User value in PHP not showing in one scenario

User submits username from p1.html, p2.php does the authorization work with db.php as required file and upon successful authorization, it directs the user to p3.php.

I am noticing strange behavior, or maybe I am making some mistake and am not able to identify it right now.

Case 1 with No Errors:

When I comment out the line print "self.location='p3.php';"; in p2.php, my control after form submission is going to halt at db.php. And hence, I can see the username getting printed by the following line in db.php.

    echo "Test for db user variable in databaseconn.php:";
    var_dump($user);

p1.html

<form method="post" action= "p2.php"  name="lform">
  <span class="style1">User Name :</span>  
    <input type="text" name="user" size="25">
    <input type="submit" value="login">
</form> 

p2.php

    <?php
    session_start();
    $user = $_POST["user"];
    $_SESSION['username'] = $user;
    require('../myDBFolder/db.php');
    $sql = "SELECT * FROM $table_name_users WHERE username = \"$user\"";
    // mysqli_error() takes the connection handle, not the SQL string
    $result = mysqli_query($connection, $sql) or trigger_error("Couldn't Execute Query in page2.php: " . mysqli_error($connection));
    $num = mysqli_num_rows($result);

    if ($num != 0) {

        print "<script>";
        print "self.location='p3.php';";
        print "</script>";

    } else {
        echo "<p>you're not authorized";
    }

    ?>

p3.php

<?php
session_start();

require('../myDBFolder/db.php');

$user = $_SESSION['username'];
$sql = "SELECT * FROM $table_name_data WHERE username = '$user'";
$result = mysqli_query($connection,$sql) or trigger_error("Could Not Execute  the Query ! :   ". mysqli_error($connection));

?>

db.php

<?php

$db_server = "localhost"; 
$db_name = "PracticeDB"; 
$db_user = $user;    // This is Line #21 from the error log for Undefined User variable

$table_name_data = "collegestudents";

echo"Test for db user variable in databaseconn.php:";
var_dump($user);


$connection = mysqli_connect($db_server,$db_user) or trigger_error("Could Not Connect to the Database :   ". mysqli_connect_error(), E_USER_ERROR);
$db = mysqli_select_db($connection,$db_name) or trigger_error("Could Not Select the Database : " . $db_name . ':' .mysqli_error($connection));
?>

PHP reads from top to bottom. If a variable isn’t defined in your script BEFORE you call it, it will generate an error.

So the first one will echo out fine as you are defining the variable $user before calling the require

$user = $_SESSION['username']; // user defined before calling
require('../myDBFolder/db.php'); // calling use -> no errors

require('../myDBFolder/db.php'); // calling BEFORE defining the variable
$user = $_SESSION['username']; // error
1 Like

Also you’re a sitting duck for SQL Injection attacks. You need to use prepared statements whenever the data being used in a query has been submitted by the user.

1 Like
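
The prepared-statement advice above, applied to the username lookup in p2.php. This is an added example, not code from any poster in the thread. It assumes `$connection` is the mysqli handle opened by db.php and that the users table is called `users` (the thread never shows the value of `$table_name_users`); `username_exists()` and `ALLOWED_TABLES` are hypothetical names.

```php
<?php
// Added example: p2.php's lookup with a bound parameter instead of string
// interpolation. The table name 'users' is an assumption, see above.
session_start();

$user = $_POST['user'] ?? '';          // defined before db.php, which reads $user
require '../myDBFolder/db.php';        // sets $connection (path from the thread)

// Make a failed prepare()/execute() throw instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Identifiers cannot be bound as parameters, so a table name held in a
// variable is checked against a fixed allowlist before it reaches the SQL.
const ALLOWED_TABLES = ['users', 'collegestudents'];

function username_exists(mysqli $connection, string $table, string $user): bool
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('Unexpected table name');
    }
    // The ? placeholder is sent separately from the SQL text, so $user is
    // only ever compared as a value, whatever characters it contains.
    $stmt = $connection->prepare(
        "SELECT 1 FROM `$table` WHERE username = ? LIMIT 1"
    );
    $stmt->bind_param('s', $user);     // 's' = bind as string
    $stmt->execute();
    $stmt->store_result();             // buffer rows so num_rows is valid
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

// Reject arrays (user[]=...) and empty input before touching the database.
if (is_string($user) && $user !== ''
        && username_exists($connection, 'users', $user)) {
    $_SESSION['username'] = $user;     // store only after the lookup succeeds
    print "<script>self.location='p3.php';</script>";
} else {
    echo "<p>you're not authorized</p>";
}
```

The query in p3.php interpolates `$_SESSION['username']` in the same way and needs the same treatment, since that session value originates from the submitted form.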

Thanks. That solved my problem.

Thanks. Yeah, that’s my next task.
