Is there a more efficient way to do this PHP code

Question

This code works and is fine, but I was wondering if there was an easier way to code something like this?

<?php
while($rows=mysql_fetch_array($result)){
$pid=$rows['id'];
$d = $rows['date'];
echo '<style>tr, td {border:0;} #dat{text-align:right;} #co {background-color:#33B533;}        </style>';
echo '<div id="postd">';
echo '<table id="mdata">';
echo '<tr>';
echo '<td>';
echo '<a href="profile.php?name=';
echo $rows['name'];
echo '">' . $rows["name"] . '</a>';
echo '</td>';
echo '<td id="dat">';
echo $result7 = nicetime($d);
echo '</td>';
echo '</tr>';
echo '<tr>';
echo '<td>';
echo $rows['post'];
echo '</td>';
echo '<td id="dat">';
echo '<form method="post" action="delete.php">';
echo '<input type="hidden" value="';
echo $rows['id'] . '" name="id" />';
echo '<input id="sub" type="submit" name="delete" value="Delete" />';
echo '</form>';
echo '<form method="post" action="edit.php">';
echo '<input type="hidden" value="';
echo $rows['id'] . '" name="id" />';
echo '<input id="sub" type="submit" name="edit" value="Edit" />';
echo '</form>';
echo '</td>';
echo '</tr>';
echo '<tr>';
echo '<td>';

$sql9 = "SELECT * FROM `like` WHERE postid='$pid' AND userid='$userid'";
$result9=mysql_query($sql9);

if($result9){
echo '<form method="post" action="like.php">';
echo '<input type="hidden" value="';
echo $rows['id'] . '" name="id" />';
echo '<input type="hidden" value="';
echo $userid . '" name="nid" />';
echo '<input id="sub" type="submit" name="like" value="Like" />';
echo '</form>';
}
echo '</td>';
echo '<td id="dat">';
if ($rows['like'] == 1) {
echo $rows['like'] . " Like";
} else if ($rows['like'] == 0) {
echo "";
} else {
echo $rows['like'] . " Likes";
}
echo '</td>';
echo '</tr>';
echo '</table>';
echo '</div>';

$sql2="SELECT * FROM comments WHERE postid='$pid' ORDER BY date ASC";
$result2=mysql_query($sql2);

while($rows2=mysql_fetch_array($result2)){
$c = $rows2['date'];
echo '<table id="co" border="1px solid black" width="250px" align="center">';
echo '<tr>';
echo '<td>';
echo $rows2['name'];
echo '</td>';
echo '<td id="dat">';
echo $result4 = nicetime($c);
echo '</td>';
echo '</tr>';
echo '<tr>';
echo '<td>';
echo $rows2['comment'];
echo '</td>';
echo '</tr>';
echo '</table>';
}

echo '<form action="addcomment.php" method="post">';
echo '<table id="co" border="1px solid black" width="250px" align="center">';
echo '<tr>';
echo '<td>';
echo '<textarea id="target" type="text" name="com" placeholder="Comment"></textarea>';
echo '</td>';
echo '<td>';
echo '<input type="submit" name="submit" value="Post">';
echo '</td>';
echo '</tr>';
echo '</table>';
echo '<input type="hidden" value="';
echo $rows['id'] . '" name="id" />';
echo '<input type="hidden" name="name" value="Jon" />';
echo '</form>';

echo '<br/>';


} 

?>

Basically I've created a Facebook type system. This spools the posts down in the order they are posted in the database. Check it out at http://bockhorst.comeze.com/Wall/wall.php Its still a work in progress. Also does anyone know a php compressor?

This question appears to be off-topic because it would be more appropriate for codereview.stackexchange.com — Barmar, Apr 09 '14 at 21:02
You are not required to echo all those tags separately. As a matter of fact, except for when you're actually using PHP code, you can write your HTML outside of the PHP tags without any echos at all. — Nicholas Flees, Apr 09 '14 at 21:02
A few links you'll want to look into before going too far. [**Use prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php), or [**PDO**](http://php.net/pdo) *Plus*, [**CRYPT_BLOWFISH**](http://security.stackexchange.com/q/36471) or PHP 5.5's [`password_hash()`](http://www.php.net/manual/en/function.password-hash.php) function. — Funk Forty Niner, Apr 09 '14 at 21:04
**By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. — Andy Lester, Apr 09 '14 at 21:05
general tip: you do NOT need to use a million echoes like that. If you want to dump out multiple lines of text, either break out of PHP mode, or use a [HEREDOC](http://php.net/heredoc) — Marc B, Apr 09 '14 at 21:05
While you do not need to echo the tags separately as @nickflees points out it renders a minimized code which loads faster — petebolduc, Apr 09 '14 at 21:07
A simple XSS code has been injected to your site. Very vulnerable. — Rahil Wazir, Apr 09 '14 at 21:10
[**XSS Wiki**](http://en.wikipedia.org/wiki/Cross-site_scripting). Think of what JavaScript will do if its embedded to your webpage? — Rahil Wazir, Apr 09 '14 at 21:15

score 3 · Answer 1 · answered Apr 09 '14 at 21:03

The more efficient way to do this is to use a proper development framework that provides some structure and cohesion to your code. What you have here is a stew of SQL, HTML, and code. It's extremely hard to maintain an application written like this.

Additionally you're using the woefully out of date mysql_query interface. Please, don't. It's terrible. You really should be using an ORM to handle your routine database interfacing, something like Doctrine or Propel. These make it easier to compose the queries correctly and deal with the data instead of being stuck trying to render all your application logic directly in SQL.

If you're dead-set on doing SQL by hand, PDO is the way to go.

Is there a more efficient way to do this PHP code

1 Answers1