Jump to content

echo whats in a session variable

deansaddigh

By deansaddigh
in PHP Coding Help

 Share

Recommended Posts

waynewex Advanced Member

waynewex

Posted
Posted

Yes. But make sure that you use htmlentities in order to sanitise your output. You don't want the user entering HTML or JavaScript as their username, only to see it being executed everytime your script outputs the username.

 

echo htmlentities($_SESSION['username'],ENT_QUOTES,"utf-8");

 

You should also make sure that the session variable actually exists:

 

<?php
if(isset($_SESSION['username'])){
     //print it out
}
?>

Link to comment
Share on other sites
deansaddigh Advanced Member

deansaddigh

Posted
  • Author
Posted

i did test it and it didnt work, i should of said my bad

:-[

 

heres my session start

 

<?
session_start();
if(!$_SESSION['username'] ){
header("location:login.php");
}

 

here is where the sessions get created

// Register $myusername, $mypassword and redirect to file "login_success.php"
			$_SESSION['username']; 
			$_SESSION['password']; 
			header("location:add_product_form.php");

 

any ideas?

Link to comment
Share on other sites
waynewex Advanced Member

waynewex

Posted
Posted

To assign a variable to a $_SESSION variable, you need to do something like this:

 

<?php
//assuming $username has been gotten from the DB
$_SESSION['username'] = htmlentities($username,ENT_QUOTES,"utf-8");
?>

 

In your code, you're not assigning anything to your session variables.

Link to comment
Share on other sites
deansaddigh Advanced Member

deansaddigh

Posted
  • Author
Posted

ok i am new so bare with me, i changed the session to hold the variables.

 

//Provent sql injections
			$username = stripslashes($username);
			$password = stripslashes($password);
			$username = mysql_real_escape_string($username);
			$password = mysql_real_escape_string($password);

			//Sql
			$query="SELECT * FROM users WHERE UserName='$username' and Password='$password'";
			$result=mysql_query($query);

			// Mysql_num_row is counting table row
			$count=mysql_num_rows($result);
			// If result matched $myusername and $mypassword, table row must be 1 row

			if($count==1){
			// Register $myusername, $mypassword and redirect to file "login_success.php"
			$_SESSION['username'] = '$username';
			$_SESSION['password'] = '$password'; 
			header("location:add_product_form.php");
			}
			else {
			echo "Wrong Username or Password";
			}
			?>

 

im assuming those sessions should hold their username and password now, but i am still getting an error

Link to comment
Share on other sites
cags Member

cags

Posted
Posted

PHP doesn't evaluate variables stored in a string delimited by single quotes, so...         

 

$_SESSION['username'] = '$username';
$_SESSION['password'] = '$password';

 

Will result in a username of $username and a password of $password.

Link to comment
Share on other sites
waynewex Advanced Member

waynewex

Posted
Posted

Change

 

$_SESSION['username'] = '$username';
$_SESSION['password'] = '$password';

 

to

 

$_SESSION['username'] = $username;
$_SESSION['password'] = $password;

 

In your code, you're encapsulating your variables in single quotes. In PHP, single quotes will give you the literal of what is between those single quotes, meaning your username and password session variables will always literally be $username and $password and not what is actually in those variables. As opposed to double quotes.

 

Also - why are you storing their password in a session variable? That is a major security concern.

Link to comment
Share on other sites
deansaddigh Advanced Member

deansaddigh

Posted
  • Author
Posted

ok i have changed it all.

so my pages are as follows

 

process login

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<?php
include '../includes/connection.php';
?>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="../images/animated_favicon1.gif" />
<link rel="stylesheet" type="text/css" href="../css/layout.css" /> 



<title>Nextdayfrags.co.uk</title>
</head>

<body>
<!--wrapper to hold site-->
    <div id="wrapper">
    	
      <!--Logo holder-->
      <div id="header"></div>
        
        <div id="left">
       		<div class="nav">    
       			  	
	        	<ul>
					<li><a href="#">SPS frags</a></li>
					<li><a href="#">LPS frags</a></li>
					<li><a href="#">Soft Coral frags</a></li>
					<li><a href="#">Coral Frag packs</a></li>
					<li><a href="#">SPS Coral Colonies</a></li>
					<li><a href="#">LPS Coral Colonies</a></li>
	        		<li><a href="#">Anemones</a></li>
	        		<li><a href="#">Clean Up Critters/ Inverts</a></li>
	        		<li><a href="#">Coral Food</a></li>
	        		<li><a href="#">Reef Accesories</a></li>
	        		<li><a href="#">Gift Vouchers</a></li>
	        	
