Matthew Garza
26,312 Points
php mysql question
I'm developing a site where a user can register, log in, and create a list (in the user's profile). The list is like a grocery list that items will be added to and deleted from. I have the register and log in part down, but I can't get the user's entered data into the user's list. I've tried INSERT INTO and that isn't working; I get an error about duplicate info. The closest I've gotten was with UPDATE, but that just wipes the mock data I previously entered into the database and doesn't display after it's entered. Any tips, or has anyone done something similar?
4 Answers
Pascal Breitrück
Courses Plus Student 3,206 Points
There are some topics you should learn to secure your application:
- SQL Injection
- XSS (Cross-Site Scripting)
- CSRF (Cross-Site Request Forgery)
- Password Hashing
- Session Hijacking
... and so on.
Here are some resources:
https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software
https://php.net/manual/en/security.php
https://phpsecurity.readthedocs.io/en
If you understand OOP, look at Doctrine 2; that's an ORM for database communication. You will love it 😊.
Greets Pascal
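The five topics in the list above, as an added example that is not code from this thread or from the asker's project. It is a minimal registration page for the register/login flow the question describes. It assumes a hypothetical `db.php` that creates a PDO connection in `$pdo` with `ERRMODE_EXCEPTION`, a `users` table with a `password_hash` column (the question only mentions username, email and list, so that column is an assumption), and a hypothetical `login.php` to redirect to:

```php
<?php
// Added example, not code from the thread: minimal working versions of the
// protections in the list above, for the register/login flow the question
// describes. Assumptions: db.php (hypothetical) creates a PDO connection in $pdo
// with ERRMODE_EXCEPTION, and `users` has a `password_hash` column (hypothetical;
// the question only mentions username, email and list).
session_start();
require __DIR__ . '/db.php';

// CSRF: one random secret per session, embedded in every form and checked on each POST.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_check($submitted): bool
{
    // hash_equals compares in constant time, so a wrong token cannot be guessed byte by byte
    return is_string($submitted) && isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

// XSS: every user-supplied value printed into HTML goes through this.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Password hashing: store password_hash() output (salted bcrypt by default), never the password.
function register(PDO $pdo, string $username, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO `users` (`username`, `email`, `password_hash`) VALUES (?, ?, ?)');
    $stmt->execute([$username, $email, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT `password_hash` FROM `users` WHERE `username` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown, so the response time
    // does not reveal which usernames exist.
    $hash = $row ? $row['password_hash'] : password_hash('not-a-real-password', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return false;
    }
    // Session hijacking/fixation: swap the session id once the user is authenticated.
    session_regenerate_id(true);
    $_SESSION['uname'] = $username;
    return true;
}

$error = '';
$username = '';
$email = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $username = trim((string) ($_POST['username'] ?? ''));
    $email    = trim((string) ($_POST['email'] ?? ''));
    $password = (string) ($_POST['password'] ?? '');

    if ($username === '' || !filter_var($email, FILTER_VALIDATE_EMAIL) || strlen($password) < 8) {
        $error = 'Username, a valid email and a password of at least 8 characters are required.';
    } else {
        try {
            register($pdo, $username, $email, $password);
            header('Location: login.php'); // hypothetical login page
            exit;
        } catch (PDOException $ex) {
            // SQLSTATE 23000 = integrity constraint violation, e.g. a UNIQUE index on username/email
            if ($ex->getCode() !== '23000') {
                throw $ex;
            }
            $error = 'That username or email is already registered.';
        }
    }
}
?>
<form method="post" action="register.php">
    <input type="hidden" name="csrf" value="<?= e(csrf_token()) ?>">
    <?php if ($error !== ''): ?><p><?= e($error) ?></p><?php endif; ?>
    <input type="text" name="username" value="<?= e($username) ?>">
    <input type="email" name="email" value="<?= e($email) ?>">
    <input type="password" name="password">
    <button type="submit">Register</button>
</form>
```

The `login()` function is the counterpart a `login.php` would call with the posted username and password; on success it regenerates the session id before storing `$_SESSION['uname']`, which is the value the profile page in this thread reads. Catching SQLSTATE 23000 is also what turns the "duplicate info" error from the question into a normal validation message instead of a crash.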
Pascal Breitrück
Courses Plus Student 3,206 Points
Please upload your code to GitHub so we can see where the issue is.
Greets Pascal
Matthew Garza
26,312 Points
I think I know where the issue is, and maybe you can help me. I've hardly worked with PHP; I mainly stick to front-end development (HTML, CSS, JavaScript), but the user's 'list' in the table data isn't an array. What's the best method for making an array with MySQL? I've heard JSON and/or structuring the table differently than I have it. Right now the data table consists of a username, an email, and a list. I can post the code to GitHub, but it'll take a second, and I'm pretty sure you'll say something about the 'list', so I'll try to save us both some time.
Here is the PHP code for the form post in the user's profile. I've replaced the header with a success message and I get it, but nothing happens. No data goes to the database. It actually clears the data I've entered before running this file and nothing replaces it.
```php
<?php
// $host, $dbusername, $dbpassword and $dbname are expected to come from a config include.
session_start(); // needed before $_SESSION can be read

$list = filter_input(INPUT_POST, 'list');
$user = $_SESSION['uname'];

// Create connection
$conn = mysqli_connect($host, $dbusername, $dbpassword, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

// $list and $user are interpolated straight into the SQL text, so a quote in the
// posted value changes the query (SQL injection); see the prepared-statement advice below.
$sql = "UPDATE `users` SET `list` = '$list' WHERE `users`.`username` = '$user'";
if (mysqli_query($conn, $sql)) {
    header('Location: profile.php');
    exit; // stop the script after the redirect header
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
```
Pascal Breitrück
Courses Plus Student 3,206 Points
Hey,
I tried the script with two strings:
```php
<?php
// Test values substituted for the POST field and the session username
$list = "input pascal";
$user = "pascal";

// Create connection (local test database: host, user, empty password, database name)
$conn = mysqli_connect("127.0.0.1", "root", "", "users");
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "UPDATE `users` SET `list` = '$list' WHERE `username` = '$user'";
if (mysqli_query($conn, $sql)) {
    header('Location: profile.php');
    exit;
} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
mysqli_close($conn);
```
After the WHERE I deleted the `users`.
The UPDATE was working.
But you should use PDO and prepared statements to prevent SQL injection. For arrays in the database, the type DC2JSON will work fine.
Greets Pascal
Matthew Garza
26,312 Points
Yes, thank you for your help. I figured out that the form input attribute "name" (on the profile page) had single quotes; it needed double quotes. You made me think of it when you said you used double-quoted strings for the $list and $user variables.
Could you point out some literature or something so I can reconfigure my code to prevent SQL injections? I'm building and designing this thing by myself for personal use, so I have a list bigger than my arm of bugs to fix :) What's one more, lol.
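The two open points in this thread, storing the list as an array and rewriting the UPDATE so it cannot be injected, as one added example that is not code from the thread or from the asker's project. It is the profile page with PDO prepared statements and the list kept as a JSON array in the `list` column (a TEXT column works; MySQL 5.7.8+ also has a native JSON type). It assumes the `users` (username, email, list) table from the question, placeholder DSN and credentials, a hypothetical `login.php`, and PHP 7.4+ for the arrow function:

```php
<?php
// Added example, not code from the thread. Rewrites the profile UPDATE with PDO
// prepared statements and stores the grocery list as a JSON array in the `list`
// column. Table layout as in the question: `users` (username, email, list).
// The DSN and credentials are placeholders for your own config.
session_start();

if (!isset($_SESSION['uname'])) {
    header('Location: login.php'); // hypothetical login page
    exit;
}
$user = $_SESSION['uname'];

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=users;charset=utf8mb4',
    'dbuser',
    'dbpassword',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares; values never touch the SQL text
    ]
);

// Load the stored list. The column holds a JSON array, or NULL for a new user.
$stmt = $pdo->prepare('SELECT `list` FROM `users` WHERE `username` = ?');
$stmt->execute([$user]);
$row   = $stmt->fetch(PDO::FETCH_ASSOC);
$items = ($row && $row['list'] !== null) ? json_decode($row['list'], true) : [];
if (!is_array($items)) {
    $items = []; // malformed stored value: start from an empty list rather than crash
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // CSRF: the form must echo back the per-session token (hash_equals is constant-time)
    if (!isset($_SESSION['csrf'], $_POST['csrf']) || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }

    $action = filter_input(INPUT_POST, 'action') ?? 'add';
    $item   = trim((string) filter_input(INPUT_POST, 'item'));

    // preg_match with /u returns 1 only for valid UTF-8, which json_encode requires
    if ($action === 'add' && $item !== '' && strlen($item) <= 200 && preg_match('//u', $item) === 1) {
        $items[] = $item;
    } elseif ($action === 'delete') {
        // Drop every copy of the item; array_values re-indexes so json_encode still emits an array, not an object
        $items = array_values(array_filter($items, fn ($i) => $i !== $item));
    }

    // Placeholders send the values separately from the statement, so a quote,
    // backslash or "-- " inside $item cannot change what the UPDATE does.
    $stmt = $pdo->prepare('UPDATE `users` SET `list` = :list WHERE `username` = :user');
    $stmt->execute([
        ':list' => json_encode($items, JSON_THROW_ON_ERROR),
        ':user' => $user,
    ]);

    header('Location: profile.php');
    exit;
}

// Render the list. Escape each item so a stored "<script>" is displayed, not executed (XSS).
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
echo '<ul>';
foreach ($items as $item) {
    $safe = htmlspecialchars($item, ENT_QUOTES, 'UTF-8');
    echo "<li>$safe <form method=\"post\"><input type=\"hidden\" name=\"csrf\" value=\"$token\">"
       . "<input type=\"hidden\" name=\"action\" value=\"delete\"><input type=\"hidden\" name=\"item\" value=\"$safe\">"
       . '<button type="submit">delete</button></form></li>';
}
echo '</ul>';
echo "<form method=\"post\"><input type=\"hidden\" name=\"csrf\" value=\"$token\">"
   . '<input type="text" name="item" maxlength="200"><button type="submit">add</button></form>';
```

Each request reads the stored JSON, changes the PHP array, and writes the whole array back, which is why the earlier UPDATE "wiped" the mock data: that version replaced the column with a single posted string. A value such as `'); DROP TABLE users; --` posted as `item` is stored as a harmless list entry here, because it is bound as data rather than pasted into the statement.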