会话变量未以php和mysql形式插入数据库

Question

It is not inserting the session variables like name, id ,email, number like which is stored in $a,$b,$c,$d in pseller.php

This is my login page where i am checking username and password

login.php

  <?php


     error_reporting(E_ALL); // to see if there is error in code


     include "connect_to_mysql.php";
     if(isset($_POST['log']))
     {

      $user= $_POST['user'];
      $pass= md5($_POST['pass']);

      $sql=mysql_query( "select * from reg where username= '$user' AND password='$pass' AND category='product seller' LIMIT 1 ") or die( mysql_error());
      $data=mysql_num_rows($sql);
      if ($data == 1) {
         $_SESSION['name']=$name;
            $_SESSION['id']=$id;
            $_SESSION['phone_no']=$number;
            $_SESSION['email_id']=$email;

        header("location:pseller.php");

       }


    else {
    header("location:login.php?error");

         }
    }
    ?>



         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
           <head>
              <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
                 <title> Log In </title>
                     <link rel="stylesheet" href="style.css" type="text/css" media="screen" />
                      </head>

                   <body>



        <div id="mainWrapper">

     <div id="pageContent"><br /><br /><br />
      <div align="right" style="margin-right:24px; color:#FF0000">

  <br /><br />
  <form id="form" name="form" method="post" action="login.php">
    <h2 style="padding-right:200px;">User Name:</h2>
      <input name="user" type="text" id="user" size="40" style="height:30px;" required placeholder="Enter Email"/>
   <br /><br />
    <h2 style="padding-right:210px;">Password:</h2>
   <input name="pass" type="password" id="pass" size="40" style="height:30px;" required/>
   <br />
   <br />
   <br />

   <img style="padding-right:190px;" src="generate.php"><br /><br />
   <input type="text" name="secure" size="10" required placeholder="Enter The Value" style="padding-right:210px; height:30px;">
       <br />
   <br />
   <br />
     <input type="submit" name="log" id="log" value="Log In"  style="padding-right:40px;" />





  </form>
  <p>&nbsp; </p>
   </div>
    <br />
     <br />
    <br />
   </div>

       </div>
        </body>
         </html>

This is pseller page where I am trying to store session values in variables then inserting in database. but session variables are not inserting data in database and showing the value of v_id v_number as 0 .

pseller.php

    <?php 
    // Parse the form data and add inventory item to the system

    include_once('connect_to_mysql.php');
    session_start();

   if (isset($_POST['p_name'])) {


       $target_dir = "pics/";
       $target_file = $target_dir . basename($_FILES["fileToUpload"]["name"]);
       $imageFileType = pathinfo($target_file,PATHINFO_EXTENSION);
       move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $target_file) ;
       $img_name = $_FILES["fileToUpload"]["name"];


        $a=$_SESSION['name'];
        $b=$_SESSION['id'];
        $c=$_SESSION['phone_no'];
        $d=$_SESSION['email_id'];

     $product_name = mysql_real_escape_string( $_POST['p_name']);
    $price = mysql_real_escape_string($_POST['price']);
    $category = mysql_real_escape_string($_POST['category']);
   $subcategory = mysql_real_escape_string($_POST['subcategory']);
   $category2 = mysql_real_escape_string($_POST['category2']);
    $details = mysql_real_escape_string($_POST['details']);
    // See if that product name is an identical match to another product in the system

  // Add this product into the database now
    $sql = mysql_query("INSERT INTO product (p_name, price, details, category, sub_category, category2, img_name, v_id, v_name, v_number, v_email, date) VALUES('$product_name','$price','$details','$category','$subcategory','$category2','$img_name','$b','$a','$c','$d',now())") or die (mysql_error());



   }
   ?>

Please help me to come out from here.

Answer 1

$_SESSION['id']=$id;
$_SESSION['phone_no']=$number;

only get updated if select with username and password has rowcount 1

Those become variables $b and $c in pseller.php

So if $user and $pass do not get you a row on select from db, you get junk in SESSION .

mysql_num_rows returns number of rows. You are doing LIMIT 3. So if you are 0, 2, or 3, session is in trouble . Why, because your if statement says =1.

Also, you are using a deprecated mysql_* function library and acting directly upon user-supplied values that can render sql injection attacks. Use mysqli or pdo, and see this .

Answer 2

Include session_start(); in your session_start(); in your login.php

$sql=mysql_query("select * from reg where username= '$user' 
AND password='$pass' AND category='product seller'") or die( mysql_error());

Inside the above query, Please make the changes.

Avoid making column names with spaces category='product seller'
Now echo the values under the SELECT * FROM query and the $a, $b, $c, $d to know if you REALLY are taking the values through to the next page. I am pretty much sure that you were not and also @Drew suggested, shift to msqli/PDO .

EDIT:

In your second page pseller.php try to echo and see what you're getting.

 echo   $_SESSION['name'];
 echo   $_SESSION['id'];
 echo   $_SESSION['phone_no'];
 echo   $_SESSION['email_id']; 

No luck? Okay let's just try it this way and see what happens;

 $sql=mysql_query("select * from reg where username= '$user' AND password='$pass'") or die( mysql_error());

      if ($sql) {
while($row=mysql_fetch_array($sql))
{
           echo     $row['name'];
           echo     $row['id'];
           echo     $row['phone_no'];
           echo     $row['email_id'];
 }   
    //        header("location:pseller.php");
           }

Now put the correct username and password (present in the database) and if you can see the echoed values, use sessions to store and use them later on also uncomment the header(); line and you are good to go.

Answer 3

Ok so judging from the question and discussion in the comments, you're lacking proper handling of the user data in login.php .

There are also a couple of other points that are a bit off in your code:

1. You should not the mysql library as it's deprecated. You should either use mysqli, which is a rather easy switch if you're already used to mysql, or use PDO
2. Your code is vulnerable to SQL injection. You should use prepared statements when using user input in SQL queries. More info here for example
3. MD5 is not a very secure option for passwords. You can read more here

Below is a simple example of the PHP part for login.php I threw together based on what information I could gather from your question. It isn't complete for your specific database structure and needs, but should help you forward with your problem:

<?php

  // Define database connection using mysqli
  $mysqli = new mysqli("localhost", "username", "password", "dbname");

  if(isset($_POST['log']))
  {
    $user= $_POST['user'];
    $pass= md5($_POST['pass']); // Should be replaced by secure alternatives

    // Define the SQL query string
    $sql = "SELECT id, name, phone_no, email FROM reg WHERE email = ? AND password = ? LIMIT 1";

    $stmt = $mysqli->prepare($sql); // Prepare the query string
    $stmt->bind_param("ss", $user, $pass); // Define prepared statement parameters

    // Execute the prepared stament
    if ($stmt->execute())
    {
        $result = $stmt->get_result(); // Get the result

        $data = $result->num_rows; // Get number of rows

        if ($data == 1)
        {
          $userdata = $result->fetch_array(MYSQLI_ASSOC); // Get an associative array from the result

          $_SESSION['name'] = $userdata['name'];
          $_SESSION['id'] = $userdata['id'];
          $_SESSION['phone_no'] = $userdata['phone_no'];
          $_SESSION['email_id'] = $userdata['email'];

          header("location:pseller.php");
        }
      }
      else
      {
        header("location:login.php?error");
      }
    }
?>