
I want to display a page if the user doesn't pay for content (via Stripe), and therefore I have to check in the DB whether he paid or not. If he paid, I store the string "ok" in status; if he doesn't, it's just blank.


Now I'm not sure why the following code doesn't work:

<?php
if(!isset($_SESSION["username"])) {
?>
    <a href="login.php">Login</a> to watch Satellite data.
<?php
    $query = 'SELECT status 
                FROM users 
                WHERE username="'.$_SESSION["username"].'"';
    $stmt = $conn->prepare($query);
    $stmt->execute();
    $result = $stmt->get_result();

    while ($row = $result->fetch_assoc()) { 
        $status = $row["status"]; 
        if ($status !== "ok") {
            $status_notpaid = true;
        } 
    }
} elseif(isset($_SESSION["username"]) && isset($status_notpaid))  {     
    include("notpaid.php"); 
} else {
?>

<?php 
$query = 'SELECT id 
            FROM users 
            WHERE username="'.$_SESSION["username"].'"';
$stmt = $conn->prepare($query);
$stmt->execute();
$result = $stmt->get_result();
?>

Hello <strong><?php echo $_SESSION["username"];?></strong> | 

<?php 
while ($row = $result->fetch_assoc()) { 
    echo $row["id"]; }
?> 

I'm not sure why elseif(isset($_SESSION["username"]) && isset($status_notpaid)) { include("notpaid.php"); } doesn't work.

  • You ask if `isset($_SESSION["username"])` is NOT set and then you go ahead and use `$_SESSION["username"]` in a query when you know it's not set?????? – RiggsFolly Nov 07 '21 at 17:10
  • Yeah, just figured out this is a big blunder. Thanks for pointing out the elephant in the room. – user14584183 Nov 07 '21 at 17:11
  • This line `} elseif(isset($_SESSION["username"]) && isset($status_notpaid)) {` will never work because you only set `$status_notpaid` if you enter the previous IF statement. So if you enter the `elseif` it will never even exist – RiggsFolly Nov 07 '21 at 17:12
  • Stop, count to 10 and then throw this away and start again – RiggsFolly Nov 07 '21 at 17:13
  • Where do I put it then, where do I store the status variable for further use? – user14584183 Nov 07 '21 at 17:13
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 07 '21 at 18:50
  • I know, I'll fix this in future. – user14584183 Nov 07 '21 at 18:57

1 Answer

I am assuming the login script sets $_SESSION["username"] if login is successful.

It would make more sense to put the id of the users table in the session, as I assume that is the primary key. You can keep username in the session as well if you like; that would save you running some of this code at all.

<?php

if(!isset($_SESSION["userid"])) {
    # user not logged in: direct to login, and nothing else
    echo '<a href="login.php">Login</a> to watch Satellite data.';
    exit;
}

if (isset($_SESSION["userid"])) {
    # then we are logged in 

    # So now we check if they paid
    $query = 'SELECT status 
                FROM users 
                WHERE id=?';
    $stmt = $conn->prepare($query);
    $stmt->bind_param('i', $_SESSION["userid"]);
    $stmt->execute();
    $result = $stmt->get_result();
    
    # we had better only be getting one row as a result of that query
    # so a loop is totally unnecessary
    $row = $result->fetch_assoc();
    $status = $row["status"]; 
    if ($status !== "ok") {
        include("notpaid.php"); 
    } 
}
?>

Hello <strong><?php echo $_SESSION["username"];?></strong> | <?php echo $_SESSION['userid']; ?>
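As an added example (not the question's or the answer's code), the same paid-content check as a reusable function: the user id is bound as a parameter rather than concatenated into the SQL, a missing row counts as not paid, and output stops after the login link or the notpaid include. The connection credentials are placeholders; the table and column names follow the answer.

```php
<?php
declare(strict_types=1);

// Placeholder connection details: replace with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

/**
 * True only if a users row exists for $userid and its status is exactly "ok".
 * The id is bound as an integer parameter, so session content never becomes SQL.
 */
function userHasPaid(mysqli $conn, int $userid): bool
{
    $stmt = $conn->prepare('SELECT status FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $userid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // No row (e.g. a deleted account) is treated as not paid, not as an error.
    return $row !== null && $row['status'] === 'ok';
}

session_start();

// Decide access before sending any page content, and stop after each branch.
if (!isset($_SESSION['userid'])) {
    echo '<a href="login.php">Login</a> to watch Satellite data.';
    exit;
}

if (!userHasPaid($conn, (int) $_SESSION['userid'])) {
    include 'notpaid.php';
    exit;
}

// Escape the username on output; it came from user input at registration.
$username = htmlspecialchars($_SESSION['username'] ?? '', ENT_QUOTES, 'UTF-8');
?>
Hello <strong><?= $username ?></strong> | <?= (int) $_SESSION['userid'] ?>
```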