
I have a PHP-based webpage. This pulls product order history as follows:

    $sql = "SELECT * FROM products WHERE userid=$userid ";
    $result = mysqli_query($conn, $sql);
    if (mysqli_num_rows($result) > 0) {
        while ($row = mysqli_fetch_assoc($result)) {
            $product_name = $row["product_name"];
            $order_id = $row["order_id"];
        }
    }

If a user wants to view more information on an order, I use a form like this (which gets the product_id so I can pass it to the next page and then use it to call data from the SQL database):

    <input type='hidden' name='order_id' value='<?php echo htmlspecialchars($order_id); ?>'>

This means that the URL displayed is www.mywebsite.com/order (which opens order.php, which has the code above). It is not specific to the product/order. I see that all websites have something like www.website.com/myorders/order1A2312

- Do I need to make a new webpage each time? Because every time someone presses back it will display an error, as nothing is pushed during the button press.

Short question: Is it good practice to rely on a single PHP page to call data? Or shall I make it specific to a user and order?

joe m
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – mega6382 Oct 25 '17 at 05:53
  • I think you should look into routers. That way you can map URLs and URL-patterns to specific handlers/controllers. You might want to check out some framework as well that most likely already have all that. Alternatively, use a query string: `/myorders?order=1234` and then just get the order ID on your page with: `$orderId = $_GET['order']`. – M. Eriksson Oct 25 '17 at 05:58
  • IMHO, connecting to a database like this is boilerplate you should not be writing in most of the cases. A lot of PHP Frameworks and CMS will solve this issue for you with ease, leaving you time to code the business logic of your app – versvs Oct 25 '17 at 06:02
  • @versvs In all fairness, I do believe that all developers should build some applications using native PHP at some point. If not, you won't really know the language, but rather just the tools (framework/CMS). My motto is, learn the language first, _then_ make it easier using tools. Understanding the basics makes it easier to choose the right tool as well. – M. Eriksson Oct 25 '17 at 06:11
  • Yes. You don't necessarily need a framework to create a secure and user-friendly system. It's actually better to write native PHP and learn that way. Just as @MagnusEriksson said – Rotimi Oct 25 '17 at 06:14
  • @MagnusEriksson which framework would you suggest? Thanks for the help – joe m Oct 25 '17 at 06:20
  • @versvs didn't know there was something that does this for me. Can you recommend a framework for this? – joe m Oct 25 '17 at 06:21
  • I would suggest that you write down your requirements and use Google to find some that fit you. Suggesting software/tools/libraries etc. is actually off-topic for SO (since it's primarily opinion based). – M. Eriksson Oct 25 '17 at 06:21
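The two suggestions in the comments, a query-string order ID (`/order.php?order=1234`) and a prepared statement in place of string interpolation, fit together in one small page. The following is an added example, not the asker's code: a version of order.php that validates the order ID from the URL, binds the logged-in user's ID from the session instead of splicing it into the SQL text, and filters on both columns so that changing the number in the URL cannot reveal another user's order. The table and column names (`products`, `userid`, `order_id`, `product_name`) come from the question; `$conn` (a `mysqli` connection) and `$_SESSION['userid']` are assumed to be set up by the surrounding application.

```php
<?php
// Added example (not the original poster's code): order.php selecting a
// single order by query-string parameter through a prepared statement.
// Assumptions: $conn is an open mysqli connection created elsewhere, and
// the login code stores the current user's id in $_SESSION['userid'].
session_start();

if (!isset($_SESSION['userid'])) {
    http_response_code(401);
    exit('Please log in.');
}
$userid = (int) $_SESSION['userid'];

// Validate the order id from the URL (/order.php?order=1234) before it goes
// anywhere near the query: anything that is not a positive integer is rejected.
$orderId = filter_input(
    INPUT_GET,
    'order',
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]
);
if ($orderId === false || $orderId === null) {
    http_response_code(400);
    exit('Invalid order id.');
}

// Prepared statement: the SQL text is fixed and the values are sent
// separately, so neither $userid nor $orderId can alter the query's structure.
// Filtering on userid as well as order_id is the access-control check; the
// order id in the URL alone is not proof that the order belongs to this user.
$stmt = $conn->prepare(
    'SELECT order_id, product_name FROM products WHERE userid = ? AND order_id = ?'
);
$stmt->bind_param('ii', $userid, $orderId);
$stmt->execute();
$result = $stmt->get_result();

$row = $result->fetch_assoc();
$stmt->close();

if ($row === null) {
    // Same response whether the order does not exist or belongs to someone
    // else, so the page does not confirm which order ids are valid.
    http_response_code(404);
    exit('Order not found.');
}

// Escape on output so a product name stored in the database cannot inject HTML.
printf(
    '<h1>Order %s</h1><p>%s</p>',
    htmlspecialchars((string) $row['order_id'], ENT_QUOTES, 'UTF-8'),
    htmlspecialchars((string) $row['product_name'], ENT_QUOTES, 'UTF-8')
);
```

On the order-history page each row then links to `order.php?order=<?php echo (int) $order_id; ?>` rather than posting a hidden field, which is what makes the browser's back button and bookmarks work: the URL itself carries the order. `mysqli_stmt::get_result()` requires the mysqlnd driver, which is the default in current PHP builds; on an older build, `bind_result()` plus `fetch()` does the same job.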

0 Answers