
I'm implementing a friends list system on my site, and I've gotten it to display friends' names that have accepted (therefore accepted has a value of 1), and when I visit dummy accounts I can see their friends, but when I am logged in as a dummy account I can see either. I even manually changed the user_id in the database to "1" and then logged out and in and discovered it's only working with a user_id of 1. Here is the code. Also it's not MYSQLI yet, that's my next step.

<h1>Friends</h1>

<?php
$user_id = user_id_from_username($username);
if($_SESSION['user_id'] == $user_id){
    $logged_user_id = $_SESSION['user_id'];

    $result = mysql_query("SELECT * FROM `friends` WHERE `friend_id`='{$logged_user_id}' AND `user_id`!='{$logged_user_id}' AND `accepted`='1'");
    while ($row = mysql_fetch_array($result)){  
        $friend_id = $row['user_id'];

        /*Get friend details*/
        $fetch_details = mysql_fetch_object(mysql_query("SELECT * FROM `users` WHERE `user_id`='{$friend_id}'"));

        echo $fetch_details->username;
        echo '<br/>';
    }
} 
else if($_SESSION['user_id'] != $user_id){
    $user_id = user_id_from_username($username);
    $logged_user_id = $user_id;

    $result = mysql_query("SELECT * FROM `friends` WHERE `user_id`='{$logged_user_id}' AND `friend_id`!='{$logged_user_id}' AND `accepted`='1'");
    while ($row = mysql_fetch_array($result)){  
        $friend_id = $row['friend_id'];

        /*Get friend details*/
        $fetch_details = mysql_fetch_object(mysql_query("SELECT * FROM `users` WHERE `user_id`='{$friend_id}'"));

        echo $fetch_details->username;
        echo '<br/>';
    }
}
?>

TABLES

FRIENDS
id(AI)
user_id
friends_id
datemade
accepted(enum 0, 1)

USERS
user_id(AI)
username
profile
active
user2571547
  • while waiting for a real answer to your question, you should read http://stackoverflow.com/q/12859942/2536029 – mnagel Jul 31 '13 at 12:27
  • I don't know if it could be the problem, but is the field `accepted` an `integer` or a `string`? If `int` try to remove the quote – Razorphyn Jul 31 '13 at 12:31
  • @Dheed MySQL autoconverts the value to `int` once it sees the data type of the field on the left side of the `=` – ಠ_ಠ Jul 31 '13 at 12:36
  • @ಠ_ಠ Thanks, I didn't know it! – Razorphyn Jul 31 '13 at 12:37
  • accepted is enum, 0 or 1 – user2571547 Jul 31 '13 at 12:38
  • "Also it's not MYSQLI yet, that's my next step" Why waste the time to code it using outdated and potentially insecure methods and then "hopefully" get round to changing it later when you could just do it right the first time? Besides you are much better off using something like PDO or a DB abstraction layer which gives you much more flexibility in future without having to change every single query dotted all over the code base – Anigel Jul 31 '13 at 12:46
  • Post your table structure with some data – Sherin Jose Jul 31 '13 at 12:47
  • Anigel, I am learning php/mysql from scratch, there are currently a lot more mysql tutorials and information than mysqli, I figured learn how to walk then learn to run. I'll add table structures in OP. – user2571547 Jul 31 '13 at 12:54

2 Answers


In your first SQL query you use the same variable twice to filter:

`friend_id`='{$logged_user_id}' AND `user_id`!='{$logged_user_id}'

This will probably not give you the expected results.

You could add print_r($row) to check if you get the expected results from your database to make sure your queries do as you want them to.

Bjorn 'Bjeaurn' S

It's better to use one query instead of queries in a loop.

You can write:

SELECT f.*, u.* FROM `friends` f LEFT JOIN `users` u ON (u.user_id = f.friend_id) WHERE f.`user_id`='{$logged_user_id}' AND f.`friend_id`!='{$logged_user_id}' AND f.`accepted`='1'

Also skip if($_SESSION['user_id'] != $user_id), it'll always be true if the session var wasn't equal to $user_id. Less code, less bugs.

Edit: From where are you getting $username?

Elon Than
  • username is in the users table, I updated my OP and listed table structure. – user2571547 Jul 31 '13 at 12:56
  • @user2571547 I mean `$username` variable used in `user_id_from_username($username)`. I don't see any declaration of it. – Elon Than Jul 31 '13 at 13:01
  • oh my mistake, it's in a functions include file... function user_id_from_username($username) { $username = sanitize($username); – user2571547 Jul 31 '13 at 13:04
  • @user2571547 Ok, we're closer :) I was talking about `$username` that you're passing to this function (not used inside this function). In 4th line of code that you posted here. – Elon Than Jul 31 '13 at 13:29
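
Added example, not code from the question or either answer: the friends lookup as a single PDO prepared statement with a JOIN, as the comments and the second answer suggest, with usernames escaped on output. It assumes an accepted row counts as a friendship for both users, uses the `friend_id` column name from the posted queries, and builds constructed sample rows in an in-memory SQLite database (needs the pdo_sqlite extension) so it runs offline.

```php
<?php
// Added example (not the poster's code). Constructed schema and rows in an
// in-memory SQLite database so it runs offline; column names follow the
// queries in the question (user_id, friend_id, accepted).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("CREATE TABLE friends (id INTEGER PRIMARY KEY, user_id INTEGER,
            friend_id INTEGER, accepted INTEGER)");
$pdo->exec("INSERT INTO users VALUES (1,'alice'), (2,'bob'), (3,'<b>carol</b>')");
$pdo->exec("INSERT INTO friends (user_id, friend_id, accepted)
            VALUES (1,2,1), (3,1,1), (2,3,0)");

/**
 * Usernames of accepted friends of $profileId, whichever side of the
 * friends row that user is on (assumption: friendship is mutual).
 * Every value is bound as a parameter, never interpolated into the SQL.
 */
function friends_of(PDO $pdo, int $profileId): array
{
    $sql = "SELECT u.username
              FROM friends f
              JOIN users u
                ON u.user_id = CASE WHEN f.user_id = :id_a
                                    THEN f.friend_id ELSE f.user_id END
             WHERE (f.user_id = :id_b OR f.friend_id = :id_c)
               AND f.accepted = 1
             ORDER BY u.username";
    $stmt = $pdo->prepare($sql);
    // Distinct placeholder names: reusing one named placeholder is not
    // portable across PDO drivers when emulated prepares are off.
    foreach ([':id_a', ':id_b', ':id_c'] as $placeholder) {
        $stmt->bindValue($placeholder, $profileId, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach ([1, 2, 3] as $id) {
    echo "Friends of user $id:\n";
    foreach (friends_of($pdo, $id) as $name) {
        // Escape on output: usernames are user-controlled data.
        echo '  ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "<br/>\n";
    }
}
```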