				</ul>
        	<div align="center">
        	 
			 <img src="images/paypal.png"/> 	
        		 
        	</div>
        	</div>
        </div>
        
        	<div id="right">
        
        		<?php
        		//Store details in variables 
        		$username=$_POST['username'];
			$password=$_POST['password']; 

			//Provent sql injections
			$username = mysql_real_escape_string($username);
			$password = mysql_real_escape_string($password);

			//Sql
			$query="SELECT * FROM users WHERE UserName='$username' and Password='$password'";
			$result=mysql_query($query);

			// Mysql_num_row is counting table row
			$count=mysql_num_rows($result);
			// If result matched $myusername and $mypassword, table row must be 1 row

			if($count==1){
			// Register $myusername, $mypassword and redirect to file "login_success.php"

			$_SESSION['username']= $username;
			header("location:add_product_form.php");
			}
			else {
			echo "Wrong Username or Password";
			}
			?>





        	
		</div>
          		



          
          
            
           
            
      
        
      
</div>
    
    
   

</body>
</html>

 

page where i actually use the session to print out username

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<?
session_start();
if(!$_SESSION['username'] ){
header("location:login.php");

}




?>


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<?php
include '../includes/connection.php';
?>

<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="shortcut icon" href="../images/animated_favicon1.gif" />
<link rel="stylesheet" type="text/css" href="../css/layout.css" /> 


<title>Nextdayfrags.co.uk</title>
</head>

<body>
<!--wrapper to hold site-->
    <div id="wrapper">
    	
      <!--Logo holder-->
      <div id="header"></div>
        
        <div id="left">       		 
       <div align="center">	
       	<img src="../images/paypal.png" alt="Paypal verified" /> 
       </div>
        </div>
        
        <div id="right">
   			
   			<?php 
   				
   				echo 'welcome';
   				echo $_SESSION['username'];
   				
   			$message = $_GET["message"];
   			
   			
   				if ( $message != "" )
   				{
   				echo $message;
   				}
   			
   			?>
   			
   			
		<form id="form" name="form" method="post" enctype="multipart/form-data" action="../admin/process_product.php">
		<fieldset>
		<legend>Use this form to add a product</legend>
		<h1>Add Product</h1>
		<p>Please use this form to add a product</p>

		<label>Product Name</label>
		<input type="text" name="name"/><br /><br />


		<label>Product Catagory</label>
		<select name ='category'>
		  <option>LPS frags</option>
		  <option>SPS frags</option>
		  <option>Soft Coral frags</option>
		  <option>Coral Frag packs</option>
		  <option>SPS Coral Colonies</option>
		  <option>LPS Coral Colonies</option>
		  <option>Anemones</option>
		</select><br /><br />

		<label>Product Quantity</label>
		<input type="text" name="quantity"/><br /><br />

		<label>Product Price</label>
		<input type="text" name="price"/><br /><br />

		<label>Product Description</label>
		<textarea cols="30" rows="4" name="description"></textarea><br /><br />

		 <input type="hidden" name="MAX_FILE_SIZE" value="500000000" />
             <label>Add Picture:</label>  <input name="uploadedfile" type="file"  /><br /><br />
            	
             <label>Video Embed code</label>
		<textarea cols="30" rows="4"  name="video"></textarea><br /><br />
            			
		<button type="submit" class="submit">Add Product</button>

		</fieldset>
		</form>

	</div>
   			
        	
       
          		
     </div>        
      

    
    
   

</body>
</html>

 

But i am now getting this error

 

Notice: Undefined variable: _SESSION in C:\wamp\www\Php Shoping cart\admin\add_product_form.php on line 48

 

I appolagise for my poor coding skills,  and thanks for your patiance

 

Link to comment
Share on other sites
jamesxg1 Advanced Member

jamesxg1

Posted
Posted

Hiya,

 

I'm not that good at php but from what i do know apparently you should not use short tags.

 

<?
session_start();
if(!$_SESSION['username'] ){
header("location:login.php");

}


   

?>

 

to

 

<?php session_start();

if(!$_SESSION['username'] ){
header("location:login.php");

}
?>

 

James.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.