
I have been working on making a social network similar to Facebook to use on my home server. However, I have come across a problem with displaying friend requests in the notifications tab of the user profile.

<?php
    //Check for notifications script
    $Request = "Requests";
    $Pending = "Pending";
    $nCheck = mysqli_query($Connect,"SELECT * FROM friends WHERE rTo = '$Uname' AND Status = '$Pending'");
    $nNum = mysqli_num_rows($nCheck);
    if($nNum != 0){
        if($nNum === 1){
            $Request = "Request";
        }
        else
        {
            $Request = "Requests";
        }
        echo"<p style=\"font-family: Tahoma; margin-left: 20px;\">You Have <b>$nNum</b> Friend $Request</p><hr />";
        while($row = mysqli_fetch_assoc($nCheck)){
            $dbFrom = $row['rFrom'];
            $dbId = $row['id'];
            $dbStatus = $row['Status'];
            for($i = 0; $i < 1; $i++){
                echo"<p style=\"font-family: Tahoma; margin-left: 20px;\">$dbFrom wants to be your friend <form action=\"\" method=\"POST\"><input type=\"submit\" name=\"A\" value=\"Accept\"></form> <form action=\"\" method=\"POST\"><input type=\"submit\" name=\"D\" value=\"Decline\"></form></p>";
            }
        }
    }
    else
    {
        echo "<p style=\"font-family: Tahoma; margin-left: 20px;\">You Have <b>0</b> Friend $Request</p>";
    }
    ?>

And then this is the form for the Accept / Decline:

<?php
    //Accept/Decline Friend Request Script
    $Accepted = @$_POST['A'];
    $Declined = @$_POST['D'];
    $A = "Accepted";
    $D = "Declined";
    if($Accepted){
        $addFriend = mysqli_query($Connect,"UPDATE friends SET Status = '$A' WHERE rTo = '$Uname' AND rFrom = '$dbFrom'");
        header("Location: Notification.php");
    }
    else if($Declined){
        $addFriend = mysqli_query($Connect,"UPDATE friends SET Status = '$D' WHERE rTo = '$Uname' AND rFrom = '$dbFrom'");
        header("Location: Notification.php");
    }
    ?>

The problem is that if more than one notification is present, the last notification will be the one that is accepted or declined. Please help, much appreciated.

Kara

3 Answers

  • Make use of prepared statements. You are not secured against SQL injection (more information: How can I prevent SQL injection in PHP?).
  • Don't use strings to set a status. Use a numeric value to define a status. That makes it a lot easier to handle.
  • Make use of single quotes ' to avoid having to escape all the double quotes " for HTML in your source code. There are alternative ways for string concatenation which are often recommended in coding guidelines.
  • Inline CSS formatting is deprecated. Use an external CSS stylesheet instead.
  • Don't get the entire dataset from your database when you're not in need of the complete dataset. Always only fetch the data you require. Using * is not recommended. E.g. you are not in need of $row['Status'] and $row['id'] but still save them in variables for no reason.
  • Don't use the @ operator. Validate your POST data instead.
  • Your for-loop doesn't make any sense. It won't ever have more than one run-through.
  • To solve your current major problem, I would assign IDs to friend requests in order to uniquely identify which friend request the system is currently dealing with.
  • Also, don't use the usernames in queries but the user ID. Otherwise, you will face issues in terms of database normalization.
  • There is no need to use header() to return to your notifications.php. You can easily proceed with building the notifications.php view after validating the POST data and updating your friend requests accordingly.
chrisp
    Typesafe comparison may not be required, but it's good to use it anyway. I agree about the rest though, so +1 from me :) – andyrandy Jul 20 '14 at 21:16
  • @luschn: Agreed, also read about the typesafe comparison's better performance. Makes sense to me now, I will fix my answer. – chrisp Jul 20 '14 at 21:58
  • Thanks for your feedback. Just so you can find some rationality behind my decisions, I don't worry about MySQL injections because it's a home server. Also I retrieved the whole dataset so it would be easier for me to add different aspects to the request; it would keep me from going back and adding it. And lastly, I had the for-loop there for experimentation purposes. Thanks again – Mr.Java Jr. Jul 20 '14 at 22:16

If both code samples exist in one file, that would explain your problem. You update your friends table:

$addFriend = mysqli_query($Connect,"UPDATE friends SET Status = '$A' WHERE rTo = '$Uname' AND rFrom = '$dbFrom'");

if the $dbFrom value comes from:

while($row = mysqli_fetch_assoc($nCheck)){
 $dbFrom = $row['rFrom'];

that means you just update the last row. I would suggest you post your $dbFrom too with those 2 forms.

PS: and start using PDO.


Also try using this:

$A = "Accepted";
$D = "Declined";
if($Accepted){
    $addFriend = mysqli_query($Connect,"UPDATE friends SET Status = '$A' WHERE  id='$dbId' AND rFrom = '$dbFrom'");
    header("Location: Notification.php");
}
else if($Declined){
    $addFriend = mysqli_query($Connect,"UPDATE friends SET Status = '$D' WHERE  id='$dbId' AND rFrom = '$dbFrom'");
    header("Location: Notification.php");
}
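
Putting the three answers together, here is an added example of what a single Notification.php could look like; it is not code from the question or from any of the answers. It carries each request's id in its own form (the fix all three answers point at), validates the POST data instead of using @, uses prepared statements, fetches only the columns the view needs, and drops the header() round-trip into the view. The security point the third answer's query misses: the UPDATE is bound to the logged-in recipient (rTo = ?) and to Status = 'Pending', so a user who edits the hidden request_id can still only touch requests addressed to themselves. Assumptions: $Connect is an open mysqli connection using mysqlnd (needed for get_result()), the logged-in username is stored in $_SESSION['Uname'], the friends table has the columns id, rFrom, rTo, Status from the question, the status values stay strings as in the question, and the class name notice refers to a stylesheet of your own. The CSRF token and the htmlspecialchars() on output are added because the original forms have neither.

```php
<?php
// Added example, not the asker's or any answerer's code. Assumptions: $Connect is an
// open mysqli connection (mysqlnd), the logged-in username is in $_SESSION['Uname'],
// and table `friends` has columns id, rFrom, rTo, Status as in the question.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query failures throw

$Uname = $_SESSION['Uname'] ?? null;
if ($Uname === null) {
    http_response_code(403);
    exit('Not logged in');
}

// Per-session CSRF token: a state-changing POST without one could be submitted by
// any page the user visits while logged in.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(400);
        exit('Bad request');
    }
    // Validate the POST data instead of trusting it with @: the request id must be a
    // positive integer and the action one of two known values.
    $id = filter_input(INPUT_POST, 'request_id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    $action = (string) ($_POST['action'] ?? '');
    $newStatus = ['accept' => 'Accepted', 'decline' => 'Declined'][$action] ?? null;
    if ($id === false || $id === null || $newStatus === null) {
        http_response_code(400);
        exit('Bad request');
    }
    // The WHERE clause binds the row to the logged-in recipient and to the pending
    // state: editing the hidden request_id cannot reach another user's requests or
    // re-decide one that was already answered.
    $stmt = $Connect->prepare(
        "UPDATE friends SET Status = ? WHERE id = ? AND rTo = ? AND Status = 'Pending'"
    );
    $stmt->bind_param('sis', $newStatus, $id, $Uname);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    if ($changed !== 1) {
        http_response_code(404);
        exit('No such pending request');
    }
    // Post/Redirect/Get so that a browser refresh does not resubmit the form.
    header('Location: Notification.php', true, 303);
    exit;
}

// Fetch only the columns the view needs, for this recipient only.
$stmt = $Connect->prepare(
    "SELECT id, rFrom FROM friends WHERE rTo = ? AND Status = 'Pending'"
);
$stmt->bind_param('s', $Uname);
$stmt->execute();
$requests = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

$n = count($requests);
printf('<p class="notice">You have <b>%d</b> friend %s</p><hr />',
       $n, $n === 1 ? 'request' : 'requests');

$csrf = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
foreach ($requests as $row) {
    // One form per request carrying that request's own id, so the handler no longer
    // depends on whichever row the display loop happened to see last. The username
    // is user-supplied data going into HTML, so it is escaped on output.
    $from = htmlspecialchars($row['rFrom'], ENT_QUOTES, 'UTF-8');
    $id = (int) $row['id'];
    echo '<form class="notice" action="" method="POST">'
       . "$from wants to be your friend "
       . '<input type="hidden" name="request_id" value="' . $id . '">'
       . '<input type="hidden" name="csrf" value="' . $csrf . '">'
       . '<button type="submit" name="action" value="accept">Accept</button> '
       . '<button type="submit" name="action" value="decline">Decline</button>'
       . '</form>';
}
```

Note the affected_rows check: when it is not exactly 1, either the id does not exist, belongs to another user's request, or was already answered, and all three cases are rejected the same way, so the response does not reveal which.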