
I have been trying to figure this out for years. I have a website with 500 users per day logging in, and often when they submit a news article, oddly, for a few users $_SESSION['user'] is lost and becomes null.

What is causing this? I thought this was a browser problem initially, but I checked and it works fine for me.

With the lost session variable the database INSERT also fails.

I use Smarty, PHP 5 and Apache on a dedicated server. Here is the part of the code I am reproducing:

When $_SESSION['user'] is null, mysql_insert_id() also becomes NULL.

```php
<?php
session_start();
if(!isset($_SESSION['user']))
{
header("Location: /login.php");
}

mysql_query("INSERT into press_releases
            (`date`,`category`,`title`,`desc`,`body`,`company`,`address`,`tel`,`url`,`keywords`
            ,`email`,`contribution`,`sponsored`,`user_ip`)
            VALUES
            ('$date','$data[category]','$data[title]','$data[desc]','$data[content]','$data[company]', '$data[address]','$data[tel]','$data[url]'
            ,'$data[keywords]','$_SESSION[user]','$contribution','$sponsored','$user_ip')
            ",$link) or die("Insertion Failed:" . mysql_error());
//  echo "<h3>Thank You</h3> We received your submission.";

    $id = mysql_insert_id($link);
    // IMPORTANT: Place front slash here when uploaded to server

?>
```
pbu

  • There is not enough here really to deduce the cause of your problem but your code is using the now outdated and deprecated `mysql_` API and is vulnerable to SQL injection – Professor Abronsius Nov 14 '17 at 15:43
  • Maybe the sessions are expiring? – chris85 Nov 14 '17 at 15:46
  • You should include exit after a header redirect to prevent code from being executed. – Raymond Nijland Nov 14 '17 at 15:46
  • _"oddly for few users $_SESSION['user'] is lost and becomes null."_ Probably because the content they're submitting contains a single quote which breaks your SQL. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Nov 14 '17 at 15:49
  • I don't think sessions are expiring because they submit immediately after they log in. – pbu Nov 14 '17 at 15:52
  • I do filter data and escape before inserting, so I don't think that is the problem. – pbu Nov 14 '17 at 15:55
  • "I do filter data and escape before inserting"...show us then, there's no evidence of that in your snippet. Perhaps it's done incorrectly. And also that still doesn't fix the fact that you're using a DB code library which was killed off years ago. If you migrate to PDO as suggested, then you can just use parameters, and all your escaping problems will go away because the PDO layer does it for you. I guess maybe this is an old legacy system you're trying to stop from creaking too much? – ADyson Nov 14 '17 at 16:49
  • Thank you @RaymondNijland. I increased the session timeout to 1h. Let's see. – pbu Nov 14 '17 at 18:48
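The two fixes the comments ask for, written out as an added example (not the asker's code): the same INSERT with PDO prepared statements so a quote in a submitted field is stored as data rather than ending the SQL string literal, and `exit` after the redirect so the insert cannot run for a visitor with no session. It assumes `$data`, `$date`, `$contribution`, `$sponsored` and `$user_ip` are populated as in the snippet above, and the DSN and credentials are placeholders.

```php
<?php
// Added example, not the original code. Assumes $data, $date, $contribution,
// $sponsored and $user_ip are set as in the asker's snippet; DB_* values are placeholders.
session_start();

if (!isset($_SESSION['user'])) {
    header('Location: /login.php');
    exit; // without this the INSERT below still executes for a logged-out visitor
}

try {
    $pdo = new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );

    // Column names stay fixed in the query; every submitted value is a bound parameter,
    // so quotes or SQL keywords in the title or body never change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO press_releases
            (`date`, `category`, `title`, `desc`, `body`, `company`, `address`, `tel`, `url`,
             `keywords`, `email`, `contribution`, `sponsored`, `user_ip`)
         VALUES
            (:date, :category, :title, :desc, :body, :company, :address, :tel, :url,
             :keywords, :email, :contribution, :sponsored, :user_ip)'
    );
    $stmt->execute([
        ':date'         => $date,
        ':category'     => $data['category'],
        ':title'        => $data['title'],
        ':desc'         => $data['desc'],
        ':body'         => $data['content'],
        ':company'      => $data['company'],
        ':address'      => $data['address'],
        ':tel'          => $data['tel'],
        ':url'          => $data['url'],
        ':keywords'     => $data['keywords'],
        ':email'        => $_SESSION['user'], // same mapping as the original: session user -> email column
        ':contribution' => $contribution,
        ':sponsored'    => $sponsored,
        ':user_ip'      => $user_ip,
    ]);
    $id = (int) $pdo->lastInsertId(); // replaces mysql_insert_id($link)
} catch (PDOException $e) {
    // Log the driver message server-side instead of echoing it to the visitor as die(mysql_error()) did.
    error_log('press_releases insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Submission failed');
}
```

With `ERRMODE_EXCEPTION` a failed execute throws instead of silently continuing, so a row is never reported as inserted when it was not.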

0 Answers