Monday, 2 January 2017

html - session variables are not inserting in database in php and mysql form



It is not inserting the session variables such as name, id, email and number, which are stored in $a, $b, $c, $d in pseller.php.



This is my login page, where I am checking the username and password:




login.php





  

<?php
error_reporting(E_ALL); // to see if there is error in code

include "connect_to_mysql.php";

if (isset($_POST['log']))
{
    $user = $_POST['user'];
    $pass = md5($_POST['pass']);

    $sql = mysql_query("select * from reg where username= '$user' AND password='$pass' AND category='product seller' LIMIT 1 ") or die(mysql_error());
    $data = mysql_num_rows($sql);

    if ($data == 1) {
        $_SESSION['name'] = $name;
        $_SESSION['id'] = $id;
        $_SESSION['phone_no'] = $number;
        $_SESSION['email_id'] = $email;

        header("location:pseller.php");
    }
    else {
        header("location:login.php?error");
    }
}
?>






























 














This is the pseller page, where I am trying to store the session values in variables and then insert them into the database. But the session variables are not inserting data into the database, and the values of v_id and v_number show as 0.





pseller.php




<?php
// Parse the form data and add inventory item to the system
include_once('connect_to_mysql.php');
session_start();

if (isset($_POST['p_name'])) {

    $target_dir = "pics/";
    $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
    $imageFileType = pathinfo($target_file, PATHINFO_EXTENSION);
    move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file);
    $img_name = $_FILES["fileToUpload"]["name"];

    $a = $_SESSION['name'];
    $b = $_SESSION['id'];
    $c = $_SESSION['phone_no'];
    $d = $_SESSION['email_id'];

    $product_name = mysql_real_escape_string($_POST['p_name']);
    $price = mysql_real_escape_string($_POST['price']);
    $category = mysql_real_escape_string($_POST['category']);
    $subcategory = mysql_real_escape_string($_POST['subcategory']);
    $category2 = mysql_real_escape_string($_POST['category2']);
    $details = mysql_real_escape_string($_POST['details']);
    // See if that product name is an identical match to another product in the system

    // Add this product into the database now
    $sql = mysql_query("INSERT INTO product (p_name, price, details, category, sub_category, category2, img_name, v_id, v_name, v_number, v_email, date) VALUES('$product_name','$price','$details','$category','$subcategory','$category2','$img_name','$b','$a','$c','$d',now())") or die (mysql_error());
}
?>


Please help me to come out from here.


Answer



Ok so judging from the question and discussion in the comments, you're lacking proper handling of the user data in login.php.



There are also a couple of other points that are a bit off in your code:





  1. You should not use the mysql library as it's deprecated. You should either use mysqli, which is a rather easy switch if you're already used to mysql, or use PDO

  2. Your code is vulnerable to SQL injection. You should use prepared statements when using user input in SQL queries. More info here for example

  3. MD5 is not a very secure option for passwords. You can read more here



Below is a simple example of the PHP part for login.php I threw together based on what information I could gather from your question. It isn't complete for your specific database structure and needs, but should help you forward with your problem:




<?php
session_start(); // Required before $_SESSION can be written

// Define database connection using mysqli
$mysqli = new mysqli("localhost", "username", "password", "dbname");

if (isset($_POST['log']))
{
    $user = $_POST['user'];
    $pass = md5($_POST['pass']); // Should be replaced by secure alternatives

    // Define the SQL query string
    $sql = "SELECT id, name, phone_no, email FROM reg WHERE email = ? AND password = ? LIMIT 1";

    $stmt = $mysqli->prepare($sql); // Prepare the query string
    $stmt->bind_param("ss", $user, $pass); // Define prepared statement parameters

    // Execute the prepared statement
    if ($stmt->execute())
    {
        $result = $stmt->get_result(); // Get the result
        $data = $result->num_rows; // Get number of rows

        if ($data == 1)
        {
            $userdata = $result->fetch_array(MYSQLI_ASSOC); // Get an associative array from the result

            $_SESSION['name'] = $userdata['name'];
            $_SESSION['id'] = $userdata['id'];
            $_SESSION['phone_no'] = $userdata['phone_no'];
            $_SESSION['email_id'] = $userdata['email'];

            header("location:pseller.php");
            exit; // Stop here so the error redirect below is not sent as well
        }
    }

    // Reached when the query failed or no matching user was found
    header("location:login.php?error");
    exit;
}
?>
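An added example, not part of the original answer or the asker's code: one way to combine points 2 and 3 above, checking the password with `password_verify()` and upgrading existing MD5 rows at login, while returning the row values that belong in `$_SESSION`. Assumptions: an in-memory SQLite database via PDO stands in for the MySQL `reg` table, the column names follow the answer's guess, and the `authenticate()` helper and the sample user are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the MySQL `reg` table,
// holding one seller whose password is still a legacy unsalted MD5 hash.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE reg (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT,
           name TEXT, phone_no TEXT, email TEXT, category TEXT)");
$db->prepare("INSERT INTO reg (username, password, name, phone_no, email, category)
              VALUES (?, ?, ?, ?, ?, 'product seller')")
   ->execute(['alice', md5('sample-pass'), 'Alice', '5550100', 'alice@example.test']);

// Hypothetical helper: returns the values for $_SESSION on success, null on failure.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // User input is bound as a parameter, never concatenated into the SQL text.
    $stmt = $db->prepare("SELECT id, name, phone_no, email, password FROM reg
                          WHERE username = ? AND category = 'product seller' LIMIT 1");
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['password'];
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($pass))   // legacy row: compare in constant time
        : password_verify($pass, $stored);   // migrated row: salted, slow hash
    if (!$ok) {
        return null;
    }
    // Upgrade legacy or outdated hashes while the plaintext is available.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $db->prepare("UPDATE reg SET password = ? WHERE id = ?")
           ->execute([password_hash($pass, PASSWORD_DEFAULT), $row['id']]);
    }
    return ['id' => $row['id'], 'name' => $row['name'],
            'phone_no' => $row['phone_no'], 'email_id' => $row['email']];
}

// In login.php the returned array is what gets copied into $_SESSION (after
// session_start() and session_regenerate_id(true)) before redirecting to pseller.php.
var_dump(authenticate($db, 'alice', 'sample-pass'));   // first login: MD5 row is rehashed
var_dump(authenticate($db, 'alice', 'sample-pass'));   // second login: password_verify() path
var_dump(authenticate($db, 'alice', 'wrong-pass'));    // wrong password
echo $db->query("SELECT password FROM reg WHERE id = 1")->fetchColumn(), PHP_EOL;
```

On the real MySQL table the `password` column has to be wide enough for `password_hash()` output (the PHP manual recommends 255 characters); a column sized for a 32-character MD5 value would truncate the new hash.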
