PHP Mysql select is only showing one row -


i trying make page of tv series. somehow page shows 1 row seasons, 5 in database.

$sql = "select * `shows` url='".dburl($_get["url"])."'"; $result = $conn->query($sql);  if ($result->num_rows > 0) {     while($row = $result->fetch_assoc()) {      // general info tv show here          $sql = "select * seasons `show`='".$row["id"]."' order number asc";         $result = $conn->query($sql);          if ($result->num_rows > 0) {             while($seasons = $result->fetch_assoc()) {              // seasons                  $sql= "select * episodes `show`='".$row["id"]."' , `season`='".$seasons["number"]."' order number desc";                 $result = $conn->query($sql);                  if ($result->num_rows > 0) {                     while($episodes = $result->fetch_assoc()) {                          // episodes, sorted season                      }                 }              }         }      } } 

is there change overlooked something? episodes part works fine, shows episodes in season.

i suggest data in 1 mysql query, use proper variable escaping , code simpler , more readable 1 got. maybe gonna make fewer mistakes having better coding:

$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db");  /* check connection */ if (mysqli_connect_errno()) {     printf("connect failed: %s\n", mysqli_connect_error());     exit(); }    $sql = "select * `shows` sh          join `seasons` se.show on sh.id          join `episodes` e on e.show = se.id , e.season = e.number          url=?          order se.number, e.number";    /* prepare statement */   $stmt = $conn->prepare($sql);   if($stmt === false) {     trigger_error('wrong sql: ' . $sql . ' error: ' . $conn->errno . ' ' .$conn->error, e_user_error);   }     /* bind parameters. types: s = string, = integer, d = double,  b = blob */    $stmt->bind_param('s', dburl($_get["url"]));    /* execute statement */   $stmt->execute();    /* fetch result array */   $res = $stmt->get_result();   while($row = $res->fetch_array(mysqli_assoc)) {      array_push($a_data, $row);   }    /* close statement */   $stmt->close(); }  /* close connection */ $mysqli->close(); 

justification or explanation:

never concatenate or interpolate data in sql

never build string of sql includes user data, either concatenation:

$sql = "select * users username = '" . $username . "';";

or interpolation, same:

$sql = "select * users username = '$username';";

if '$username' has come untrusted source (and must assume has, since cannot see in source code), contain characters such ' allow attacker execute different queries 1 intended, including deleting entire database etc. using prepared statements , bound parameters better solution. php's mysqli , pdo functionality includes feature (see below).

from owasp: php security sheet


Comments

Popular posts from this blog

qt - Using float or double for own QML classes -

Create Outlook appointment via C# .Net -

ios - Swift Array Resetting Itself -