
I'm trying to print the value of the database row in an input field, but I failed. The code runs, and no error is displayed.

How can I show the data in the input values?

Class file

public function getDatas($field, $id) {
    if ($result = $this->db->query("SELECT $field FROM user WHERE id = $id")) {
        if ($result->num_rows) {
            while ($string = $result->fetch_assoc()) {
                $value = $string[$field];
            }
            return $value;
        }
        $result->free();
    }
}

HTML

<?php
  $user = new User;

?>

<input class="form-control" type="text" id="name" name="name" value="<?php echo $user->getDatas('name', $_SESSION['id']);?>" required autocomplete="off">

<?php unset($user);?>
AlexDoria
  • I'm really not sure what you're asking... the title and the body are very different. Is there a problem with the code? Or are you asking for solutions? – hichris123 Feb 12 '14 at 22:32
  • Other than this being a potential SQL injection problem, try adding quotes around $id, so ...WHERE id = \"$id\" – SyntaxLAMP Feb 12 '14 at 22:35
  • What is wrong in my code? I need solutions, man ): – AlexDoria Feb 12 '14 at 22:36
  • **By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. My site http://bobby-tables.com/php has examples to get you started, and [this question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. – Andy Lester Feb 12 '14 at 22:40
  • @Andy Lester: "By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks" --- you're overdramatizing and confusing newbies. It's just *not correct* to say that using some data from outside leads to sql injections. – zerkms Feb 12 '14 at 22:42
  • @AlexDoria: Btw, what is `$valor->free()` – zerkms Feb 12 '14 at 22:53
  • You can use data from the outside. You just don't build SQL statements with it. – Andy Lester Feb 12 '14 at 23:08
  • @Andy Lester: "You just don't build SQL statements with it" --- there is nothing wrong with it. `id = ' . (int)$id` - the `$id` comes from outside and there are no issues with this usage. PS: I don't even mention that you need to escape **ALL** strings, not only ones that come from outside. Your site is useful indeed, but you're spreading some weird misunderstandings here in the comments. – zerkms Feb 12 '14 at 23:12
  • @AlexDoria: it is still strange. **WHY** do you run `free()` there? – zerkms Feb 12 '14 at 23:15
  • To free the memory associated with a result after checking if $result exists, @zerkms. Do you think that it's wrong? Why? – AlexDoria Feb 13 '14 at 03:29
  • @AlexDoria: `if ($result->num_rows) {` is true - it's not invoked. – zerkms Feb 13 '14 at 03:32

1 Answer


In your code, you're retrieving the name but you're not saving it. You need to put it in a variable and then use that variable.

<?php
  $nameUser = new User;
  $name = $nameUser->getDatas('name', $_SESSION['id']);
?>

Then, in your HTML, use $name.

Anid Monsur
  • When I just print the variable without checking if the variable is set, then this error appears: Catchable fatal error: Object of class Usuario could not be converted to string – AlexDoria Feb 12 '14 at 22:56
  • You can add a call to `isset()` in there if needed. As I said in the answer though, I think the main issue is that your call to `getDatas()` was returning a string, but you were not storing it. – Anid Monsur Feb 12 '14 at 22:58
  • When I tried it the way you advised me, the getDatas() function returns the parameter name itself, "name", and not its "content" within the table. – AlexDoria Feb 21 '14 at 02:19
  • I found the bug! I needed to put backticks around the field in the select SQL: `$field` – AlexDoria Feb 21 '14 at 14:30
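A hardened version of the lookup, added here as an example (not the asker's or answerer's code), that covers both the injection point raised in the question's comments and the backtick fix from the last comment: the column name is checked against an allowlist and quoted as an identifier, the id is bound as an integer rather than interpolated, and the value is escaped before it is echoed into the input attribute. It assumes PHP 8 with mysqli on the mysqlnd driver (for get_result()), placeholder connection credentials, and a `user` table whose column names match the allowlist.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes PHP 8, a mysqli
// connection on mysqlnd (for get_result()) and that `user` has the columns
// listed in ALLOWED_FIELDS (assumed names).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make DB errors visible

class User
{
    // A column name cannot be a bound parameter, so it must come from a
    // fixed allowlist rather than straight from the caller.
    private const ALLOWED_FIELDS = ['name', 'email'];

    public function __construct(private mysqli $db) {}

    public function getData(string $field, int $id): ?string
    {
        if (!in_array($field, self::ALLOWED_FIELDS, true)) {
            throw new InvalidArgumentException("Unknown field: $field");
        }
        // Backticks mark $field as an identifier (the fix the asker found);
        // single quotes would select the literal string 'name' instead.
        $stmt = $this->db->prepare("SELECT `$field` FROM `user` WHERE id = ? LIMIT 1");
        $stmt->bind_param('i', $id); // id is bound as an integer, never interpolated
        $stmt->execute();
        $result = $stmt->get_result();
        $row = $result->fetch_assoc(); // null when no row matched
        $result->free();
        $stmt->close();
        return $row === null ? null : (string) $row[$field];
    }
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder credentials
$user = new User($db);
$name = $user->getData('name', (int) ($_SESSION['id'] ?? 0));
?>
<!-- Escape for the attribute context, so a name such as O'Malley or one
     containing a double quote cannot break out of value="..." -->
<input class="form-control" type="text" id="name" name="name"
       value="<?= htmlspecialchars($name ?? '', ENT_QUOTES, 'UTF-8') ?>"
       required autocomplete="off">
```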