I have three files: The first is "main.php", the code looks like this:

<html>
	<div style=margin:0 auto align=center >
		<form action = "options.php" method = "POST" />
			<p> <h3> Enter Phone Number: </h3> 
                              <input type = "text" name = "cust_phone" </p>
			<p> <input type = "submit" value = "Submit" </p>
		</form>
	</div>
</html>

Following is the code for "options.php"

<?PHP
	session_start();
?>
<html>
	<body> Details of: <?php
		echo htmlentities($_POST["cust_phone"]) . "<br>";
		$link = oci_connect('hd','hd', 'localhost/mydb');
		if(!$link) {
			$e = oci_error();
			exit('Connection error	' . $e['message']);
		}
		$_SESSION['var'] = htmlentities($_POST["cust_phone"]);
		$ph = htmlentities($_POST["cust_phone"]);
		$q1 = "select CUST_ID from customer where CUST_PHONE = :bv_ph";
		$q1parse = oci_parse($link, $q1);
		oci_bind_by_name($q1parse, ':bv_ph', $ph);
		
		oci_execute($q1parse);
		oci_fetch($q1parse);
		$res = oci_result($q1parse, 'CUST_ID');
		if(!$res) {
			echo "No Order found. New Order?";
		}
		?>
		<form action = "" method = "POST" >
			<input type = "radio" name = "option" value = "Yes" checked> Yes <br>
			<input type = "radio" name = "option" value ="No"> No <br>
			<input type = "submit" value = "submit">
		</form>
		<?php
			
			if(isset($_POST['option']) && ($_POST['option']) == "Yes") {
					header("Location: newcustomer.php");
			}
			elseif(isset($_POST['option']) && ($_POST['option']) == "No") {
				header("location: main.php");
			}
			
		?>
		<table border = "black">
			<tr> 
				<th> ADDRESS </th>
				<th> AREA </th>
			</tr>
		<?php
			
			$q2 = "select A.ADDRESS, A.AREA from customer c 
              join customer_address ca on C.CUST_ID = CA.CUST_ID
              join address a on A.ADDRESS_ID = CA.ADDRESS_ID where C.CUST_ID = :id_bv";
			$q2parse = oci_parse($link, $q2);
			oci_bind_by_name($q2parse, ':id_bv', $res);
			oci_execute($q2parse);
			while($row = oci_fetch_array($q2parse)) {
					echo "<tr><td>" . htmlentities($row["ADDRESS"]) . "</td>";
					echo "<td>" . htmlentities($row["AREA"]) . "</td></tr>";
            }
             oci_free_statement($q2parse);
             oci_close($link);
         ?>
         </table>
  	</body>
</html>

The "newcustomer.php" code looks like this:

<?php
session_start();
?>
	<html>
		<body>
		<?php
		
		if(!isset($_SESSION['var'])) { 
			echo "variable not set";
		}
		print_r($_SESSION);
		?>
			<form action = "order.php" method = "POST" >
			<p> Phone Number: </p>
			<p> Enter Address: <input type = "text" name = "address" /> </p>
			<p> Enter Area: <input type = "text" name = "area" /> </p>
			</form>
			
		</body>
	</html>
		

I want to use the phone number entered by the user in main.php in newcustomer.php. The sessions don't work. I am unable to even display the value. I want to insert that phone no. in my oracle database. Please Help.

Unfortunately, our mind-reading skills are limited, so "doesn't work" doesn't tell us anything.

 

Does the session value get set? Check the session file in the save path. Does the session get resumed? Check the session ID in the session cookie and compare it with the expected ID.

 

Your overall programming style is rather flaky with this random use of the htmlentities() function (which is strictly for HTML-escaping), random formatting, random jumps from PHP to HTML to SQL and back again, total lack of validation. There's definitely room for improvement.

By "doesn't work" I mean that the program runs perfectly except it does not display the session variable. The session is set as it does not display the error message too (variable not set).

I don't know how to check the session id and all that you mentioned. I am very new to PHP. I want to use the phone number entered by the user in "main.php". Check whether the number exists in the database or not. If not then add it along with other details in the database. The code certainly needs improvement like you mentioned about validation and other things. That can be done later too. For now the focus is on getting the value of the session variable. The output when I run the "newcustomer.php" is as follows:

 

Array ([var] =>)

Phone Number:

Enter Address:

Enter Area:

 

That's exactly what I get as output when I enter a phone number which is not present in the database.  

So your sessions work just fine. You simply overwrite the previous value with the nonexistent $_POST["cust_phone"] parameter when you submit the second form. This triggers the code of options.php all over again.

 

Long story short: No, you cannot fix your code later. You need to do it now. Organize your scripts and don't mix different forms and languages.

You really need to think about how to program.  You have all these pieces that could be just one script.  Why have a php script that doesn't even contain php code?

 

You need to start by learning, not by (apparently) copying code and trying to make it work.  Find a good tutorial and start at the beginning.

Again: Organizing the code is the solution. This is what you need to do to solve your problem. It doesn't make sense to come up with a workaround for your current code, then throw it all away and finally implement the real solution. Do it now.

 

Before you start writing code, you should come up with a proper concept which is both user-friendly and technically clean. How about this:

  • One script deals exclusively with the user(?) entering their telephone number. This script displays the form, validates the input, checks if the number is registered, stores it in the session and also shows a link to the "new user" form.
  • Another script takes care of new user registrations. This again includes input validation and database queries.
  • A third script is for displaying the data of an existing user.

This completely separates the different aspects, so there are no collisions between the different forms. One script takes care of one form.

As crazy as the syntax may look, it's actually very close to valid legacy HTML. Besides that, browsers can recover from almost anything.

 

Of course that doesn't mean writing HTML markup which looks like your cat jumped on the keyboard is in any way recommended.

some tips - 

 

1) you need to set php's error_reporting to E_ALL and display_errors to ON, in the php.ini on your development system, to get php to help you. the current problem would be throwing an undefined index error upon the attempt to assign the post variable to the session variable, at the point in time the post variable doesn't exist. this error message, upon the second form submission, but not the first, would have alerted you that your program is not receiving the input that it expects.

 

2) each section of form processing code needs to be conditionally executed, only when the expected form has been submitted. you need logic to detect that a post method form has been submitted at all, and if code on any page handles more than one form, further logic to detect which form has been submitted. this will prevent any section of form processing code from being executed when there isn't any form data to use as its input.

 

3) all the post method form processing code needs to be near the top of your file, before you start the html document. the output/result from the form processing code will either be errors (stored in an array), that need to be displayed, or successful completion of the form processing code. at the point you are at now, just displaying a success message and providing a navigation link to the next step in the process would suffice when the form processing code is successful.

 

4) as already stated, the form and form processing code for any particular step needs to be on the same page. this will allow you to re-display the form when you display any validation errors for that form's data.

 

5) you need to completely separate your database dependent code (that knows how to query for and retrieve data) from your presentation code (that knows how to produce the output from the data.) this will make it easier to design, write, and test your code or to change the database dependent code for a different database type. the way to do this is to simply fetch the data from any query into an appropriately named php variable (an array variable for a set of data) and then just use that variable as the input to the presentation code.

 

next, what you are trying to do, doesn't make complete sense -

 

1) just knowing a phone number (or a bot script submitting sequential numbers) should not be enough to identify/authenticate who a visitor is and allow access to any personal data. you need an actual user authentication system, with a username/email and a password to authenticate who a visitor is. at the point of needing the personal data, you need to give the option (navigation links) of logging in, for an existing user, or registering, as a new user. the user authentication system would store the user id in a session variable. you would query for any personal data using the user id from this session variable.

 

2) unless it is due to wrong wording/copy-paste in the output - "No Order found. New Order?", just the existence of a record in the customer table doesn't indicate the existence or absence of an order. the existence of a record in the customer table just indicates the existence of a customer, who can either have or not have any order(s). the existence of a cart or an order is dependent on the existence of cart/order data for the current visitor.
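The structure the replies describe (form processing at the top, run only on a POST of this form, errors collected in an array, database code separated from output, escaping only at output), shown as an added example that is not code from any poster in this thread. The file name `phone.php`, the session key `cust_phone`, the `DB_USER`/`DB_PASS`/`DB_DSN` environment variables and the 7-to-15-digit rule are assumptions made for illustration; the table and column names are the ones in the original post.

```php
<?php
// phone.php (hypothetical file name): one script owns one form.
session_start();

// Database-dependent code, kept apart from presentation. Returns CUST_ID or null.
function find_customer_id($link, string $phone): ?string
{
    $stmt = oci_parse($link, 'select CUST_ID from customer where CUST_PHONE = :bv_ph');
    oci_bind_by_name($stmt, ':bv_ph', $phone);
    oci_execute($stmt);
    $row = oci_fetch_array($stmt, OCI_ASSOC);
    oci_free_statement($stmt);
    return $row === false ? null : (string) $row['CUST_ID'];
}

$errors = [];
$phone = '';
$customerId = null;
$done = false;

// Form processing runs only when this form has actually been submitted.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['cust_phone'] ?? '';
    $phone = is_string($raw) ? trim($raw) : '';
    // Assumed validation rule for illustration: 7 to 15 digits.
    if (!preg_match('/^[0-9]{7,15}$/', $phone)) {
        $errors[] = 'Enter a phone number of 7 to 15 digits.';
    } else {
        // Credentials come from the environment (placeholder names, an assumption).
        $link = oci_connect(getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_DSN'));
        if (!$link) {
            $errors[] = 'Database unavailable.';
        } else {
            $customerId = find_customer_id($link, $phone);
            oci_close($link);
            $_SESSION['cust_phone'] = $phone; // raw validated value; escape on output only
            $done = true;
        }
    }
}
?>
<!DOCTYPE html><html><body>
<?php foreach ($errors as $e): ?><p><?= htmlspecialchars($e) ?></p><?php endforeach; ?>
<?php if ($done): ?>
  <p><?= htmlspecialchars($phone) ?>: <?= $customerId === null ? '<a href="newcustomer.php">New customer</a>' : 'Existing customer' ?></p>
<?php else: ?>
  <form method="post"><input type="text" name="cust_phone" value="<?= htmlspecialchars($phone) ?>"> <input type="submit" value="Submit"></form>
<?php endif; ?>
</body></html>
```

Because the session is written only inside the validated POST branch, a later request that carries no `cust_phone` field cannot overwrite the stored number with an empty value.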
