adding session id to mysqli insert script

General PHP Help
#1

my script below won’t pull the hashed userid/session to insert into the adminid spot…any advice?
I know it is connecting and setting a hashed session because I can print that out…
thx

[php]<?php

session_start();
echo session_id();

// connect to the database
include(“connect.php”);
{
// if the form’s submit button is clicked, we need to process the form
if (isset($_POST[‘submit’]))
{

//get userid and assign to adminid

$query = ‘SELECT userid
FROM admins
WHERE userid = ?’;

$stmt = $mysqli->prepare($query);

if (!$stmt) {
echo ‘failed to prepare user admin statement’;
} else {
$stmt->bind_param(‘i’, $_POST[‘session_id’]);
$stmt->execute();

echo '

user id is: ';
echo ‘userid’;
}

// get the form data

$foodid = htmlentities($_POST[‘foodid’], ENT_QUOTES);
$restid = htmlentities($_POST[‘restid’], ENT_QUOTES);
$regionid = htmlentities($_POST[‘regionid’], ENT_QUOTES);
$adminid = htmlentities($_POST[‘adminid’], ENT_QUOTES);

// check that foodname and adminid are both not empty
if ($foodname == ‘’ || $adminid == ‘’)
{
// if they are empty, show an error message and display the form
$error = ‘ERROR: Please fill in all required fields!’;
//renderForm($foodname, $adminid, $error);
echo “error–not everything required is filled in…especially foodname and adminid”;
}
else
{

                            // insert the new record into the database

if ($stmt = $mysqli->prepare(“INSERT food (foodid, restid, regionid, adminid)
VALUES (?,?,?,?)”))

{

$stmt->bind_param(“iiii”, $foodid, $restid, $regionid, $adminid);

$stmt->execute();
$stmt->close();

                            }
                            // show an error if the query has an error
                            else
                            {
                                    echo "ERROR: Could not prepare SQL statement.";
                            }
                            
                            // redirect the user
                            header("Location: foodform.php");
                    }
                    
            }
            // if the form hasn't been submitted yet...
            else
            {
                    echo "success";
            }
    }
    
    // close the mysqli connection
    mysqli_close($mysqli);

?>

[/php]

#2

as you see when you echo session_id() that function actually returns the session id. Later on you try to use the variable $_SESSION[‘session_id’] which I guess you never set.

Just use session_id() to fetch the id elsewhere in the script, or set a local variable if you need to use it multiple places / php complains about function calls in declarations.

[php]$sessionId = session_id();
$stmt->bind_param(‘s’, $sessionId); // the session id is a string, not an int[/php]

[hr]

Writing this I started to wonder if you meant to insert the user id of the user who owns the session. In that case you should call it user id, not session id :stuck_out_tongue:

If this is what you’re looking for you need to add the login script / wherever you set the session data. Do you set $_SESSION[‘session_id’] somewhere?

[hr]

[php] // get the form data

$foodid = htmlentities($_POST[‘foodid’], ENT_QUOTES);
$restid = htmlentities($_POST[‘restid’], ENT_QUOTES);
$regionid = htmlentities($_POST[‘regionid’], ENT_QUOTES);
$adminid = htmlentities($_POST[‘adminid’], ENT_QUOTES);

// INSERT into database[/php]

This is generally considered to be the wrong way around. Normally you would want to html escape variables on output, not input. The simple reason is that it’s much easier to know you’re safe if you escape every variable in the view.

Sponsor our Newsletter | Privacy Policy | Terms of Service