I have a PHP file (approvals.php) that only gets executed on an AJAX call. It has a postgresql query that searches a table and uses a customer id, which is set as a session variable. Problem is, it seems I can't access this session variable in this file. My query is like:

$query = "SELECT merchant_id FROM ndovu_merchant_users WHERE customer_id={$_SESSION['customer_id']}";
$result = pg_query($query);

I have tried to echo the session variable $_SESSION['customer_id'] but nothing. However on passing a fixed value to the query, it returns a result.

  • Where do you assign the value to the session? Commented Oct 10, 2014 at 8:48
  • Have you added session_start(); at the top of your approvals.php file? Please show us more code of your file. Commented Oct 10, 2014 at 8:49
  • Yes I have, but it still doesn't work. The session variables were set in another file. Commented Oct 10, 2014 at 8:54
  • @Naruto the session variable is assigned in a different file that handles user login. Commented Oct 10, 2014 at 8:57
  • @Denny That doesn't matter. SESSIONS carry on through the application until they time out, or are killed. Commented Oct 10, 2014 at 8:58

3 Answers

In your case, I would have checked if the session is set in the first place.

// this should be put at the header of the page, before any output
session_start();

if (isset($_SESSION['customer_id']) && !empty($_SESSION['customer_id'])) {
    echo $_SESSION['customer_id'];
} else {
    echo 'session is not set';
}

You need to place session_start(); above the code section where you use it; the top of the page is usually the best place to place it.

Also, it should be noted: you have what is potentially a large security flaw here, by passing in unescaped data.

You should look into using prepared statements if possible; or at least escape your inputs.

  • Why escape? We know an id is always numerical, right? ctype_digit() or a regular expression match ^[0-9]+$.
  • That would work perfectly fine, yes. In my mind, typecasting or checking for type is a form of escaping anyway. But I still stand by what I said about prepared statements; using them would be the best still. I believe that MySQL (and other databases most likely too) cache prepared statements better than normal queries.
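Putting the two answers above together, this is what the AJAX endpoint can look like once the session check from the first answer and the prepared-statement advice from the second are applied. It is an added example, not the asker's or the answerers' code; it assumes PHP 7.1 or later, the table and column names from the question, and a hypothetical connection string constant PG_DSN that you would replace with your own. The customer id is taken from the server-side session only, validated as numeric, and bound with pg_query_params() instead of being interpolated into the SQL text.

```php
<?php
// approvals.php, hardened version. Added example, not code from the original post.
// Assumes PHP 7.1+, the table/column names from the question, and a hypothetical
// connection string constant PG_DSN; adjust these for your environment.

const PG_DSN = 'host=localhost dbname=ndovu user=app_user'; // hypothetical value

// session_start() must run before any output and before $_SESSION is read.
// A same-origin AJAX request carries the session cookie exactly like a normal
// page load, so the session populated by the login script is available here.
session_start();
header('Content-Type: application/json');

/**
 * Return the logged-in customer's id from the server-side session, or null.
 * Authorisation data comes from the session only, never from GET/POST: a client
 * that could choose its own customer_id could read any other customer's merchants.
 */
function current_customer_id(): ?int
{
    if (!isset($_SESSION['customer_id'])) {
        return null;
    }
    $raw = (string) $_SESSION['customer_id'];
    return ctype_digit($raw) ? (int) $raw : null; // ids are numeric; anything else is rejected
}

/**
 * Look up merchant ids for one customer with a parameterised query.
 * The question's version interpolated the value into the SQL string:
 *   "... WHERE customer_id={$_SESSION['customer_id']}"
 * With pg_query_params() the value travels separately from the statement text,
 * so it cannot change the query's structure whatever it contains.
 */
function merchant_ids_for_customer($conn, int $customerId): array
{
    $result = pg_query_params(
        $conn,
        'SELECT merchant_id FROM ndovu_merchant_users WHERE customer_id = $1',
        [$customerId]
    );
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    $ids = [];
    while (($row = pg_fetch_assoc($result)) !== false) {
        $ids[] = (int) $row['merchant_id'];
    }
    return $ids;
}

$customerId = current_customer_id();
if ($customerId === null) {
    // Tell the AJAX caller it is not logged in instead of running the query anyway.
    http_response_code(401);
    echo json_encode(['error' => 'not authenticated']);
    exit;
}

$conn = pg_connect(PG_DSN);
if ($conn === false) {
    http_response_code(500);
    echo json_encode(['error' => 'database unavailable']);
    exit;
}

try {
    echo json_encode(['merchant_ids' => merchant_ids_for_customer($conn, $customerId)]);
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // details stay in the server log, not in the response
    http_response_code(500);
    echo json_encode(['error' => 'query failed']);
}
```

The 401 status lets the JavaScript side tell "not logged in" apart from "no merchants found", which is the symptom the question describes, and because the id is never read from the request, a caller cannot substitute another customer's id.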
The user session is not accessed when the script is called by an AJAX request. The session token which PHP requires to obtain the session data is stored on the client side (user) inside a session cookie. You can read more here https://stackoverflow.com/a/1535712/3922692

Just pass the user id with GET or POST in the ajax request.

There is not enough code presented, but if you really need to get the id from the session you can use an iframe (which is not recommended), process and fetch the data server side and output it in the iframe.
