0

I can't get the value of the session variable to insert it into my DB. lat and lng are Doubles.

$lat = mysql_real_escape_string($lat);
$lng = mysql_real_escape_string($lng);


$sql="INSERT INTO POINT (LocationLat,LocationLngme,UserName) VALUES (&lat,&lng,$usr)";
mysql_query($sql);

?>
Zhexa

2 Answers

6

session_start() must be at the top of any page you wish to use sessions:

<?php
session_start();
$lat = $_REQUEST['lat'];
$lng = $_REQUEST['lng'];
// Read the username from the session; the query below adds the quotes
$usr = $_SESSION['username'];

$lat = mysql_real_escape_string($lat);
$lng = mysql_real_escape_string($lng);


$sql="INSERT INTO POINT (LocationLat,LocationLngme,UserName) VALUES ('$lat','$lng','$usr')";
mysql_query($sql);

?>

FYI, you are missing quotes around your string values in your query.

And please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

You are also wide open to SQL injections

Community
John Conde
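
The prepared-statement approach recommended in the answer above, sketched with PDO as an added example that is not part of the original answer. The table and column names come from the question; the function name `insertPoint`, the in-memory SQLite connection (used so the script runs offline) and the sample values are assumptions.

```php
<?php
// Added example: table/column names are from the question; insertPoint(),
// the SQLite DSN and the sample inputs are assumptions for illustration.

function insertPoint(PDO $pdo, $rawLat, $rawLng, $rawUser): bool
{
    // lat/lng are doubles: validate type and range instead of escaping them.
    $lat = filter_var($rawLat, FILTER_VALIDATE_FLOAT);
    $lng = filter_var($rawLng, FILTER_VALIDATE_FLOAT);
    if ($lat === false || $lng === false
        || abs($lat) > 90 || abs($lng) > 180
        || !is_string($rawUser) || $rawUser === '') {
        return false; // reject bad input before it reaches the database
    }

    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'INSERT INTO POINT (LocationLat, LocationLngme, UserName)
         VALUES (:lat, :lng, :usr)'
    );
    return $stmt->execute([':lat' => $lat, ':lng' => $lng, ':usr' => $rawUser]);
}

// In-memory SQLite so the example runs offline. For MySQL, use a DSN such as
// 'mysql:host=...;dbname=...;charset=utf8mb4' and set
// PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE POINT (LocationLat REAL, LocationLngme REAL, UserName TEXT)');

// Constructed inputs standing in for $_REQUEST['lat'], $_REQUEST['lng'] and
// $_SESSION['username'] (available only after session_start()).
$samples = [
    ['42.6977', '23.3219', 'zhexa'],
    ['42.6977', '23.3219', "O'Brien"],     // a quote that breaks a concatenated query
    ['not-a-number', '23.3219', 'zhexa'],  // fails float validation
];
foreach ($samples as [$lat, $lng, $usr]) {
    var_dump(insertPoint($pdo, $lat, $lng, $usr));
}
echo $pdo->query('SELECT COUNT(*) FROM POINT')->fetchColumn(), " rows stored\n";
```

Because the username is bound as a parameter, it needs neither manual quoting nor `mysql_real_escape_string()`.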
0

@John Conde's answer might work for you, but it is better to do the following:

<?php
session_start();
$lat = mysql_real_escape_string( trim( $_REQUEST['lat'] ) );
$lng = mysql_real_escape_string( trim( $_REQUEST['lng'] ) );
$usr = mysql_real_escape_string( trim( $_SESSION['username'] ) );

$sql="INSERT INTO `POINT` (`LocationLat`, `LocationLngme`, `UserName`) VALUES ('$lat', '$lng', '$usr')"; 
// Putting '`' backticks around column and table names makes sure some mysql errors are prevented.
mysql_query($sql);

?>

Also take a look at mysqli_* or PDO, since mysql_* is deprecated.

SuperDJ
  • *"backticks around column and table names makes sure some mysql errors are prevented."* - Actually, backticks are used whenever an OP uses a reserved word, or a table/column contains a space or hyphen. – Funk Forty Niner Dec 17 '14 at 19:02
  • @Fred-ii- "*backticks are used whenever an OP uses a reserved word, or a table/column contains a space or hyphen*" That's what I meant. But it usually is a good thing too to do / learn to do in general to prevent errors. – SuperDJ Dec 17 '14 at 19:06
  • @Zhexa As @John Conde stated: "*That's their next question. ;) But I should mention it so this answer is not providing bad information.*" – SuperDJ Dec 17 '14 at 19:11