0

I am having an issue with an inner join. In phpMyAdmin I have 3 tables: 1 - proyects 2 - users 3 - proyects-users (relation table)

I am sending an idproyects to PHP and I want to list all available users on that project. So...

    try {
        $conn = new PDO("mysql:host=$servername;dbname=$dbname", $dbuser, $dbpassword);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $stmt = $conn->prepare("SELECT * FROM users u INNER JOIN proyects-users pu on pu.id = u.id  WHERE pu.idproyect='$justavariable'");
        $stmt->execute();
        $result = $stmt->fetchAll();
    }

Utai Silva
  • What is the result you are getting now? – Akhilesh Jha May 24 '17 at 06:33
  • 2
    Your script is at risk of [SQL Injection Attack](https://stackoverflow.com/q/60174/5914775). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Just preparing your SQL query is not enough! You should also [parameterise](https://secure.php.net/manual/en/pdo.prepare.php#90209) your query. – Tom Udding May 24 '17 at 06:35
  • 1
    @TomUdding poor Bobby Tables, he gets blamed for so much, his working life must be horrific. I guess that's why he went off and invented **Tor** – Martin May 24 '17 at 06:39

1 Answer

1

You should be using parameters as indicated by other comments - but also you should avoid using '-' in any names in the database. So proyects-users would usually be proyects_users.
You could put quotes `proyects-users` around the name, but it's just not standard or convention to use '-' in any names.

You should also be checking that anything you do actually works, as any execute could fail for all sorts of reasons, so usually

    if ($stmt->execute()) {
        $result = $stmt->fetchAll();
    }

Nigel Ren
  • Thanks @NigelRen, really helped me out. I had some SQL errors, don't exactly remember which one. But now it works, thanks. – Utai Silva May 25 '17 at 07:12
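
The three points raised in the comments and the answer (bind the value as a parameter, backtick-quote the hyphenated table name, check that `execute()` succeeded) combined in one script. This is an added example, not code from the question or the answer; it assumes an in-memory SQLite database in place of the MySQL server so it runs offline, and the `name` column, the sample rows and the `usersOnProyect` helper are hypothetical.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server so the script
// runs offline; the "name" column and the sample rows are assumptions.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// Constructed sample data. The hyphenated table name only parses when quoted
// with backticks; unquoted, the hyphen is read as a minus operator.
$conn->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$conn->exec('CREATE TABLE `proyects-users` (id INTEGER, idproyect INTEGER)');
$conn->exec("INSERT INTO users VALUES (1, 'ana'), (2, 'luis'), (3, 'marta')");
$conn->exec('INSERT INTO `proyects-users` VALUES (1, 10), (2, 10), (3, 20)');

// Hypothetical helper: list the users linked to one proyect.
function usersOnProyect(PDO $conn, $idproyect): array
{
    // The value travels as a bound parameter, never as part of the SQL text.
    $stmt = $conn->prepare(
        'SELECT u.id, u.name
           FROM users u
          INNER JOIN `proyects-users` pu ON pu.id = u.id
          WHERE pu.idproyect = :idproyect
          ORDER BY u.id'
    );
    $stmt->bindValue(':idproyect', $idproyect);
    if (!$stmt->execute()) {   // still checked in case ERRMODE is not EXCEPTION
        return [];
    }
    return $stmt->fetchAll();
}

try {
    // Normal lookup for proyect 10.
    $rows = usersOnProyect($conn, 10);
    echo count($rows), " user(s) on proyect 10\n";

    // Constructed hostile input: interpolated into the SQL string it would
    // rewrite the WHERE clause; as a bound value it is only compared as data.
    $rows = usersOnProyect($conn, "10' OR '1'='1");
    echo count($rows), " user(s) for the hostile input\n";
} catch (PDOException $e) {
    // Log the detail server-side; do not echo SQL errors to the client.
    error_log($e->getMessage());
}
```

To run it against MySQL, replace the DSN with the `mysql:host=...;dbname=...` string and credentials from the question and drop the `CREATE TABLE`/`INSERT` lines.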