
Hi, this has been frustrating me for a while and I can't seem to figure out what is wrong with my code.

So I currently have a database called artworks and it has 2 tables within it: an artwork table and a members table (for login, including username and password).

I already have login.php that stores the username and password to the members table.

Now I want to get that username from the members table and store it within the artworks table somehow. (I do not know why my code is not storing my username into it.)

```php
<?php

session_start();

if(isset($_POST['title'])) $title = $_POST['title'];
if(isset($_POST['category'])) $category = $_POST['category'];
if(isset($_POST['description'])) $description = $_POST['description'];
if(isset($_POST['tags'])) $tags = $_POST['tags'];


$filename = $_FILES['image']['name'];
$location = $_FILES['image']['tmp_name'];

//move the file
move_uploaded_file($location, "uploads/$filename");

//put data into database
$db = mysqli_connect("localhost", "root","", "artworks")  or die(mysqli_error($db));

$_SESSION['username'] = $username;

$q = "insert into artwork values(null, '$_SESSION[username]','$title', '$category', '$description', '$tags', '$filename')";
mysqli_query($db, $q) or die(mysqli_error($db));


//redirect
header("Location:gallery.php");
exit(0);
```

I've also tried `$_SESSION['username'] = $username;` and `$_SESSION['username'] = '$username';` and it still does not seem to work.

I also want to display the current logged-in user's name at the bottom of the page, but `echo $username` also does not work.

Many Thanks

Sofyan Thayf
Andrew
    $username is not coming from anywhere... the only time it is used here is when you write `$_SESSION['username'] = $username;` – James Grimshaw Oct 27 '19 at 12:37
  • where is the $username? – gbenga wale Oct 27 '19 at 13:39
    As an aside, you are exposing yourself to a possible SQL Injection attack. See [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Booboo Oct 27 '19 at 14:32
  • "echo $username"...why should it? You don't appear to have declared it anywhere. Where are you expecting this value to have been populated? Did you perhaps mean to write `$username = $_SESSION['username'];` instead of `$_SESSION['username'] = $username;` - that would fetch the username from the session, not the other way round – ADyson Oct 27 '19 at 15:30
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Oct 30 '19 at 22:12
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 30 '19 at 22:12

1 Answer


You should do this: assign `$_SESSION['username']` in the login section. I mean, after you successfully log in, you create a session with name => username and assign it from the queries that take the username and password from the member table.

Because the session value is still stored although you change the page, on the next page, referring to the code above, you just include it in your query string.

For example, login.php:

```php
// you get the username and password from the member table and assign it to $username
session_start();
$username = "foo"; // you can assign this value from the table query
$_SESSION['username'] = $username;
```

Remember, the value in the session is still kept.

And on the other side, in store.php (this is my assumption ^_^):

```php
// after that $_SESSION[username] will be assigned the name foo, for example
$q = "insert into artwork values(null, '$_SESSION[username]','$title', '$category', '$description', '$tags', '$filename')";
mysqli_query($db, $q) or die(mysqli_error($db));
```
meotig
  • By adding `$username = "foo";` to **login.php**, the username data now successfully gets added into the database :3 – Andrew Oct 27 '19 at 22:16
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Oct 30 '19 at 22:11
  • It is a very bad idea to use `die(mysqli_error($conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) – Dharman Oct 30 '19 at 22:12
  • That's true, maybe you can change to PDO with a prepared statement and bind parameters ^_^ – meotig Oct 31 '19 at 02:24
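Putting the answer and the comments together, here is a store.php that reads the username from the session (the direction ADyson points out), replaces the string-built INSERT with a MySQLi prepared statement, and does not trust the client-supplied file name. This is an added example, not the asker's or answerer's code; it assumes login.php already set `$_SESSION['username']` after verifying the password, and it assumes the artwork table's columns are named `id, username, title, category, description, tags, filename` (the original only uses positional `values(null, ...)`).

```php
<?php
// Added example: hardened store.php (column names and login.php behaviour are assumptions).
session_start();

// The session, set by login.php, is the source of truth for who is logged in.
// Never copy an unset $username INTO the session here; read FROM it instead.
if (!isset($_SESSION['username'])) {
    header('Location: login.php');
    exit;
}
$username = $_SESSION['username'];

// Reject anything that is not a successful POST upload before touching disk or DB.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_FILES['image']) || $_FILES['image']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit('Missing or failed upload');
}
$title       = $_POST['title']       ?? '';
$category    = $_POST['category']    ?? '';
$description = $_POST['description'] ?? '';
$tags        = $_POST['tags']        ?? '';

// $_FILES['image']['name'] is chosen by the client and may contain path pieces;
// derive the extension from the detected MIME type and generate the stored name here.
$allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
$mime = mime_content_type($_FILES['image']['tmp_name']);
$ext  = array_search($mime, $allowed, true);
if ($ext === false) {
    http_response_code(400);
    exit('Unsupported image type');
}
$filename = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($_FILES['image']['tmp_name'], __DIR__ . '/uploads/' . $filename)) {
    http_response_code(500);
    exit('Upload failed');
}

// Prepared statement: user input travels as bound parameters, never as SQL text.
// Exceptions replace die(mysqli_error()), so DB details are not echoed to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db   = new mysqli('localhost', 'root', '', 'artworks');
$stmt = $db->prepare(
    'INSERT INTO artwork (username, title, category, description, tags, filename)
     VALUES (?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('ssssss', $username, $title, $category, $description, $tags, $filename);
$stmt->execute();
header('Location: gallery.php');
exit;
```

To show the logged-in name at the bottom of gallery.php, call `session_start()` there too and output `htmlspecialchars($_SESSION['username'])` rather than a bare `echo $username`, which refers to a variable that script never defined.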