Problem with a session variable

I have a login form, the username and password that the user enters are saved in session variables. When I try to echo them it works. The problem is when I try to use them in a SQL query.

This works:

$sql3 = "SELECT whatever FROM table WHERE username='any_username_that_I_want'";

But this doesn’t:

$sql3 = "SELECT whatever FROM table WHERE username=$_SESSION['username']";

Is this normal? o_O

for security reasons, imho you should never store the user’s password in a session variable but that is beside the point.

out of curiosity, why are you storing the passowrd in a sesion var.?

anyway, back to your problem.

add the following red debugging lines and post back the results. this will show you the actual query being run.

$sql3 = "SELECT whatever FROM table WHERE username=$_SESSION['username']";
[COLOR=red]echo $sql3;[/COLOR]

The password was stored in a session variable just for debugging reasons, I forgot to mention that :slight_smile:

Back to the problem, I’ve done what you suggested and I get a blank page…

if you got a blank page, then the problem is not necessarily with your query.

there must be some code before

$sql3 = "SELECT whatever FROM table WHERE username=$_SESSION['username']";

that is causing your script to either terminate early or bypass the query.

Do you have;


on top of your page(s)?

good point :slight_smile: but even if it wasn’t there, the echo should have displayed at least part of the query if in fact the script gets to the query with or without session_start()

Then, let’s try to see what the problem is, try:

echo "This is the problem: ".mysql_error();

place that below your $sql3 query.

Before that line I just have this code:

    $conn = mysqli_connect('localhost', 'root', 'root', 'db_name');
      echo 'Database Error: ' . mysqli_connect_error() ;
    echo $_SESSION['username'];


I’ve tried this but I still get a blank page…

Pop the following at the very beginning of your script, and re-try. :wink:

ini_set('display_errors', true);

Still blank. I’m trying this on two different machines, so I don’t think there’s a problem with my server configuration.

Have you tried to put apostrophes around the session variable?

$sql3 = "SELECT whatever FROM table WHERE username=[COLOR="Red"]'[/COLOR]".$_SESSION['username']."[COLOR="Red"]'[/COLOR]";

You, sir, are a genius :smiley:

Just a simple question: why does it only work if you write

'". variable ."'

and not if you write

' variable '


If you take a look at the query, after the session variable have been parsed, if looks something like this:

SELECT whatever FROM table WHERE username='value_from_session'

Thats the result we are looking for, thats how SQL string values need to look.

When you build the query, you build it as a string variable, meaning you put “” around it.

$sql = [COLOR="Red"]"[/COLOR]SELECT whatever FROM table WHERE username='value_from_session'[COLOR="Red"]"[/COLOR]

The session variable also have either “” or ‘’ in it, because its an array.


That means you need to break out of the string, put in the variable, and then go back into the string. The . concatenates string’s.

The confusing issue here, is the mix of both PHP and SQL codes…
blue parts are PHP bits
red parts are SQL bits.

[COLOR="Navy"]$sql3 = "[/COLOR][COLOR="Red"]SELECT whatever FROM table WHERE username='[/COLOR][COLOR="Navy"]".$_SESSION['username']."[/COLOR][COLOR="Red"]'[/COLOR][COLOR="Navy"]";[/COLOR]
[COLOR="Navy"]echo $sql3;[/COLOR]

Do your self a favor, and echo the $sql3 variable, and see what it looks like when its parsed.

On a quick side note… if you have a simple variable, you don’t need to jump in and out of the SQL string…

$username = $_SESSION['username'];
$sql3 = "SELECT whatever FROM table WHERE username='$username'";
echo $sql3;

The result will be the same as before. but perhaps its a little bit easier to read.

Its not recommended, and wastes resources by adding more vairables… but if it helps you to understand what happens, then its ok to do it a few times like that.

Take a really good look at this page:

Very clear explanation, thank you :slight_smile: