Welcome to the Treehouse Community

The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.

PHP

php mysql question

Im developing a site where a user can register, login, and create a list( in the users profile ). The list is like a grocery list that'll be added and deleted to. I have the register and log in part down, but I can't get the users entered data into the users list. I've tried INSERT INTO and that isn't working. I get an error of duplicate info. The closest ive gotten was with UPDATE but that just wipes the mock data I previously entered into the data base and doesnt display after entered. Any tips or has anyone done something similar?

4 Answers

Pascal Breitrück
PLUS
Pascal Breitrück
Courses Plus Student 3,205 Points

There are some topic’s you should learn to secure your application.

  1. SQL Injection
  2. XXS (Cross-Side-Scripting)
  3. CRSF (Cross-Side-Forgery) 4.Password Hashing 5.Session Hijacking ....... and so on.

Here some Resources

https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software

https://php.net/manual/en/security.php

https://phpsecurity.readthedocs.io/en

If you are understanding OOP, look for Doctrine 2 that‘s an ORM for database communication . You will love it 😊.

Greets Pascal

Pascal Breitrück
PLUS
Pascal Breitrück
Courses Plus Student 3,205 Points

Please upload your Code on Github to see where the issue is .

Greets Pascal

I think i know where the issue is and maybe you can help me. Ive hardly worked with php, i mainly stick to front end development(html, css, javascript) , but the users 'list' in the table data isnt an array. Whats the best method for making an array with mysql. ive heard JSON and/or structuring the table differently then i have it. Right now the data table consist of a username, a email, and a list. I can post the code to github but it'll take a second and im pretty sure you'll say something about the 'list' So ill try to save us both some time.

here is the php code for the form post in the users profile. Ive replaced the header with a successful message and i get it but nothing happens. No data goes to the database. It actually clears the data ive enter before running this file and nothing replaces it.

$list = filter_input(INPUT_POST, 'list');

$user = $_SESSION['uname'];
// Create connection
$conn = mysqli_connect($host, $dbusername, $dbpassword, $dbname);
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "UPDATE `users` SET `list` = '$list' WHERE `users`.`username` = '$user'";

if (mysqli_query($conn, $sql)) {
  header('Location: profile.php');

} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

mysqli_close($conn);
Pascal Breitrück
PLUS
Pascal Breitrück
Courses Plus Student 3,205 Points

Hey,

I tried the script with two string's

$list = "input pascal";
$user = "pascal";

// Create connection
$conn = mysqli_connect("127.0.0.1", "root", "", "users");
// Check connection
if (!$conn) {
    die("Connection failed: " . mysqli_connect_error());
}

$sql = "UPDATE `users` SET `list` = '$list' WHERE `username` = '$user'";

if (mysqli_query($conn, $sql)) {
    header('Location: profile.php');

} else {
    echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}

mysqli_close($conn);

after the WHERE i delete the users

The UPDATE was working.

But you should use PDO and prepared statements to prevent SQL Injection, arrays in the Database the type DC2JSON will work fine .

Greets Pascal

Yes, thank you for your help. I figured out on the form input attr "name" (on the profile page), it had single quotes, it needed dub quotes. You made me think of it when you said you used dub strings on the $list and $user variable.

Could you point out some literature or something so i can reconfigure my code to prevent sql injections. i'm building and designing this thing by myself for personal use, so I have a list bigger then my arm of bugs to fix : ) whats one more lol