
I have a login page called login.php with the following PHP code:

    <?php
    session_start();
    include('databaseconnect.php');

    if (isset($_POST['login'])) {
        $username = mysqli_real_escape_string($db, $_POST['username']);
        $password = mysqli_real_escape_string($db, $_POST['password']);

        $query = "select Username, Userid, user_type from Users
                  where username = '$username'
                  and password = '$password' LIMIT 1";
        $result = mysqli_query($db, $query);

        if (mysqli_num_rows($result) == 1) {
            $username = mysqli_fetch_assoc($result);
            if ($username['user_type'] == 'owner') {
                $_SESSION['username'] = $username['Username'];
                $_SESSION['userid'] = $userid['Userid'];
                $_SESSION['user_type'] = $user_type['user_type'];
                header('location:adminmain.php');
            } else {
                $_SESSION['username'] = $username['Username'];
                $_SESSION['userid'] = $userid['Userid'];
                $_SESSION['user_type'] = $user_type['user_type'];
                header('location:usermain.php');
            }
        }
    }
    ?>

A person's 'Username', 'Userid' and 'user_type' are supposed to be in $_SESSION from the time they log in. When a person is logged in there is a page called create_topic.php with the following code:

    <?php
    include('dataconnect.php');

    $sql1 = "SELECT Categoryid, Categoryname, Categorydescription
             FROM Categories";
    $result1 = mysqli_query($db, $sql1);

    if (!$result1) {
        echo "<p>No Category Found, Contact the administrator</p>";
    }

    function getPosts()
    {
        $posts = array();
        $posts[0] = $_POST['topic_subject'];
        $posts[1] = $_POST['topic_category'];
        $posts[2] = $_SESSION['username']; var_dump($_SESSION);
        return $posts;
    }

    if (isset($_POST['createtopicbutton'])) {
        $data = getPosts();

        $sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)
                 VALUES('$data[0]','$data[1]', '$data[2]')";
        $result2 = mysqli_query($db, $sql2);

        if ($result2) {
            echo "<p> Topic Successfully Created </p>";
        } else {
            echo "<p> Topic NOT! Successfully Created, Contact the administrator </p>" . mysqli_error($db);
        }
    }
    ?>

However when the above code is executed I get the following error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Incorrect integer value: '' for column 'Topic_by' at row 1 VALUES('t' at line 1.

So I did a var_dump and found this:

    array (size=3)
      'username' => string 'Owner1' (length=6)
      'userid' => null
      'user_type' => null

So what I am specifically asking is: how can 'username' be stored but 'userid' and 'user_type' be null, when they were set on the login.php page? Your help and assistance would be greatly appreciated.

  • Your 1st page has session_start(); and your 2nd page doesn't. Both and ALL that use $_SESSION need to have session_start(); – TimBrownlaw Oct 19 '17 at 08:30
  • If you're using MySQLi please use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) as your query is vulnerable to MySQL injection. Plus it will likely correct the SQL error you are getting. – IsThisJavascript Oct 19 '17 at 08:32
  • Please do not store passwords in plaintext in your database. Use [password_hash](http://php.net/manual/de/function.password-hash.php) and [password_verify](http://php.net/manual/de/function.password-verify.php) instead. – LKKP4ThX Oct 19 '17 at 08:42
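The three comments above each point at a separate defect in login.php: no `session_start()` on the second page, string interpolation into SQL, and plaintext passwords. The following is an added example (not the asker's or answerer's code) of login.php with all three addressed: a prepared statement so the username is bound rather than quoted, `password_verify()` against a stored `password_hash()` digest, and the user id stored as an integer. It assumes `databaseconnect.php` defines `$db` as a mysqli connection, that `Users.password` already holds `password_hash()` output, and that the mysqlnd driver is available for `get_result()`.

```php
<?php
// Added example, not the original page's code: hardened login.php.
// Assumes databaseconnect.php defines $db (mysqli) and Users.password
// holds a password_hash() digest rather than plaintext.
session_start();
include('databaseconnect.php');

if (isset($_POST['login'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['password'] ?? '';

    // The username is a bound parameter, never part of the SQL text,
    // so no escaping is needed and injection through it is not possible.
    $stmt = $db->prepare(
        'SELECT Userid, Username, user_type, password
           FROM Users WHERE Username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    // The submitted password is compared with the stored hash in PHP;
    // it never appears in a query.
    if ($user !== null && password_verify($password, $user['password'])) {
        // A fresh session id after authentication defeats session fixation.
        session_regenerate_id(true);

        $_SESSION['userid']    = (int) $user['Userid'];  // integer, as in the schema
        $_SESSION['username']  = $user['Username'];
        $_SESSION['user_type'] = $user['user_type'];

        $target = ($user['user_type'] === 'owner') ? 'adminmain.php' : 'usermain.php';
        header('Location: ' . $target);
        exit; // nothing below the redirect should run
    }

    // One message for both "no such user" and "wrong password",
    // so the form does not reveal which usernames exist.
    echo '<p>Invalid username or password.</p>';
}
```

Note that `$_SESSION` is only populated after `password_verify()` succeeds, and every other page that reads it still needs its own `session_start()` call before touching `$_SESSION`.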

1 Answer

Your variables are incorrect, try:

 if (isset($_POST['login']))
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);

    if (mysqli_num_rows($result) == 1)
    {
        $user = mysqli_fetch_assoc($result);
        if ($user ['user_type'] == 'owner')
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:adminmain.php');
        } else
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:usermain.php');
        }
    }
}

Only $username is defined; $userid and $user_type are not. user_type and userid are indexes of $username, not separate variables. So use $user instead, which will be more readable.

Warning!

Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe!

  • Hi, it works but why is it storing the 'userid' as a string and not as an integer, which is how it was defined in the database, and because of this when I try to enter data I am getting this error: 'Incorrect integer value: 'Owner1' for column 'Topic_by' at row 1'. Note Owner1 is the username not the userid. – Oct 19 '17 at 10:34
  • @electricslide58 just use `(int)$user['Userid'];` – mega6382 Oct 19 '17 at 10:34
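The last two comments show the follow-on problem: `Topic_by` is an integer column, but create_topic.php was writing `$_SESSION['username']` into it and, before the fix, the id was missing from the session entirely. The following is an added example (not the asker's or answerer's code) of create_topic.php that calls `session_start()` as TimBrownlaw's comment requires, refuses to insert when no user id is in the session, and binds `Topic_by` as an integer through a prepared statement. It assumes `dataconnect.php` defines `$db` as a mysqli connection, that `Topics.Topic_by` references `Users.Userid`, and that login.php stored `$_SESSION['userid']` as an integer.

```php
<?php
// Added example, not the original page's code: create_topic.php with
// session_start() and a prepared INSERT. Assumes dataconnect.php defines
// $db (mysqli) and that login.php put an integer in $_SESSION['userid'].
session_start();
include('dataconnect.php');

// Without a logged-in user there is no Userid to write, so bounce to the
// login page instead of letting an empty string reach an INT column.
if (!isset($_SESSION['userid'])) {
    header('Location: login.php');
    exit;
}

if (isset($_POST['createtopicbutton'])) {
    $subject  = trim($_POST['topic_subject'] ?? '');
    $category = (int) ($_POST['topic_category'] ?? 0);
    $author   = (int) $_SESSION['userid'];   // the numeric id, not the username

    if ($subject === '' || $category <= 0) {
        echo '<p>Subject and category are required.</p>';
    } else {
        $stmt = $db->prepare(
            'INSERT INTO Topics (Topic_subject, Topic_category, Topic_by)
             VALUES (?, ?, ?)'
        );
        // Type string: s = string, i = integer. MySQL receives a real integer
        // for Topic_by, so the "Incorrect integer value" error cannot recur.
        $stmt->bind_param('sii', $subject, $category, $author);

        if ($stmt->execute()) {
            echo '<p>Topic successfully created.</p>';
        } else {
            // Keep driver error text in the server log, not in the HTML response.
            error_log('Topic insert failed: ' . $stmt->error);
            echo '<p>Topic not created, contact the administrator.</p>';
        }
        $stmt->close();
    }
}
```

Binding the values removes the need for `mysqli_real_escape_string()` altogether, and the `i` type in `bind_param()` makes the integer intent explicit rather than relying on MySQL's string-to-number coercion.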