Adding session id to sql insert

i’m trying to do a pdo sql insert where some form data is inserted into the database, but along with the standard form data like the posts title I wanted to insert the users session[‘id’] which would go into the member_id column.
I have the query working accept for when I try to insert the session[‘id’], and was wondering the correct way to do this. The reason for this is so that when the data is displayed on the webpage I can display only posts by the logged user. I don’t get any errors, just nothing inserts. This is my query

                $title     = $_POST['title'];
                $summary   = $_POST['summary'];
                $content   = $_POST['content'];
                $member_id = $_SESSION['id']; // part i'm stuck on
                $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                $sql = "INSERT INTO posts (`title`, `summary`, `content`, 'member_id') VALUES ('$title', '$summary', '$content', '$member_id')";
            }catch(PDOException $e){
                echo $e->getMessage();
            $pdo = null;
            echo "<script>alert('Successfully inserted data!')</script>";
            echo "<script>window.location='dashboard.php'</script>";

The session variable is an input to your code. You must validate it before using it. If it is a required input, at a minimum, you must test if it is set before ever displaying the ‘posts’ form or processing the form submission.

Have you examined what value it has? What does adding the following show -

echo '<pre>'; print_r($_SESSION); echo '</pre>';

Next, you should trim user submitted data, then validate it, storing user validation errors in an array using the field name as the main array index.

You should also be using a prepared query, so that any sql special characters in a value cannot break the sql query syntax, which is how sql injection is accomplished.

You should set the pdo error mode when you make the database connection, not at the point of executing a query.

You should only catch and handle database exceptions for user recoverable errors, such as when inserting/updating duplicate or out of range user submitted data. In all other cases, do nothing in your code, and let php catch and handle any database exception.

There’s generally no need to close database connections, free prepared query handles, or free result sets in your code since php will destroy all resources created on a page when your script ends.

At the end of successfully completing the post method form processing, you should redirect to the exact same url of the current page to cause a get request for that page. This will prevent the browser from trying to resubmit the form data should that page get reloaded or browsed back to. To display a one-time success message/alert, store it in a session variable, then test, display (or alert), and clear that session variable at the appropriate location in the html document.

Every redirect needs an exit/die statement to stop php code execution.

1 Like
Sponsor our Newsletter | Privacy Policy | Terms of Service