Have I been sold a bill of goods?

I had a registration process with multiple iterations of the same page, with the $_POST data determining what form to print for the next bit of user input. At each stage, I was inserting a record into a DB.

I decided, with help from folks here, that I needed to store the data until the user, on the last iteration of the page, had a chance to confirm the whole thing, and then insert all the records into the DB at once. This was to be my big introduction to the $_SESSION variable.

Well, after I assign $_POST values to $_SESSION elements, I can't read them. They're not there. I have done extensive testing. What am I doing wrong???? Is there something besides calling session_start() at the top of the page that I need to do, to initialize the $_SESSION variable?

The first part of my script is below. You'll see my debugging code at the bottom of the switch statement. I'm going nuts.
<?php
session_start();

// make sure they got here normally
if (!$trngSessID) {
echo "<meta http-equiv=\"refresh\" Content=\"0;URL=index.php\">";
exit;
}
print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Washington Workforce Association - Training Registration: '.$arrayTrngSess['SessionTitle'].'</title>
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="Washington Workforce Association">
<meta name="generator" content="AceHTML 6 Pro">
<link rel="stylesheet" href="http://www.washingtonworkforce.org/styles/style.css" type="text/css">';
require("/usr/www/users/washing3/includes/embed_menu_style.inc");
// now open the db
$connx = connect_db("washing3_Training") or die("Unable to connect to database.");
// use the trngSessID to get display info
$qryTrngSess = mysql_query('SELECT tblSessions.* FROM tblSessions WHERE tblSessions.SessionID = '.$trngSessID.';');
$arrayTrngSess = mysql_fetch_array($qryTrngSess, MYSQL_ASSOC);
// let's get the rest of the HTML header in there
// and the title and menu bars, etc...
print '</head><body bgcolor="#FFFFFF">';
if ($_COOKIE['view']=='public') {
require("/usr/www/users/washing3/includes/start_public_page.inc");
}
else {
require("/usr/www/users/washing3/includes/start_prof_page.inc");
}

print '<h2>'.$arrayTrngSess['SessionTitle'].'</h2>
<hr size="3" color="#0000B7">
<div class="floatrightcentered">
<a href="'.$arrayTrngSess['FlyerURL'].'" alt="Download event flyer" target="_blank"><b>Download Event Flyer</b></a>
<br><br><a href="'.$arrayTrngSess['MapquestURL'].'" alt="View map to training site" target="_blank"><b>View map to training site</b></a>
<br><br><a href="cancellation_policy.php" alt="Read cancellation policy" target="_blank"><b>Payment and cancellation policy</b></a>
</div>
<h3>A WWA sponsored training presented by</h3>
<h2>'.$arrayTrngSess['PresenterFName'].' '.$arrayTrngSess['PresenterLName'].'</h2>';

// everything after this is in functions called by this switch statement, depending on $_POST data
// the process in this control structure starts from the bottom up
switch (TRUE) {
case isset($_POST['cancel']):
cancel();
break;
case isset($_POST['confirm']):
confirm();
break;
case isset($_POST['update']):
update();
break;
case isset($_POST['edit']):
edit();
break;
case isset($_POST['finished']):
insert_partic_print_partic_form();
break;
case isset($_POST['add_another']):
insert_partic_print_partic_form();
break;
case isset($_POST['reg_org']):
insert_org_print_partic_form();
break;
case $_POST['theLoc']:
$_SESSION['LocationID'] = $_POST['theLoc'];
print_org_form(); // I know that if I see this form, the value assignment above it has been executed
break;
case !$_POST:
$_SESSION['trngSessID'] = $trngSessID;
$_SESSION['SessionCost'] = $arrayTrngSess['SessionCost'];
print_intro_form();
break;
}
// debugging
if (isset($_POST['theLoc'])) {
print '<h3>$_POST["theLoc"] = '.$_POST['theLoc'].'</h3>';
}
else {
print '<h3>No $_POST!</h3>';
}
if (isset($_SESSION['LocationID'])) {
print '<h3>'.$_SESSION['LocationID'].'<br>'.$_SESSION['trngSessID'].'<br>'.$_SESSION['SessionCost'].'</h3>';
}
else {
print '<h3>No $_SESSION["LocationID"]!</h3>';
}
// **************************************************************************************************** **************
function print_intro_form() {
// etc. etc. etc.

just curious, didn't read the entire thing yet, but


<?php
session_start();

// make sure they got here normally
if (!$trngSessID) {
echo "<meta http-equiv=\"refresh\" Content=\"0;URL=index.php\">";
exit;
}


How is that ever false if you're not defining it before?

$trngSessID is part of the GET string...not part of $_SESSION

This looks a bit suspicious to me:

case !$_POST:

I think $_POST will evaluate as "array", not as a 0/1 or True/False, so I'm not sure what would happen here. Perhaps try:

case !count($_POST):

?

$trngSessID is part of the GET string...not part of $_SESSION

is register globals on then? If that's the case you can't assume anything will work properly.

This looks a bit suspicious to me:

case !$_POST:



That part works, Nog. The statement appears to evaluate as True when there's been no form data sent yet. Problems don't start until a little further along.

Thanks!

is register globals on then? If that's the case you can't assume anything will work properly.

Ah!
I have no idea! How do I turn it on?
<sound of strBean logging on to php.net>

I added this to my .htaccess file in my root directory:

php_flag register_globals on

Still not working...

What type of server are you on? I am not 100% sure but i think that .htaccess does not work on windows, don't quote me on this.

What type of server are you on? I am not 100% sure but i think that .htaccess does not work on windows, don't quote me on this.
Unix FreeBSD

FYI, you should develop all code so it'll work with register_globals off, because that provides a large security hole for most things.

