PHP Mysql select is only showing one row -
i trying make page of tv series. somehow page shows 1 row seasons
, 5 in database.
$sql = "select * `shows` url='".dburl($_get["url"])."'"; $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { // general info tv show here $sql = "select * seasons `show`='".$row["id"]."' order number asc"; $result = $conn->query($sql); if ($result->num_rows > 0) { while($seasons = $result->fetch_assoc()) { // seasons $sql= "select * episodes `show`='".$row["id"]."' , `season`='".$seasons["number"]."' order number desc"; $result = $conn->query($sql); if ($result->num_rows > 0) { while($episodes = $result->fetch_assoc()) { // episodes, sorted season } } } } } }
is there change overlooked something? episodes
part works fine, shows episodes in season.
i suggest data in 1 mysql query, use proper variable escaping , code simpler , more readable 1 got. maybe gonna make fewer mistakes having better coding:
$mysqli = new mysqli("localhost", "my_user", "my_password", "my_db"); /* check connection */ if (mysqli_connect_errno()) { printf("connect failed: %s\n", mysqli_connect_error()); exit(); } $sql = "select * `shows` sh join `seasons` se.show on sh.id join `episodes` e on e.show = se.id , e.season = e.number url=? order se.number, e.number"; /* prepare statement */ $stmt = $conn->prepare($sql); if($stmt === false) { trigger_error('wrong sql: ' . $sql . ' error: ' . $conn->errno . ' ' .$conn->error, e_user_error); } /* bind parameters. types: s = string, = integer, d = double, b = blob */ $stmt->bind_param('s', dburl($_get["url"])); /* execute statement */ $stmt->execute(); /* fetch result array */ $res = $stmt->get_result(); while($row = $res->fetch_array(mysqli_assoc)) { array_push($a_data, $row); } /* close statement */ $stmt->close(); } /* close connection */ $mysqli->close();
justification or explanation:
never concatenate or interpolate data in sql
never build string of sql includes user data, either concatenation:
$sql = "select * users username = '" . $username . "';";
or interpolation, same:
$sql = "select * users username = '$username';";
if '$username' has come untrusted source (and must assume has, since cannot see in source code), contain characters such ' allow attacker execute different queries 1 intended, including deleting entire database etc. using prepared statements , bound parameters better solution. php's mysqli , pdo functionality includes feature (see below).
from owasp: php security sheet
Comments
Post a Comment