getting the current user id using session variable

Question

The code below prints the correct user id of the current user but stores only 0 or 1 into the

database. I don't understand the problem with the code. Your help will be most appreciated

<?php  
 $user_id=print_r($_SESSION["id"]);

      if(isset($_POST['submit'])){ 

          $host = "";
          $db_name = "";
          $username = "";
          $password = "";

          $link=mysqli_connect($host, $username, $password, $db_name);

          //filename as image_path
          $filename=$_FILES['file']['name'];
          $filetmp=$_FILES['file']['tmp_name'];
          $image_title=$_POST['text'];
          $target="uploaded/".$filename;

          $date_time = date('Y-m-d H:i:s');
          $image_url="http://.....".$filename;

              if($filename!=""){

                  $sql="INSERT INTO images (image_path,created,image_url,image_title,user_id) VALUES('$filename','$date_time','$image_url','$image_title','$user_id')";
                  mysqli_query($link,$sql);

                   if(move_uploaded_file($filetmp,$target)){

                       echo "Image uploaded Successfully";

                   }
                   else{

                        echo "Failed to upload !!";
                   }

              }else{

                   echo "Please insert a valid image !!";
              }
      }
 ?>

Please read up on [SQL Injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Adder, Mar 09 '18 at 11:49

score 1 · Answer 1 · answered Mar 09 '18 at 11:56

1

You are using print_r on $_SESSION["id"] so it expect that $_SESSION["id"] is an array try using: $user_id = $_SESSION["id"];

or

echo $_SESSION["id"]

to print it

answered Mar 09 '18 at 11:56

Rvdrichard

335
3
12

yes i did like that.it prints the correct value outside the if statement but not inside it – Udipta Gogoi Mar 09 '18 at 12:44
Can you update the full code? I only see one place where you are trying to print. – Rvdrichard Mar 09 '18 at 12:48
The code you posted is still wrong it should be $user_id= $_SESSION["id"]; – Rvdrichard Mar 09 '18 at 13:04
Giving the same problem – Udipta Gogoi Mar 09 '18 at 13:07
Did you use session_start(); at the top of the page? Also try using print_r($_SESSION) what output does it give you? – Rvdrichard Mar 09 '18 at 13:09
yes i did .Session is working well.print_r gives the output of 49 which is correct user id – Udipta Gogoi Mar 09 '18 at 13:12
but in database it stores 0 or 1 only – Udipta Gogoi Mar 09 '18 at 13:12
The column in your database what kind of type does your column take? – Rvdrichard Mar 09 '18 at 13:20
user_id is int(11) type – Udipta Gogoi Mar 09 '18 at 13:28
I think your problem is that you are trying to threat '$userid' as a string when you send it to the database it will show up as '$userid' which evaluates to 0 remove the quotes and just put $userid in your insert statement – Rvdrichard Mar 09 '18 at 13:37
it fails storing the image details completely in the database – Udipta Gogoi Mar 09 '18 at 13:50
What about the user id did that save correctly in the database. I am not sure what kind of type you are storing for the other types. But you need to be careful with quotes and double quotes. – Rvdrichard Mar 09 '18 at 14:00
it stores 0 in the user_id column which is int type – Udipta Gogoi Mar 09 '18 at 14:04

score 0 · Answer 2 · edited Mar 09 '18 at 12:23

0

You are trying to store assign printed value of session id to variable, but it actually assigning print function return value.

You should try following part of code:

$user_id=$_SESSION["id"];

it makes sense to store SESSION array with id key value to $user_id variable.

edited Mar 09 '18 at 12:23

Keyur Potdar

7,158
6
25
40

answered Mar 09 '18 at 12:16

user9467205

1
1

it was a typing mistake in the question.I wrote exatctlly like as you said but did not work.As i said it prints the $user_id outside the if statement correctly but not inside it.What should be the cause? – Udipta Gogoi Mar 09 '18 at 12:53

score 0 · Answer 3 · answered Mar 09 '18 at 13:01

   print_r($_SESSION["id"]);
  $user_id=$_SESSION["id"];
if(isset($_POST['submit']))
 { 
    $host = "";
    $db_name = "";
    $username = "";
    $password = "";
   $link=mysqli_connect($host, $username, $password, $db_name);
  //filename as image_path
   $filename=$_FILES['file']['name'];
  $filetmp=$_FILES['file']['tmp_name'];
  $image_title=$_POST['text'];
  $target="uploaded/".$filename;

  $date_time = date('Y-m-d H:i:s');
  $image_url="htt..".$filename;

  if($filename!=""){
   $sql="INSERT INTO images (image_path,created,image_url,image_title,user_id) VALUES ('$filename','$date_time','$image_url','$image_title','$user_id')";
   mysqli_query($link,$sql);

  if(move_uploaded_file($filetmp,$target)){
    echo "Image uploaded Successfully";
  }
  else
  {
    echo "Failed to upload !!";
   }
   }
else{
   echo "Please insert a valid image !!";
 }
  }
?>
 </body>
  </html>

score 0 · Answer 4 · answered Mar 09 '18 at 13:18

You are not retrieveing the user id, but a success value returned by print_r(), which, when inserted into the database, is converted to 0 (false) or 1 (true).

You want to assign the value from $_SESSION['id'] directly, and for safety's sake to make sure it is an integer.

Also you need to escape $filename and $image_title before using them in the query, because otherwise you create an SQL injection vulnerability.

A last thing - although not part of your current problem - is that you should create the database entry only after a successful upload.

$user_id = (int)$_SESSION['id'];

if (isset($_POST['submit']))
{
    $host     = '';
    $db_name  = '';
    $username = '';
    $password = '';

    $link = mysqli_connect($host, $username, $password, $db_name);

    $filename    = $_FILES['file']['name'];
    $filetmp     = $_FILES['file']['tmp_name'];
    $image_title = $_POST['text'];
    $target      = 'uploaded/' . $filename;

    $date_time = date('Y-m-d H:i:s');
    $image_url = 'http://...' . $filename;

    if ($filename != "")
    {
        if (move_uploaded_file($filetmp, $target))
        {
            $filename    = mysqli_real_escape_string($link, $filename);
            $image_title = mysqli_real_escape_string($link, $image_title);
            $sql         = "INSERT INTO images (image_path,created,image_url,image_title,user_id) VALUES ('$filename','$date_time','$image_url','$image_title',$user_id)";
            mysqli_query($link, $sql);

            echo 'Image uploaded successfully';
        }
        else
        {
            echo 'Failed to upload!';
        }
    }
    else
    {
        echo 'Please insert a valid image!';
    }
}

Thanks for your valuable advise.i will escape all those but i am not quite sure about how can i retrive the user id of the current user. — Udipta Gogoi, Mar 09 '18 at 13:23
i have already updated the session["id"] value with the current user id by mysqli_insert_id($link) while signing the user — Udipta Gogoi, Mar 09 '18 at 13:26

getting the current user id using session variable

4 Answers4