
I am trying to select data from a database, dependent on the user and echo it in the html code, but for some reason it won't capture the data.. please see code below:

<?php

$loginuser = $_GET['uid'];

$check = mysql_query("select * from users where username='$loginuser'");
   while($row = mysql_fetch_array($check)){

  $result = $row['email'];
  $result = $row['firstname'];

 }

 ?>

<html>

<head>
    <title> SIAA Dashboard </title>
</head>

<body>
    <h1> User Dashboard </h1>
    <p> You should only see this screen if you are a registered user. </p>
    <?php
    echo "Your username is: " . $loginuser . "<br><br>";
    echo "Your first name is: " . $result=$row['firstname'] . " ";
    ?>


</body>

</html>

If someone could tell me what I'm doing wrong, it will be much appreciated!

Thanks

Sohail.

Sohail Arif
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Nov 03 '15 at 14:18
  • You need to establish a connection to mysql. Using mysql_* commands is a bad idea. Please use PDO or MySQLi – Fluinc Nov 03 '15 at 14:18
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Nov 03 '15 at 14:18
  • You really should not be writing code that relies on `mysql_` functions anymore. The MySQL extension has been deprecated for years and is about to be dropped in the upcoming PHP7 release later this year. Also see [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). On an up-to-date server, this code has a life span of about 2 months. Try PDO, which should also fix the SQL injection problem you seem to have. – Oldskool Nov 03 '15 at 14:18
  • @JayBlanchard I know it is, I can deal with that later.. this is just a test script and I'll look into it. – Sohail Arif Nov 03 '15 at 14:19

4 Answers

2

Besides the fact that your code is prone to SQL injection, as you do not sanitize the $_GET parameter 'uid' before inserting it in the query, and that you are using the deprecated mysql extension, your problem is the line

    echo "Your first name is: " . $result=$row['firstname'] . " ";

which should read

    echo "Your first name is: " . $row['firstname'];

Additionally, you did not establish a connection to the database.

dev0
  • Why is everyone attacking me for using an older version of PHP? I'm only testing stuff out to revise my memory. And your answer did not work. – Sohail Arif Nov 03 '15 at 14:22
  • As I said, you did not establish a database connection. – dev0 Nov 03 '15 at 14:34
2

A few notes:

  • Don't use mysql_... functions: they're deprecated. See the documentation
  • Check whether the input is supplied using isset: if uid is missing from $_GET the visitor will see a PHP warning.
  • Escape/sanitize user input! If anyone requests your php file with ?uid='; drop table users;-- you're going to have a problem!
  • If you expect 0 or 1 results, don't use a while loop
  • Better not use constructs like echo "foo" . $bar = $baz . "something";: it's unclear.

And a suggestion on how to structure your page:

<html>    
  <head>
    <title> SIAA Dashboard </title>
  </head>    
  <body>

<?php    
  $loginuser = isset( $_GET['uid'] ) ? $_GET['uid'] : null;

  if ( empty( $loginuser ) )
  {
     echo "Missing parameter!"; 
  }
  else
  {
    $check = mysql_query("select * from users where username='"
    . mysql_real_escape_string( $loginuser ) . "'" );
    if ( $row = mysql_fetch_array($check) )
    {
?>
      <h1> User Dashboard </h1>
      <p> You should only see this screen if you are a registered user. </p>
      Your username is: <?php echo $loginuser; ?>
      <br><br>
      Your first name is: <?php echo $row['firstname']; ?>
<?php
    }
    else
    {
      echo "Unknown user!";
    }
  }
?>
  </body>
</html>
Kenney
0

First, do not use mysql_* functions, and you need to create a mysql connection. This is still at risk for injection but should work.

<?php
$servername = "localhost";
$username = "username";
$password = "password";
$dbname = "myDB";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$loginuser = $conn->real_escape_string($_GET['uid']);

$sql = "SELECT * FROM `users` WHERE `username` = '$loginuser'";
$result = $conn->query($sql);

// Default so the echo below is defined even when the query fails or matches no row
$data = array('firstname' => '');
if ($result && $result->num_rows > 0) {
    $data = $result->fetch_assoc();
}
$conn->close();
?> 
<html>

<head>
    <title> SIAA Dashboard </title>
</head>

<body>
    <h1> User Dashboard </h1>
    <p> You should only see this screen if you are a registered user. </p>
    <?php
    echo "Your username is: " . $loginuser . "<br><br>";
    echo "Your first name is: " . $data['firstname'] . " ";
    ?>


</body>

</html>
Fluinc
0
<?php
/*
 * Best to start using PDO for the db. If I were you I would rewrite your entire db script and stay away from mysql_*.
 */

// Placeholder credentials: replace with your own values.
$DBusername = 'username';
$DBpassword = 'password';

$id = $_GET['uid'];
$loginuser = $id;
$row = null;
try {
    $conn = new PDO('mysql:host=localhost;dbname=myDatabase', $DBusername, $DBpassword);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The username is passed as a bound parameter, not spliced into the SQL string.
    $stmt = $conn->prepare('SELECT * FROM users WHERE username = :id');
    $stmt->execute(array('id' => $id));

    $result = $stmt->fetchAll();

    if ( count($result) ) {
        foreach($result as $row) {
            print_r($row); // $row gives you access to your variables.
        }
    } else {
        echo "No rows returned.";
    }
} catch(PDOException $e) {
    echo 'ERROR: ' . $e->getMessage();
}
?>

<html>

<head>
    <title> SIAA Dashboard </title>
</head>

<body>
    <h1> User Dashboard </h1>
    <p> You should only see this screen if you are a registered user. </p>
    <?php
    echo "Your username is: " . $loginuser . "<br><br>";
    echo "Your first name is: " . ($row ? $row['firstname'] : '') . " ";
    ?>


</body>

</html>
Noob
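A consolidated version of what the answers recommend (isset check, prepared statement, a single fetch instead of a while loop, escaped output), as an added example that is not code from the question or any answer. It assumes PHP 7.4+ with the pdo_sqlite extension and uses a constructed in-memory table in place of the MySQL database; only the DSN and credentials would change for a real server.

```php
<?php
// Added example, not code from the question or any answer. It assumes PHP 7.4+
// with the pdo_sqlite extension and uses a constructed in-memory table in place
// of the MySQL `users` table; in production only the DSN and credentials change.
declare(strict_types=1);

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    // Constructed sample rows standing in for the real database contents.
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, firstname TEXT, email TEXT)');
    $db->exec("INSERT INTO users VALUES ('sohail', 'Sohail', 'sohail@example.com')");
    return $db;
}

// Looks up one user. The username travels as a bound parameter, so the SQL text
// never changes no matter what the visitor typed. Returns null when no row matches.
function findUser(PDO $db, string $username): ?array {
    $stmt = $db->prepare('SELECT username, firstname, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();          // 0 or 1 rows expected, so no while loop
    return $row === false ? null : $row;
}

// Builds the dashboard fragment; every value is HTML-escaped before it is echoed.
function renderDashboard(PDO $db, array $get): string {
    $loginuser = isset($get['uid']) && is_string($get['uid']) ? trim($get['uid']) : '';
    if ($loginuser === '') {
        return '<p>Missing parameter!</p>';
    }
    $user = findUser($db, $loginuser);
    if ($user === null) {
        return '<p>Unknown user!</p>';
    }
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>User Dashboard</h1>'
         . '<p>Your username is: ' . $h($user['username']) . '</p>'
         . '<p>Your first name is: ' . $h($user['firstname']) . '</p>';
}

$db = connect();
echo renderDashboard($db, ['uid' => 'sohail']), "\n";
// The request string mentioned in Kenney's answer arrives as plain data: no row
// matches and the table is still there afterwards.
echo renderDashboard($db, ['uid' => "'; drop table users;--"]), "\n";
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " user row(s) still present\n";
```

Run it with `php dashboard.php`; the second call prints "Unknown user!" and the final count is still 1, which is the whole point of binding the parameter.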