-2

I have a table (news) with different column names. With my code, a new row with these can be added to the database with a text post, which is then echoed in my website.

However, just recently, it stopped working and I noticed that every column name would get updated normally except the one which defines what user has made said post (idUSERS). It has just stopped working recently, and the website outputs no error when I run the code. I use $_SESSION["idUSERS"] to get the current logged-in user's ID.

<?php

session_start();

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "intranet";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: Please try again later" . $conn->connect_error);
}

//$fecha = date("d-m-y");
$fecha = $_POST['news_date'];

// Form fields and the session value are concatenated straight into the SQL text
$sql = "INSERT INTO news (title, description, date, tipo, idUSERS)
        VALUES ('".$_POST['txtTitle']."', '".$_POST['txtNews']."', '".$fecha."', '".$_POST['cboTipo']."', '".$_SESSION["idUSERS"]."')";

// $result is never inspected, so a failed INSERT produces no visible error
$result = $conn->query($sql);

$conn->close();

header("Location: DelkoINT_home.php");
exit; // stop the script after the redirect header

?>

Database ref. image: https://i.stack.imgur.com/D4y94.png

<?php

session_start();

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "intranet";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

// Username and password from the form are concatenated directly into the query
$sql = "Select * from login_info where loginUsername ='".$_POST['username']."' and loginPassword ='".$_POST['password']."'";

$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // Copy the matched row's columns into the session for the other pages
    $row = $result->fetch_assoc();
    $_SESSION["idLOGIN"]  = $row["idLOGIN"];
    $_SESSION["idUSERS"]  = $row["idUSERS"];
    $_SESSION["admin"]    = $row["user_type"];
    $_SESSION["surname"]  = $row["userSurname"];
    header("Location: intranet/DelkoINT_home.php");
    exit; // stop the script after the redirect header
}
else {
    echo "<font color='red'>The username or password is incorrect!</font><br/>
          <a href='Delko_login.php'>Click here to go back</a>";
}

$conn->close();

?>

Session data var_dump on the MySQL writing page:

array(4) {
    ["idLOGIN"]=> string(1) "2"
    ["idUSERS"]=> NULL
    ["admin"]=> string(1) "1"
    ["surname"]=> NULL
}
  • 3
    You are wide open for SQL injection. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). **This will take care of any pesky quoting issues that may occur.** – aynber Sep 07 '17 at 13:54
  • Have you echoed out the query to verify that the query looks like it should, and that `$_SESSION["idUSERS"]` has the value you think it should? – aynber Sep 07 '17 at 13:56
  • I am aware of that, but this is a school project only. – Franco Soto Sep 07 '17 at 13:56
  • 1
    It doesn't matter if it's a school project or not. You can ignore the security aspects and instead take advantage of not ever having to worry about quoting issues: no more making sure that the quotes are correct and that the data you're inputting doesn't have a quote that's throwing off the whole query. – aynber Sep 07 '17 at 13:58
  • 4
    @FrancoSoto the earlier you understand that security is important the better. Even though it is a school project you can still learn a lot - and actually school is the best place to learn to get into the habit of doing things properly. Ignoring security concerns because it is a school project is not a smart idea. – Script47 Sep 07 '17 at 13:58
  • what does `var_dump($_SESSION);` tell you, after the `session_start();` call? – Martin Sep 07 '17 at 14:04
  • Fair enough, I understand the importance of security, which is something I will have to self-teach and definitely implement in my next project, and if I have time I will do so in this one first. Anyways, echoing the session returns an "Undefined index: idUSERS" – Franco Soto Sep 07 '17 at 14:04
  • 3
    Can you show where the session is saving `idUSERS`? – Hamza Zafeer Sep 07 '17 at 14:06
  • 2
    First thing you do when debugging: Enable error-reporting! Add `error_reporting(E_ALL); ini_set('display_errors', 1);` directly after ` – Qirel Sep 07 '17 at 14:12
  • I edited my post with the code which shows where the session is saving. Also, the error reporting didn't show me anything. – Franco Soto Sep 07 '17 at 14:25
  • Are you sure that you're getting within the `if ($result ->num_rows >0) {` block? – Patrick Q Sep 07 '17 at 14:35
  • @FrancoSoto ok, so show us the code (*in your question*) where you set the value of `idUSERS` – Martin Sep 07 '17 at 14:52
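The login script in the question builds its WHERE clause by concatenating `$_POST['username']` and `$_POST['password']` into the SQL string, which is the injection hole aynber and Script47 point at, and it compares the password as stored text. The following is an added example, not code from the question or from any answer, of the same login flow using the mysqli prepared statement and `bind_param` the comments recommend, plus PHP's `password_verify()`. It assumes a `login_info` table with the columns the question's code reads (`idLOGIN`, `idUSERS`, `user_type`, `userSurname`) whose `loginPassword` column holds `password_hash()` output, a PHP build with mysqlnd (needed for `get_result()`), and the same connection parameters and redirect target as the question; it also refuses to create a session when the matched row has no `idUSERS`, which is the state the var_dump above shows.

```php
<?php
// Added example (not the question's code): login with a prepared statement.
// Assumes a login_info table with idLOGIN, idUSERS, user_type, userSurname
// and a loginPassword column containing password_hash() output.
session_start();

// Surface MySQL errors as exceptions instead of letting queries fail silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli("localhost", "root", "", "intranet");

function authenticate(mysqli $conn, string $username, string $password): ?array
{
    // The submitted username never becomes part of the SQL text; it is sent
    // separately as a bound parameter, so quotes in it cannot alter the query.
    $stmt = $conn->prepare(
        "SELECT idLOGIN, idUSERS, user_type, userSurname, loginPassword
           FROM login_info
          WHERE loginUsername = ?"
    );
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd
    $stmt->close();

    // Compare against the stored hash rather than selecting on a plain-text column.
    if ($row === null || !password_verify($password, (string) $row['loginPassword'])) {
        return null;
    }
    unset($row['loginPassword']);
    return $row;
}

$username = $_POST['username'] ?? '';
$row = authenticate($conn, $username, $_POST['password'] ?? '');
$conn->close();

if ($row === null) {
    echo "<span style='color:red'>The username or password is incorrect!</span><br/>"
       . "<a href='Delko_login.php'>Click here to go back</a>";
    exit;
}

// Fail closed: do not start a session that lacks the user id the news-insert
// page depends on; log it so the data problem is visible instead of a NULL
// travelling onward into the next INSERT.
if ($row['idUSERS'] === null) {
    error_log("login_info row for user '$username' has no idUSERS");
    die("This account is not linked to a user record.");
}

session_regenerate_id(true);            // fresh session id after a privilege change
$_SESSION['idLOGIN'] = $row['idLOGIN'];
$_SESSION['idUSERS'] = $row['idUSERS'];
$_SESSION['admin']   = $row['user_type'];
$_SESSION['surname'] = $row['userSurname'];

header("Location: intranet/DelkoINT_home.php");
exit;
```

With `MYSQLI_REPORT_STRICT` enabled, a missing column in the SELECT list (for example if `login_info` has no `idUSERS`) throws a `mysqli_sql_exception` on `prepare()` rather than quietly yielding NULL, which is the kind of check Qirel's error-reporting comment is after.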

1 Answer

-1

What I am able to interpret is that you have an issue in the way you format your query request and assign values to it. You should write the SQL statement in the following way:

    // Values are interpolated into a double-quoted string with {$...} syntax
    $sql = "INSERT INTO booking ( EMAIL, PASENGER_NAME,
            CONTACT_NUMBER, UNIT_NUM, STREET_NUM, STREET_NAME, SUBURB,
            DESTINATION_SUBURB, PICK_DATE_TIME, BOOKING_DATE_TIME )
            VALUES ( '{$_SESSION['EMAIL']}', '$Passenger_Name',
            '$Phone', '$Unit_num', '$Street_num', '$Street_name',
            '$Suburb', '$Dest_Suburb', '$Pickup_Date_Time',
            '$current_time' )";

What I meant is that you should write the SQL statement without double quotes, especially where you use a session variable; instead write it like {$_SESSION['EMAIL']}. Same for the others: if you are using the $_POST format then you can write it as {$_POST['txtTitle']}, {$_POST['txtNews']}, {$_SESSION['idUSERS']}. Also check that you define the session variable on the previous page, such as $_SESSION['idUSERS'] = $_POST['idusers'], and that you are using letters in the right case, as lowercase and uppercase matter. Just do this and I am sure you will definitely resolve your problem.

If you still get a problem, let me know; in that case I will tell you a trick which can help you find the error point in your code.
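Whichever interpolation style is used, putting request and session values into the INSERT string keeps the query injectable, and because the question's script never inspects `$result`, a failed insert (for instance a NOT NULL or foreign-key violation on `idUSERS` when the session value is NULL) goes unnoticed, which matches the "no error" symptom described. This added example, which is neither the answerer's code nor the question's, rewrites the news insert with `bind_param`, refuses to run when the session has no `idUSERS`, and enables mysqli exception reporting so a failed insert is logged instead of silently redirecting. It assumes the `news` table, form field names and session keys from the question, that `idUSERS` is an integer column, and that `news.date` accepts the posted date string as-is.

```php
<?php
// Added example (not the answer's or the question's code): the news insert
// with a prepared statement, a session guard and visible error reporting.
// Assumes the news table and form fields from the question; idUSERS is
// assumed to be an integer column.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Never write a post without a known author: if login did not populate the
// session, stop here instead of sending NULL or "" into idUSERS.
if (empty($_SESSION['idUSERS'])) {
    http_response_code(403);
    die("Not logged in.");
}

$conn = new mysqli("localhost", "root", "", "intranet");

function insertNews(mysqli $conn, string $title, string $body, string $date,
                    string $tipo, int $idUsers): int
{
    // Placeholders keep user input out of the SQL text entirely; the "ssssi"
    // type string tells mysqli to send four strings and one integer.
    $stmt = $conn->prepare(
        "INSERT INTO news (title, description, date, tipo, idUSERS)
         VALUES (?, ?, ?, ?, ?)"
    );
    $stmt->bind_param("ssssi", $title, $body, $date, $tipo, $idUsers);
    $stmt->execute();                 // throws mysqli_sql_exception on failure
    $newId = $stmt->insert_id;
    $stmt->close();
    return $newId;
}

try {
    $newId = insertNews(
        $conn,
        $_POST['txtTitle']  ?? '',
        $_POST['txtNews']   ?? '',
        $_POST['news_date'] ?? date('Y-m-d'),   // assumed date format
        $_POST['cboTipo']   ?? '',
        (int) $_SESSION['idUSERS']
    );
} catch (mysqli_sql_exception $e) {
    // Record the real cause (e.g. a NOT NULL or foreign-key violation on
    // idUSERS) for the developer; show the user only a generic message.
    error_log("news insert failed: " . $e->getMessage());
    $conn->close();
    die("Could not save the post.");
}

$conn->close();
header("Location: DelkoINT_home.php");
exit;
```

Checking `error_log` output after a failed submit (rather than only the page, which still shows nothing to the visitor) is the quickest way to see why `idUSERS` is not being written.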