Okay. All of this is new to me.

Can you look at my code above and tell me if it should work with register_globals off, and if not, how I can store data for a DB insert at the end of the process, without assigning all the values to hidden form inputs and passing them in $_POST

you want register globals off, not on. with them on, $_SESSION['user'] and $_POST['user'] are both the var $user

It looks like it would if you fix that variable at the top which isn't defined. As for the rest of your script, you've got some large logic errors, like using an array before you've assigned it as the result of a mysql_query and such.

It looks like it would if you fix that variable at the top which isn't defined. As for the rest of your script, you've got some large logic errors, like using an array before you've assigned it as the result of a mysql_query and such.
Okay, I changed the first variable, which seemed like it was working already, but it still works after I changed it:
<?php
session_start();

// make sure they got here normally
if (!$_GET['trngSessID']) {
echo "<meta http-equiv=\"refresh\" Content=\"0;URL=index.php\">";
exit;
}
print '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Washington Workforce Association - Training Registration: '.$arrayTrngSess['SessionTitle'].'</title>
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="Washington Workforce Association">
<meta name="generator" content="AceHTML 6 Pro">
<link rel="stylesheet" href="http://www.washingtonworkforce.org/styles/style.css" type="text/css">';
require("/usr/www/users/washing3/includes/embed_menu_style.inc");
// now open the db
$connx = connect_db("washing3_Training") or die("Unable to connect to database.");
// use the trngSessID to get display info
$qryTrngSess = mysql_query('SELECT tblSessions.* FROM tblSessions WHERE tblSessions.SessionID = '.$_GET['trngSessID'].';');
$arrayTrngSess = mysql_fetch_array($qryTrngSess, MYSQL_ASSOC);
// let's get the rest of the HTML header in there
// and the title and menu bars, etc...
print '</head><body bgcolor="#FFFFFF">';
if ($_COOKIE['view']=='public') {
require("/usr/www/users/washing3/includes/start_public_page.inc");
}
else {
require("/usr/www/users/washing3/includes/start_prof_page.inc");
}

print '<h2>'.$arrayTrngSess['SessionTitle'].'</h2>
<hr size="3" color="#0000B7">
<div class="floatrightcentered">
<a href="'.$arrayTrngSess['FlyerURL'].'" alt="Download event flyer" target="_blank"><b>Download Event Flyer</b></a>
<br><br><a href="'.$arrayTrngSess['MapquestURL'].'" alt="View map to training site" target="_blank"><b>View map to training site</b></a>
<br><br><a href="cancellation_policy.php" alt="Read cancellation policy" target="_blank"><b>Payment and cancellation policy</b></a>
</div>
<h3>A WWA sponsored training presented by</h3>
<h2>'.$arrayTrngSess['PresenterFName'].' '.$arrayTrngSess['PresenterLName'].'</h2>';

// everything after this is in functions called by this switch statement, depending on $_POST data
// the process in this control structure starts from the bottom up
switch (TRUE) {
case isset($_POST['cancel']):
cancel();
break;
case isset($_POST['confirm']):
confirm();
break;
case isset($_POST['update']):
update();
break;
case isset($_POST['edit']):
edit();
break;
case isset($_POST['finished']):
insert_partic_print_partic_form();
break;
case isset($_POST['add_another']):
insert_partic_print_partic_form();
break;
case isset($_POST['reg_org']):
insert_org_print_partic_form();
break;
case $_POST['theLoc']:
$_SESSION['LocationID'] = $_POST['theLoc'];
print_org_form(); // I know that if I see this form, the value assignment above it has been executed
break;
case !$_POST:
$_SESSION['trngSessID'] = $_GET['trngSessID'];
$_SESSION['SessionCost'] = $arrayTrngSess['SessionCost'];
print_intro_form();
break;
}
// debugging
if (isset($_POST['theLoc'])) {
print '<h3>$_POST["theLoc"] = '.$_POST['theLoc'].'</h3>';
}
else {
print '<h3>No $_POST!</h3>';
}
if (isset($_SESSION['LocationID'])) {
print '<h3>'.$_SESSION['LocationID'].'<br>'.$_SESSION['trngSessID'].'<br>'.$_SESSION['SessionCost'].'</h3>';
}
else {
print '<h3>No $_SESSION["LocationID"]!</h3>';
}
// **************************************************************************************************** **************

So anyway. If this is what you mean by "fix" that variable, it didn't change how the rest works.

Logic errors: I'm not surprised; I'm relatively new to PHP. But my queries are working. Specifically which one have I not assigned to an array before using the array?

Oops. Found it. It was where I was using a value in the page title, and I must have moved some code around. Thanks.

you want register globals off, not on. with them on, $_SESSION['user'] and $_POST['user'] are both the var $user
Thanks, chazzy. I misunderstood. I've got it turned off now, although it was probably already off by default.

Incidentally, I just installed PHP 5.1.1, because my host server had 4.3.10, and wasn't in a hurry to upgrade. That didn't fix it either.

after session_start, try adding:

print_r($_SESSION); and see what's displayed. that'll tell you if anything's getting set.

after session_start, try adding:

print_r($_SESSION); and see what's displayed. that'll tell you if anything's getting set.

It's getting set, and on the next iteration, it's getting erased.

$_SESSION should be available inside a function, correct? Both to read from and write to?

and on the next iteration, it's getting erased.
You have no iterations in which it may "get erased".

You aren't by any chance shifting between secure and non-secure pages in this sequence? If so, the session cookie does not transfer between them.

All http://, no https://