
Course: PHP > Integrating PHP with Databases > Using Relational Tables > Preparing SQL Statements

Alex Flores
7,864 Points

Confused on _GET and _POST when querying data from PHP?

I have a file (settings.php) which has customer information on it. I'm pulling that customer information from the database using a function:

function pull_customer_account($id, $table, $condition) {
    include("connection.php");
    try {
        $results = $db->query ("SELECT * FROM `$table` WHERE `$condition` = '$id'");
        $customer_account_info = $results->fetchall(PDO::FETCH_ASSOC);
        return $customer_account_info;

    } catch (Exception $e) {
        echo "Failed";
        exit; 
    }
}

function get_item_html($item) {
    $output = $item["media_id"];

    return $output;
}

This function is called as soon as the user arrives on the page (updating their information). Based on what Alena has said, I should sanitize my data every time the database is being queried, but how would I do that in this case when I don't use _GET or _POST?

Thanks

If you are positive that the output will never be user data then you can skip sanitation if you want. However, I would highly recommend implementing automatic sanitation on output or using a template engine like Twig or Plates to do this.

Caleb Kleveter
Treehouse Moderator 37,862 Points

Alex, I am sorry, but I am not very proficient in PHP so I won't be able to help you. Hope you find the answer to your problem!

Alex Flores
7,864 Points

@Ben Payne - I'm sorry, but could you explain what you mean by the output never being user data?

Seth Kroger
56,413 Points

Meaning it never comes from, or is ever derived from, data that comes in through a form or a URL. For instance, if the id is the id for the currently authenticated user, that's ok because it should be validated and have some security if you're using a decent authentication scheme/library. If the username or id is supplied through the URL or a form, then no.
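Seth's distinction in working code, as an added example that is neither the poster's nor the course's code: the lookup from the question rewritten with a PDO prepared statement and a fixed list of allowed table/column names, then called once with an id from the session and once with an id from the URL. `connection.php` providing `$db`, the `ALLOWED_LOOKUPS` names, and `$_SESSION['user_id']` are assumptions.

```php
<?php
// Added example, not the poster's code: the same lookup rewritten so that the
// value is bound with a PDO prepared statement and the identifiers are
// checked against a fixed list. Assumes connection.php sets $db to a PDO
// object configured with PDO::ERRMODE_EXCEPTION, and that the login code
// stores the authenticated user's id in $_SESSION['user_id'] (assumption).

// Identifiers (table and column names) cannot be bound as parameters, so
// the function only accepts pairs listed here. Constructed sample names.
const ALLOWED_LOOKUPS = [
    'customers' => ['id', 'email'],
    'media'     => ['media_id'],
];

function pull_customer_account($id, $table, $condition) {
    include("connection.php");

    if (!isset(ALLOWED_LOOKUPS[$table])
        || !in_array($condition, ALLOWED_LOOKUPS[$table], true)) {
        throw new InvalidArgumentException("Lookup not allowed: $table.$condition");
    }

    // The value travels separately from the SQL text, so whatever $id holds
    // is treated as data and can never change the shape of the statement.
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE `$condition` = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

session_start();

// The case Seth calls fine: the id comes from the session that the login
// code already validated, not from the request.
$own = pull_customer_account($_SESSION['user_id'], 'customers', 'id');

// The case Seth says is not fine: the id arrives in the URL. The prepared
// statement still keeps it as data, but its shape should be validated and
// the app must decide separately whether this user may see that record.
$requested = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($requested === null || $requested === false) {
    http_response_code(400);
    exit('missing or invalid id');
}
if ($requested !== (int) $_SESSION['user_id']) {
    http_response_code(403);   // not this user's record: refuse, don't query
    exit('forbidden');
}
$record = pull_customer_account($requested, 'customers', 'id');
```

The ownership check at the end is deliberately the simplest possible one; in a real application it would be whatever rule says which records a logged-in user may read.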

Alex Flores
7,864 Points

Seth Kroger you phrased that very eloquently and teed me up perfectly for my next question. What other ways are there to request information from the database? I know there is both GET and POST which goes through the URL (right?). Then there's direct requests, right? Is that what they're called?