0

Here is where I am setting my session variables.

    function validateUser()
    {
        session_regenerate_id (); //this is a security measure
        $_SESSION['user'] = $_POST['username'];
        $_SESSION['valid'] = 1;
        $_SESSION['firstname'] = $firstname;
        $_SESSION['lastname'] = $lastname;
    }

This is what print_r ($_SESSION) echoes.

Array ( [user] => aboshart [valid] => 1 [firstname] => [lastname] => )

If I echo $firstname and $lastname I get the proper values. What am I doing wrong?

1
  • $_SESSION vars are usually considered trusted, as it is the developer who specifies what data the value is. You are setting a $_SESSION var to an unsanitized user-supplied var by not sanitizing or validating $_POST['username']. Please do so before you accidentally use $_SESSION['user'] somewhere it can cause harm, like in a database query. I assume you want a secure app, judging from your PHP code comment. Commented Nov 30, 2012 at 19:44

1 Answer

3

You're not passing $firstname or $lastname to the function.

function validateUser($firstname, $lastname)
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['user'] = $_POST['username'];
    $_SESSION['valid'] = 1;
    $_SESSION['firstname'] = $firstname;
    $_SESSION['lastname'] = $lastname;
}

$_POST and $_SESSION should be within scope, but the others aren't.

2 Comments

What he said; plus, as a rule, watch the error log for notifications and warnings.
Thanks! This is exactly what I need. The $_POST variable is there just to demonstrate that the validateUser function is working to set session variables. I will not be using it in live code.
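
An added example, not part of the original answer or comments: it combines the parameter fix from the answer with the input validation that the comment on the question asks for. The function name establishSession, the username pattern and the sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Added example; establishSession() and the username pattern are assumptions.

/**
 * Store an authenticated user's details in the session.
 * Everything the function needs arrives as a parameter: a PHP function does
 * not see variables from the calling scope, only superglobals like $_SESSION.
 */
function establishSession(string $username, string $firstname, string $lastname): bool
{
    // Allow-list check, so arbitrary request data is never stored as
    // trusted session state.
    if (preg_match('/\A[a-z0-9_]{3,32}\z/i', $username) !== 1) {
        return false;
    }

    // Passing true deletes the old session data, so a session ID issued
    // before login cannot be reused afterwards.
    session_regenerate_id(true);

    $_SESSION['user']      = $username;
    $_SESSION['valid']     = 1;
    $_SESSION['firstname'] = $firstname;
    $_SESSION['lastname']  = $lastname;
    return true;
}

session_start();

// Constructed sample input standing in for a submitted login form.
$_POST['username'] = 'aboshart';
$firstname = 'Ada';      // constructed value
$lastname  = 'Example';  // constructed value

// Reject array or missing values before they reach the typed function.
$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';

if (establishSession($username, $firstname, $lastname)) {
    print_r($_SESSION);
} else {
    echo "Rejected username\n";
}

// A value with quote characters fails the allow-list and the session is left unchanged.
var_dump(establishSession("x' OR '1'='1", $firstname, $lastname));
```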
