21

So I was wondering if it would be possible to store data coming in from a form as a session variable.

Here's what I have so far, but I don't know what to put for the Form Action.

Thanks for looking!

<strong>Test Form</strong>
<form action="" method"post">
    <input type="text" name="picturenum"/>
    <input type="submit" name="Submit" value="Submit!" />
</form>

<? 
    if (isset($_POST['Submit'])) { 
        $_session['picturenum'] = $_POST['picturenum'];
    } 
?> 

<strong><? echo $_session['picturenum'];?></strong>
Amaan Iqbal
Kevin Johnson

4 Answers

37

To use session variables, it's necessary to start the session by using the session_start function; this will allow you to store your data in the global variable $_SESSION in a productive way.

So your code will finally look like this:

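<?php
 // starting the session; this must run before any HTML is output,
 // because session_start() sends the session cookie header
 session_start();

 if (isset($_POST['Submit'])) {
     $_SESSION['picturenum'] = $_POST['picturenum'];
 }
?>

<strong>Test Form</strong>
<form action="" method="post">
<input type="text" name="picturenum"/>
<input type="submit" name="Submit" value="Submit!" />
</form>

<?php // escape on output: the stored value came from the user ?>
<strong><?php echo htmlspecialchars($_SESSION['picturenum'] ?? '', ENT_QUOTES, 'UTF-8'); ?></strong>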

To make it easy to use and to avoid forgetting it again, you can create a session_file.php, which you will want to include in all your code and which will start the session for you:

session_start.php

 <?php
   session_start();
 ?> 

And then include it wherever you like:

<?php
 // including the session file first, before any HTML is output
 require_once("session_start.php");

 if (isset($_POST['Submit'])) {
     $_SESSION['picturenum'] = $_POST['picturenum'];
 }
?>

<strong>Test Form</strong>
<form action="" method="post">
<input type="text" name="picturenum"/>
<input type="submit" name="Submit" value="Submit!" />
</form>

That way it is more portable and easy to maintain in the future.

Other remarks

  • If you are using Apache version 2 or newer, be careful: instead of `<?` to open PHP's tags, use `<?php`, otherwise your code will not be interpreted.

  • Variable names in PHP are case-sensitive; instead of writing $_session, write $_SESSION in capital letters.

Good work!

Fopa Léon Constantin
  • Is it possible to retrieve input values using their id rather than name? – Amyunimus Oct 30 '13 at 05:40
  • Dumb question. If you start a session and then do (accidentally) another `session_start();` does that wipe all the data of the first session? – BeNice Jan 25 '16 at 07:11
  • 1
    @OldMauiMan, calling `session_start();` (accidentally) twice in the same code will not do anything wrong. The only way to wipe out all the data is to use `session_destroy();` – Fopa Léon Constantin Jan 27 '16 at 04:48
  • 1
    Thanks for that. I know people don't like that but how do you say thank you for helpful info here? (I am British and CANNOT not say thank you). – BeNice Jan 27 '16 at 05:16
  • @OldMauiMan, the profitable way is to vote up their answer (the number to the left of the answer title). However, just saying thanks is fine for me ;-) – Fopa Léon Constantin Jan 27 '16 at 08:57
  • @Amyunimus, it is not possible to retrieve values using their id, because those ids are not sent in the `$_POST` variable on the server side. They are only useful on the client side (using JavaScript). – Fopa Léon Constantin Feb 12 '16 at 14:48
  • When I changed the button from an input element to a button element, the value returned by $_SESSION is then used as the value of – mario64 Jul 14 '16 at 11:43
7

That's perfectly fine and will work. But to use sessions you have to put session_start(); on the first line of the php code. So basically

<?php
session_start();

//rest of stuff

?>
NullUserException
kjones1876
2

Yes this is possible. kizzie is correct with the session_start(); having to go first.

Another observation I made is that you need to filter your form data using:

strip_tags($value);

and/or

stripslashes($value);
Josh Crozier
Todd Moses
  • So basically this just sanitizes the data? – Kevin Johnson Sep 24 '10 at 22:45
  • 2
    -1 This is a totally useless answer. `stripslashes()` is useless now that magic quotes are off by default (and also this would "de-sanitize" your data if anything). Also why would you want to do `strip_tags()` (or `stripslashes()`) on information you save to sessions? – NullUserException Sep 25 '10 at 02:16
  • 1
    You cannot be guaranteed that magic quotes are off. I have worked with too many clients who used hosting they had no control over and magic quotes was on. It is a best practice to assume nothing. What if the code is moved or the host changes the settings, etc... – Todd Moses Sep 25 '10 at 04:35
  • 2
    If the data is coming from the user then you want to treat it as dangerous. Where is that data going to go - maybe the DB, etc... The point is to protect your site. Because down the road another developer may be working on the site and use the user data for something else without checking for filtering. – Todd Moses Sep 25 '10 at 04:44
  • 3
    htmlspecialchars for displaying data, prepare statements for inserting into db ;/ – Andy Lobel Aug 20 '13 at 10:53
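
The disagreement in the comments above comes down to where each defence belongs: validate on input, escape on output for the context the value lands in. The page below is an added example, not code from any answer in this thread; it assumes PHP 7.3+ and that `picturenum` is a whole number between 1 and 9999 (the range and the `h()` helper are assumptions made for illustration).

```php
<?php
// Added example (not from any answer above). Assumes PHP 7.3+ and that
// "picturenum" is meant to be a whole number from 1 to 9999 (an assumption;
// the question does not say what the field holds).
declare(strict_types=1);

// Must run before any output: it sends the session cookie header.
session_start([
    'cookie_httponly' => true,   // keep the session id away from JavaScript
    'cookie_samesite' => 'Lax',
    // 'cookie_secure' => true,  // enable when the site is served over HTTPS
]);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate on input: accept only what the field is supposed to hold.
    // filter_input() returns null if the field is missing, false if invalid.
    $num = filter_input(INPUT_POST, 'picturenum', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 9999]]);
    if ($num === null || $num === false) {
        $error = 'Please enter a picture number between 1 and 9999.';
    } else {
        $_SESSION['picturenum'] = $num;   // stored as an int, nothing to strip
    }
}

// Escape on output, for the context the value lands in (HTML text here).
// h() is a hypothetical helper name used only in this example.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
?>
<strong>Test Form</strong>
<form action="" method="post">
    <input type="text" name="picturenum"/>
    <input type="submit" name="Submit" value="Submit!" />
</form>
<?php if ($error !== ''): ?>
<p><?= h($error) ?></p>
<?php endif; ?>
<strong><?= h($_SESSION['picturenum'] ?? '') ?></strong>
```

If the same value later goes into a database, it is passed as a bound parameter of a prepared statement rather than being stripped or escaped at this point.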
1

You can solve this problem using this code:

if (!empty($_GET['variable from which you get'])) {
    $_SESSION['something'] = $_GET['variable from which you get'];
}

So you get the variable from a GET form and store it in the $_SESSION['whatever'] variable just once, when $_GET['variable from which you get'] is set, and if it is empty, $_SESSION['something'] will store the old parameter.

giuseppe