Need help with session id and username from data base

$result = $mysqli->query(‘SELECT * FROM users WHERE username = ($_SESSION[“username”])’);

i can get to show username But it will not pull anydata

The username value is a string. If you had error handling for the database query, you would be getting an error about a non-existent column with the same name as the username value. A bunch of points -

  1. You ALWAYS need error handling for statements that can fail, so that you will know if and why they are failing. The simplest way of adding error handling for all the database statements that can fail - connection, query, prepare, and execute, is to use exceptions for errors and in most cases simply let php catch the exception, where php will use its error related settings to control what happens with the actual error information (database statement errors will ‘automatically’ get displayed/logged the same as php errors).
  2. Don’t put the username into the session variable upon login. Put the user id (autoincrement primary index), then query on each page request to get any other user data, such as the username, permissions, …
  3. Don’t put external, unknown, dynamic values directly into an sql query, where any sql special characters in a value can break the sql query syntax, which is how sql injection is accomplished. Use a prepared query instead. This would solve the current problem, if you are not going to do item #2 on this list.
  4. Switch to the much simpler and modern PDO database extension. The msyqli extension is overly complicated and inconsistent when dealing with prepared queries.
Sponsor our Newsletter | Privacy Policy | Terms of Service