
I am trying to show all of the users from the database, and add table data for each user, so I think I have a syntax problem with my HTML code in the PHP variable.


include('connection.php');
session_start();

$userId=$_SESSION['userId'];
$sql="SELECT* FROM user WHERE user_id !='$userId'";

$query=mysqli_query($conn,$sql);


$output ='<table class ="table table-bordered table-striped">
    <tr>
        <td>Username</td>
        <td>Status</td>
        <td>Status</td>
    </tr>
    ';

while($result=mysqli_fetch_assoc($query)) // THIS LOOP IS WORKING FINE BUT WHEN I TRY TO ADD TABLE COLUMS I GOT ERROR
{

    $output .= '
    <tr>
        <td>'.$result['user_name'].'</td>
        <td>/<td>
        <td><button type="button" class="btn btn-info btn-xs start_chat" data-touserid=" '$result['user_name']' ">Start Chat</button></td>
    </tr>
    ';

}

$output .= '</table>';
echo $output;


?>
  • What's the error message you are getting? Commented May 6, 2019 at 19:50
  • fetch_user.php:1 Failed to load resource: the server responded with a status of 500 (Internal Server Error) Commented May 6, 2019 at 19:51
  • Furkan, that's what your browser says because the error is not sent to the browser due to security issues. You will need to make sure that error logging is enabled and you check the error logs on your server to find out what the problem is. Commented May 6, 2019 at 19:57
  • You are missing a proper string concatenation at "data-touserid=" Commented May 6, 2019 at 19:58

1 Answer

There's a big problem with this code.

Creating a SQL query with a string is very dangerous. You're creating an injection vulnerability with that UserID session parameter. You're using MySQLi, which supports parameterized queries; that will solve your injection problem.

You've also typo'd your second bit of string concatenation, and you close your table tag but never open it up.

Try this out instead:

<?php
include('connection.php');
session_start();

// Read the session value before binding it to the statement
$userId = $_SESSION['userId'];

$stmt = $conn->prepare("SELECT * FROM user WHERE user_id != ?");
$stmt->bind_param("i", $userId);
$stmt->execute();
$result = $stmt->get_result();   // requires the mysqlnd driver

$output = '<table>';

while($row = $result->fetch_assoc())
{
    $output .= '
    <tr>
        <td>'.$row['user_name'].'</td>
        <td></td>
        <td><button type="button" class="btn btn-info btn-xs start_chat" data-touserid="'.$row['user_name'].'">Start Chat</button></td>
    </tr>
    ';
}

$output .= '</table>';
echo $output;
?>

This will use a prepared statement to prevent SQL injection, and return the results into an associative array that you can search just the same as your earlier query. I suggest reading the entire website beaver article on the subject, it will educate you very well on what you are trying to do.
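As an added example that is neither the question's nor the answer's code: the same fetch_user.php logic written as a function that binds the session user id as an integer parameter, escapes every database value before it is placed in markup (the user name is echoed straight into HTML and into an attribute on this page, which is a second injection point), and switches mysqli into exception mode so a failing query is logged with its real message instead of surfacing only as the blank HTTP 500 mentioned in the comments. It assumes connection.php defines an open mysqli connection in $conn and that the table and column names (user, user_id, user_name) are as on the page; the function name renderUserTable and the helper h are made up here.

```php
<?php
declare(strict_types=1);

// Report mysqli failures as exceptions. Set this before connecting so that
// connection errors are covered too; the message then reaches the error log.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

require 'connection.php';   // assumed to define $conn (mysqli), as on the page

/** Escape a value for HTML text content or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Return the "other users" table as an HTML string.
 * $currentUserId is bound as an integer parameter, so whatever the session
 * holds can only ever be compared as a value, never change the query text.
 */
function renderUserTable(mysqli $conn, int $currentUserId): string
{
    $stmt = $conn->prepare('SELECT user_id, user_name FROM user WHERE user_id != ?');
    $stmt->bind_param('i', $currentUserId);
    $stmt->execute();
    $result = $stmt->get_result();   // needs the mysqlnd driver

    $html = '<table class="table table-bordered table-striped">'
          . '<tr><td>Username</td><td>Status</td><td>Chat</td></tr>';

    while ($row = $result->fetch_assoc()) {
        // Every value read from the database is escaped before it is put in
        // markup: a user name containing < or " is rendered as text rather
        // than breaking out of the cell or the data-touserid attribute.
        $name = h((string) $row['user_name']);
        $html .= '<tr>'
               . '<td>' . $name . '</td>'
               . '<td></td>'
               . '<td><button type="button" class="btn btn-info btn-xs start_chat" data-touserid="'
               . $name . '">Start Chat</button></td>'
               . '</tr>';
    }
    $stmt->close();

    return $html . '</table>';
}

// Usage, mirroring the page's fetch_user.php
session_start();
if (!isset($_SESSION['userId'])) {
    http_response_code(401);   // not logged in: do not run the query at all
    exit;
}
echo renderUserTable($conn, (int) $_SESSION['userId']);
```

The cast to int before the call is deliberate: bind_param with "i" already sends the value as an integer, and the type declaration on the function makes a non-numeric session value fail loudly at the call site instead of silently becoming 0.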


1 Comment

Thank you so much for giving this important SQL injection information. I will try to write my code according to this information. Thank you so much.
