
I want to get the (currently logged in) user's email and his/her uid from a database table, then insert them into another table. I have tried, but I am getting blank results, that is, in the uid and email.

    <?php

    session_start();


     if(isset($_POST['button'])){

     $bidamount = $_POST['bidamount'];
     $email = $_SESSION['$u_email'];
     $uid = $_SESSION['$u_uid'];

     //TO ALERT SUBMISSION OF BLANK FIELDS(IT DOESN'T PREVENT SUBMISSION OF BLANK FIELD THOUGH)
     if (!$bidamount){
         echo "can't submit blank fields";
     }

     //TO CONFIRM YOU ARE CONNECTED TO YOUR DATABASE (OPTIONAL)
     $connection = mysqli_connect('localhost', 'root', '', 'tickmill_auctions');
     if ($connection){
         header ("Location: ../Afterlogin.php?action=success");
     }else{
         die("connection failed");
     }
     //TO INSERT username and password from field to jossyusers database
     $query = "INSERT INTO orders(bidamount,email,uid) VALUES('$bidamount','$email','$uid')";
     $result = mysqli_query($connection, $query);
     if(!$result){
         die("OOPPS! query failed".mysqli_error($connection));
      }
    }

    ?>
Rp9
  • **Your code is wide open to SQL injections.** Use Prepared Statements with bound parameters instead of concatenating your query like that. _Never_ trust user data. – M. Eriksson Apr 12 '18 at 11:01

1 Answer


This looks wrong, as I see no variables in your script with the names $u_email and $u_uid:

    $email = $_SESSION['$u_email'];
    $uid = $_SESSION['$u_uid'];

Remove the $ signs and try:

    $email = $_SESSION['u_email'];
    $uid = $_SESSION['u_uid'];

Alternatively, if you do in fact have these variables set up, use double quotes instead of single quotes, like this:

    $email = $_SESSION["$u_email"];
    $uid = $_SESSION["$u_uid"];

WARNING: Your script is wide open to SQL Injection Attack. Even if you are escaping inputs, it's not safe! Use prepared parameterized statements.

Also while testing, add

    ini_set('display_errors', 1); 
    ini_set('log_errors',1); 
    error_reporting(E_ALL); 
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

to the top of your script. This will force any mysqli_ errors to generate an Exception that you can see on the browser, and other errors will also be visible on your browser.

RiggsFolly
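
The two points raised above (literal session keys, and a prepared statement instead of string concatenation) combined in one script, as an added example that is not part of the original question or answer. It assumes the login script stores the values under the keys `u_email` and `u_uid`, that `uid` can be bound as a string, and that the MySQL database from the question is available.

```php
<?php
// Added example, not the asker's or the answerer's code.
// Assumption: the login script stored the values under 'u_email' and 'u_uid'.
session_start();

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['button'])) {

    // Refuse to continue when the session does not identify a user.
    if (empty($_SESSION['u_email']) || empty($_SESSION['u_uid'])) {
        http_response_code(403);
        exit('Not logged in');
    }

    // Validate the bid: reject blank or non-numeric input and stop here.
    $bidamount = filter_input(INPUT_POST, 'bidamount', FILTER_VALIDATE_FLOAT);
    if ($bidamount === false || $bidamount === null || $bidamount <= 0) {
        http_response_code(400);
        exit('Invalid bid amount');
    }

    try {
        // Connection settings copied from the question.
        $connection = mysqli_connect('localhost', 'root', '', 'tickmill_auctions');

        // Placeholders keep the values out of the SQL text entirely.
        $stmt = mysqli_prepare(
            $connection,
            'INSERT INTO orders (bidamount, email, uid) VALUES (?, ?, ?)'
        );
        $email = $_SESSION['u_email'];
        $uid   = $_SESSION['u_uid'];
        // Types: d = double, s = string (binding uid as a string is an assumption).
        mysqli_stmt_bind_param($stmt, 'dss', $bidamount, $email, $uid);
        mysqli_stmt_execute($stmt);
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; do not echo database errors to the browser.
        error_log($e->getMessage());
        http_response_code(500);
        exit('Could not save the bid');
    }

    // Redirect only after the insert succeeded, then stop the script.
    header('Location: ../Afterlogin.php?action=success');
    exit;
}
```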