[RESOLVED] Using a SESSION variable in a SELECT statemnt

cybastud

I'm trying to retrieve and display member information for the currently logged in user, below is what I have so far but its not working. The first part welcoming the user does work so the username is stored successfully in the session...any assistance will be appreciated.🙂

session_start(); // start a session
	if(!isset($_SESSION['username'])){ // check if the username is not stored in the session
	    header("location:index.php"); // redirect to index.php page
	}
	else {
		echo "Welcome to your account ", ($_SESSION['username']);

}

$SQL = "Select * FROM membership_info WHERE username = " + ($_SESSION['username']) + "";
	$result = mysql_query($SQL);

while($row = mysql_fetch_array($result)){ // loop part of the query that loops through each row
	$member_id=$row['member_id']; 
	echo "<tr><td>"; 
	echo $row['title']; 
	echo "</td><td>"; 
	echo $row['name']; 
	echo "</td><td>"; 
	echo $row['surname']; 
	echo "</td><td>"; 
	echo $row['id'];  
	echo "</td><td>";
	echo $row['bank'];  
	echo "</td><td>";
	echo $row['card'];  
	echo "</td><td>";
	echo $row['debit'];  
	echo "</td><td>";
	echo $row['member_type'];

bradgrafelman

String concatenation in PHP is done using a period, not a plus sign. See the manual page [man]operators.string[/man] for more info.

cybastud

Hi. Thanks

I tried this now

$SQL = "Select * FROM membership_info WHERE username = ".($_SESSION['username'])."";

but its still not displaying the username's details that is stored in the session.

Any ideas?

traq

strings need to be quoted in SQL.

$SQL = "Select * FROM membership_info WHERE username = '".$_SESSION['username']."'";

further,
you need to escape strings you use in SQL statements, so you don't accidentally create errors (for example, if your [font=monospace]$SESSION['username'][/font] contains a single-quote, it will break your query):

$SQL = "Select * FROM membership_info WHERE username = '".mysql_real_escape_string( $_SESSION['username'] )."'";

further,
stop using the mysql extension! It is deprecated and will be removed in the future. [man]mysqli[/man] or [man]PDO[/man] are recommended instead.

cybastud

Its working! Thanks🙂