Are people just going to start substituting mysql_* with sqlsrv_ now? It’s not going to excuse the fact that you’re wide open to SQL injections. I mean you’re still stuffing the raw data into the query string like it’s 1980. Why are people so backwards with PHP?
Anyways, onto your main concern. Might be this bit
email = '" .$_SESSION[ 'email']. "'";
If you were ACTUALLY doing it correctly, it would have been.
$query = "SELECT image FROM u_login where email = " . $_SESSION[ 'email'];
There’s ABSOLUTELY no reason to add "'" into the query after a variable if the ending part has no more legitimate use.
Using PDO, you just do.
$sql = "SELECT image FROM u_login WHERE email = :email";
$prepare = $db->prepare($sql);
$parameters = array(':email' => $email);
$prepare->execute($parameters);
And with mysqli_*, you do.
$sql = "SELECT image FROM u_login WHERE email = ?";
$prepare = $db->prepare($sql);
$prepare->bind_param('s', $email);
$prepare->execute();
Your problem might also be because you haven’t declared session_start on sample.php. Make sure it’s declared on all files that you want to use $_SESSION on.
Use the View Source feature in your browser and examine the HTML where the header should be. You might just see the include statement, which implies that PHP is not enabled on your server. Or you might see some errors.
Your header.php is flawed in that it includes both CSS and HTML. The CSS part belongs in the <head> section of your document whilst the HTML belongs in the <body> section.
In HTML5 you can use style tags in the body element. Even in most older browsers it will work just fine. Not something to be encouraged perhaps but it will work. I’m guessing that php is not enabled on the server.
Can you point me to some documentation to back that up?
There is no doubt that it works, I see it all the time in various sites, but I don’t believe it is valid html. I think it’s just that modern browsers are very forgiving and good at interpreting broken and invalid code.
Do you have any error reporting?
What errors are you getting?
The error reporting or log should tell you what is going wrong.
That is one possibility, the other is that the include is working, but the code within it is failing.
Looking at the source of the resulting page will quickly tell you which is the case.
It happens. And what was the result of viewing the source of your browser page?
Trying to help you is a two-way street. There are several things that could be wrong and without your feedback, helping you is pretty much a hit or miss type thing.
Guess I can’t because it looks like I was wrong. It is easy to find people who say it is okay but looking at the actual specifications indicates that it is not. I even tried the W3 validator. HTML5 did introduce a “scoped” attribute which would make style legal inside the body, but the attribute does not appear to be supported.
No, I’ve never used legacy functions before and I will mostly never. So if the syntax is wrong, most likely, that’s because I have never used it before since it’s a legacy function. I just assumed that most noobies tend to Copy&Paste from other sources online and they wouldn’t know what they were copying and pasting. Still, having double quotes or single quotes after a variable when the variable has nothing connecting to it is redundant hence why I said what I said.
These 2 lines basically output the same value. However, how does it make any sense adding double quotes and single quotes like this when the ending part is just the variable itself?
$var = 'I am just a var and my value is ' . $_SESSION['var'];
$var = 'I am just a var and my value is ' . $_SESSION['var'] . '';
This line below makes more sense than the last line above.
$var = 'I am just a var and my value is ' . $_SESSION['var'] . ', but I am just another block.';
So that’s what I just assumed OP was doing.
You should go back and re-read OP’s post. It has PHP’s sqlsrv_query function. I am starting to see a trend where half of the PHP users who have been using the old and dead mysql_* functions are now migrating to a different database API. And they aren’t going to change their ways. They are still using legacy codes (stuffing raw data in queries and not preparing them). It’s sad that people are also doing this with PDO as well. They can’t seem to get a grasp on how to secure their codes from attacks.
This is not about legacy functions. This is about plain sql.
$sql = "SELECT * FROM users WHERE email = joe@example.com ";
$sql = "SELECT * FROM users WHERE email = 'joe@example.com' ";
One of the above is valid sql, one is not.
Are you seriously suggesting that developers are moving from mysql to Microsoft SQL Server just because php dropped a legacy mysql interface? sqlsrv is not a generic database interface, it is specific to Microsoft SQL Server just like mysql_ was specific to mysql.
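Added example, not part of any post in the thread: the three ways of building the `u_login` lookup that the thread argues about (unquoted concatenation, quoted concatenation, bound parameter), run against the same inputs. The in-memory SQLite database, the sample rows, the input values and the `images()` helper are constructed for the demonstration and are assumptions, not the original poster's setup.

```php
<?php
// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE u_login (email TEXT, image TEXT)");
$db->exec("INSERT INTO u_login VALUES ('joe@example.com', 'joe.png'),
                                      ('ann@example.com', 'ann.png')");

// Hypothetical helper: run a query and return the image column,
// or the database error text if the statement is rejected.
function images(PDO $db, string $sql, array $params = [])
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_COLUMN);
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Constructed inputs standing in for $_SESSION['email'].
$inputs = [
    "joe@example.com",       // ordinary value
    "o'brien@example.com",   // legitimate value that contains a quote
    "x' OR '1'='1",          // value that rewrites the WHERE clause
];

foreach ($inputs as $email) {
    echo "input: $email\n";

    // 1. Concatenated without quotes: not valid SQL for a string value.
    $unquoted = "SELECT image FROM u_login WHERE email = " . $email;
    echo "  unquoted: " . json_encode(images($db, $unquoted)) . "\n";

    // 2. Concatenated with quotes: valid SQL, but the value is parsed as
    //    SQL text, so a quote inside it breaks or changes the query.
    $quoted = "SELECT image FROM u_login WHERE email = '" . $email . "'";
    echo "  quoted:   " . json_encode(images($db, $quoted)) . "\n";

    // 3. Bound parameter: the value is sent as data and never parsed as SQL.
    $bound = "SELECT image FROM u_login WHERE email = :email";
    echo "  bound:    " . json_encode(images($db, $bound, [':email' => $email])) . "\n";
}
```

Only the bound form treats all three inputs as plain values: it returns the one matching row for the first input and no rows for the other two. With `sqlsrv`, the same binding is done by using `?` placeholders and passing the values as the third argument to `sqlsrv_query()`.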