the variables to show!! – Ryan Lackey Jul 25 '12 at 20:43
@RyanLackey Congrats! Best of luck with all your other coding endeavours. – Palladium Jul 25 '12 at 20:45

score 0 · Answer 2 · answered Jul 25 '12 at 20:00

The first thing I noticed is that you're not appending anything to $userInfo before echoing it - you're just overwriting the value of the variable.

Try this and see if it helps:

$userInfo = "";
.
.
.
$userInfo .= "<table>...</table>";
.
.
.
<?php echo $userInfo; ?>

Select query not showing with $_SESSION variable

2 Answers2