0

I'm having trouble creating a variable for the session user. I'm creating a practice boxing website which matches the session user with somebody with the same attributes, i.e. weight.

```php
<?php

session_start();
include "connection.php";

$id = $_GET["userID"];
$sql = "SELECT * FROM userdetails WHERE userID = '" . $id . "'";
$result = mysqli_query($con, $sql);

if (mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        echo "<div>" .
        "<br>First name: " . $row["firstname"] .
        "<br>Second name: " . $row["secondname"] .
        "<br>Mobile: " . $row["mobile"] .
        "<br>Height: " . $row["height"] . "CM" .
        "<br>weight: " . $row["weight"] . "KG" .
        "<br>Image:<br> <img src=getimage.php?userID=" . $row["userID"] . " width=100 height=100>" .
        "<br> You are a match! click below to view events" .
        "<br><a href=Events.php?userID=" . $row["userID"] . ">View Events</a>" .
        "</div>";
    }
} else {
    echo "0 results";
}
$weight = $row['weight'];
?>
```

This code allows me to collect and display the data of an individual in my table. The `$weight = $row['weight'];` line puts the weight for the individual into a variable.

I'm unsure how I get the session user's weight into a variable, then how to compare the two. I'd imagine I'll need an IF statement, something like:

```php
if ($weight == $sessionusersweight) {
    echo "you're a match";
} else {
    echo "you're not a match";
}
```

Any help would be appreciated.

Isaac Bennetch
  • 11,830
  • 2
  • 32
  • 43
  • 3
    Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Apr 19 '18 at 15:58
  • Are you just asking how to use `$_SESSION` in PHP? Did you try Googling "PHP sessions"? https://secure.php.net/manual/en/book.session.php – David Apr 19 '18 at 16:01
  • I'd not go via sessions. Just query the database for matching weight, then you have a list of users that match. – Jeff Apr 19 '18 at 16:02
  • I can use sessions, David, I was just trying to see if it was possible to make session data into a variable – Richard Pearson Apr 19 '18 at 16:06
  • Thanks Jeff, I'll try that – Richard Pearson Apr 19 '18 at 16:06

3 Answers

0

First thing that I recommend is to use to open first:

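```php
<?php
session_start();
?>
```

Then insert all the code that you want. Once that is done, what you need is to assign the value of a row to a variable, so you can just do this:

```php
// Store the value under a key; assigning a scalar to $_SESSION itself would overwrite the whole session array.
$_SESSION['weight'] = $row['weight'];
```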
Anion
  • 65
  • 9
0

So, you have a user in your session. If so, then you can just get that user from $_SESSION variable.

To store the data in session you can do as below:

```php
<?php
session_start();
$_SESSION['user'] = $row;
```

Now, you have your row data in the $_SESSION variable as user index. To get the user from $_SESSION variable you can do as below:

```php
<?php
session_start();
$sessionUser = $_SESSION['user'];
```

Here, session_start() method is used to start the session. This is not required twice in the same file.

Then you can just check as you want:

```php
<?php
if ($row["weight"] == $sessionUser['weight'])
    echo "matched";
else
    echo "not matched";
```
Imran
  • 4,582
  • 2
  • 18
  • 37
0

I've made you a version of what I think is what you want (which is not too obvious) to achieve.

```php
<?php
session_start();
include "connection.php";

$id = $_GET["userID"]; // SANITISE USER INPUT!!!
// Change that to a prepared statement!! This is insecure.
$sql = "SELECT * FROM userdetails WHERE userID = '" . $id . "'";
$result = mysqli_query($con, $sql);

if (mysqli_num_rows($result) == 1) {
    $row = mysqli_fetch_assoc($result); // no need for a while there, we expect only one row
    echo "<div>" .
        "<br>First name: " . $row["firstname"] .
        "<br>Second name: " . $row["secondname"] .
        "<br>Mobile: " . $row["mobile"] .
        "<br>Height: " . $row["height"] . "CM" .
        "<br>weight: " . $row["weight"] . "KG" .
        "<br>Image:<br> <img src=getimage.php?userID=" . $row["userID"] . " width=100 height=100>" .
        "<br> You are a match! click below to view events" .
        "<br><a href=Events.php?userID=" . $row["userID"] . ">View Events</a>" .
        "</div>";

    // find users with the same weight
    $findSimularity = 'weight'; // having weight as a var keeps it more modular/reusable
    $stmt = mysqli_prepare($con, "SELECT * FROM userdetails WHERE `{$findSimularity}` = ?");

    // I assumed type double for weight here.
    // Could also be 'i' for int or 's' for a string/varchar.
    mysqli_stmt_bind_param($stmt, "d", $row[$findSimularity]);
    mysqli_stmt_execute($stmt); // mysqli_execute() is only an alias of this function
    $result = mysqli_stmt_get_result($stmt);
    echo "Similar Users:<br>";
    while ($similarUser = mysqli_fetch_assoc($result)) {
        echo $similarUser['firstname'] . " has the same $findSimularity of " . $row[$findSimularity] . "<br>";
    }
} elseif (mysqli_num_rows($result) > 1) {
    echo "I found more than one user with given ID. That should be an error.";
} else {
    echo "0 results";
}

// best practice is to NOT have a final ?> in your files (to avoid some strange hard to find errors), so I removed it
```
Jeff
  • 6,895
  • 1
  • 15
  • 33
  • Just added this code into mine, it's not showing fighters with a matching weight, but also isn't showing any errors. Any thoughts on what might be causing this? – Richard Pearson Apr 21 '18 at 22:08
  • Without new debugging information: not really. But I just noticed a typo I've made: `echo $similarUser['firsname']` - there's a t missing. Will throw 'UNDEFINED INDEX' - if there is a matching user found. – Jeff Apr 21 '18 at 22:16
  • The issue seems to be with the while loop after similar users from what I gather? Is there anything you could think of as to why this loop is not working? – Richard Pearson Apr 23 '18 at 14:37
  • Something to do with $similarUser maybe? – Richard Pearson Apr 23 '18 at 14:39
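
Added example, not code from any poster in this thread: the prepared-statement lookup recommended in the comments, combined with the "find users with the same attribute" query, using PDO against an in-memory SQLite database so it runs without `connection.php`. The helper name `findMatches`, the sample rows, the `height` entry in the allowlist and the session key mentioned in the comment are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdetails (userID INTEGER PRIMARY KEY, firstname TEXT, weight REAL, height REAL)');
$db->exec("INSERT INTO userdetails VALUES (1,'Ann',72.5,170),(2,'Bob',72.5,181),(3,'<b>Cy</b>',80,170)");

/** Return the users who share $attribute with user $userId (hypothetical helper). */
function findMatches(PDO $db, $userId, string $attribute = 'weight'): array
{
    // Column names cannot be bound as parameters, so check them against an allowlist.
    if (!in_array($attribute, ['weight', 'height'], true)) {
        throw new InvalidArgumentException('attribute not allowed');
    }
    // Accept only a plain positive integer as the ID.
    $id = filter_var($userId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid user ID');
    }
    // The ID is a bound parameter; the self-join excludes the user from their own matches.
    $stmt = $db->prepare(
        "SELECT o.userID, o.firstname, o.$attribute AS matched
           FROM userdetails me
           JOIN userdetails o ON o.$attribute = me.$attribute AND o.userID <> me.userID
          WHERE me.userID = :id"
    );
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// On the real site the ID would come from the login, e.g. $_SESSION['userID'] (assumed key).
$sessionUserId = 1;
foreach (findMatches($db, $sessionUserId) as $m) {
    // Escape database values before writing them into HTML.
    echo htmlspecialchars($m['firstname'], ENT_QUOTES, 'UTF-8'),
         ' has the same weight: ', $m['matched'], "<br>\n";
}

// Input that is not a plain integer never reaches the query.
try {
    findMatches($db, '1 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```

Because the comparison happens in SQL, no weight has to be copied into `$_SESSION`; only the logged-in user's ID needs to live in the session.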