$_SESSION 变量只存储一些值

Question

我有一个名为 login.php 的登录页面，其中包含以下 php 代码：

  <?php
    session_start();
    include ('databaseconnect.php');

 if(isset($_POST['login'])){
   $username = mysqli_real_escape_string($db, $_POST['username']);
   $password = mysqli_real_escape_string($db, $_POST['password']);

 $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
 $result = mysqli_query($db, $query);

 if (mysqli_num_rows($result) == 1) {
    $username = mysqli_fetch_assoc($result);
 if ($username ['user_type'] == 'owner') {
        $_SESSION['username'] = $username['Username'];    
        $_SESSION['userid'] = $userid['Userid'];          
        $_SESSION['user_type'] = $user_type['user_type']; 
        header('location:adminmain.php');
}else{
    $_SESSION['username'] = $username['Username'];       
    $_SESSION['userid'] = $userid['Userid'];             
    $_SESSION['user_type'] = $user_type['user_type'];    
    header('location:usermain.php');
      }
     }
    }
   }
  ?>

假设一个人的“用户名”、“用户名”和“用户类型”从他们登录时起就在 $_SESSION 中。当一个人登录时，会有一个名为 create_topic.php 的页面，其中包含以下代码：

    <?php
      include ('dataconnect.php');

      $sql1= "SELECT Categoryid, Categoryname, Categorydescription 
             FROM Categories"; 
      $result1 = mysqli_query($db,$sql1);

   if (!$result1)
      {
     echo "No Category Found, Contact the administrator" </p>; 
      }

   function getPosts()
   {
    $posts = array();
    $posts[0] = $_POST['topic_subject'];
    $posts[1] = $_POST['topic_category'];
    $posts[2] = $_SESSION['username']; var_dump($_SESSION);
    return $posts;
   } 

   if (isset($_POST['createtopicbutton'])) 
    {  

   $data = getPosts();

   $sql2 = "INSERT INTO Topics(Topic_subject, Topic_category, Topic_by)          
              VALUES('$data[0]','$data[1]', '$data[2]')";

   $result2 = mysqli_query($db,$sql2);

   if ($result2)
    {
       echo  "<p> Topic Successfully Created </p>";
  }else{
       echo "<p> Topic NOT! Successfully Created, Contact the administrator 
              </p>. mysqli_error($db); 
       } 
      }
    ?>   

但是，当执行上述代码时，出现以下错误：

您的 SQL 语法有错误；检查手册 对应于您的 MySQL 服务器版本，以便使用正确的语法 靠近第 1 行的“不正确的整数值：”列“Topic_by” VALUES('t' 在第 1 行。

所以我做了一个 var_dump 我发现了这个：

 array (size=3)
 'username' => string 'Owner1' (length=6)
 'userid' => null
 'user_type' => null. 

所以我特别要问的是如何存储“用户名”但“用户 ID”和“用户类型”在 login.php 页面上声明时为空。您的帮助和帮助将不胜感激。

Answer 1

你的变量不正确，试试：

 if (isset($_POST['login']))
{
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    $query = "select Username, Userid, user_type from Users
           where username = '$username'
           and password = '$password' LIMIT 1";
    $result = mysqli_query($db, $query);

    if (mysqli_num_rows($result) == 1)
    {
        $user = mysqli_fetch_assoc($result);
        if ($user ['user_type'] == 'owner')
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:adminmain.php');
        } else
        {
            $_SESSION['username'] = $user['Username'];
            $_SESSION['userid'] = $user['Userid'];
            $_SESSION['user_type'] = $user['user_type'];
            header('location:usermain.php');
        }
    }
}

仅定义了 $username，$userid 和 $user_type 未定义，user_type 和 userid 是 $username 的索引而不是单独的变量。所以，改用$user，这样会更易读。

警告！

Little Bobby 说 your script is at risk for SQL Injection Attacks. 了解 prepared 对 MySQLi 的声明。即使escaping the string 也不安全！