
I am trying to get some comments from the db. I have created a counter that is set to 2

var limit=2;

Once the user clicks it, the comment count is set to 4, and the second time the counter value is 6, etc.

The problem is that when I click the button the first time, 6 records are displayed instead of 4.

$(document).ready(function(){
    var limit=2;
    $(document).on('click','.more',function(){
        limit=limit+2;
        $('#comments').load("loadComments.php",{
            limit:limit
        });
    });
});

This is loadComment.php:

$limit=$_POST["limit"];
$sql = "SELECT * FROM comments order by id desc limit  $limit ";
dhilt
  • use ajax to post – Niklesh Raut Aug 17 '18 at 16:26
  • Your code is vulnerable to SQL injection attack. You should use prepared statements. But, at least, use `$limit = (int)$_POST["limit"];` – Felippe Duarte Aug 17 '18 at 16:30
  • I am very new to programming thank you for suggestion – abuzer kadayıf Aug 17 '18 at 16:35
  • Can you perform some logging and check what limit value is sent to the server? Either console.log on the JavaScript side or just a normal echo in PHP in some kind of special div. Alternatively, you can do both and see if what jQuery sends is received by PHP – kks21199 Aug 17 '18 at 16:53
  • You should also format your SQL code so it is easy to read, plus nothing is executed wrongly by MySQL, and prevent SQL injection by escaping the values as others have pointed out. Your MySQL code should look like this: `"SELECT * FROM \`comments\` ORDER BY \`id\` desc LIMIT $limit"` – kks21199 Aug 17 '18 at 16:56

1 Answer


You're very close.

$(document).ready(function(){
    var limit=2;
    $(document).on('click','.more',function(){
        limit=limit+2;
        $('#comments').load("loadComments.php?limit="+limit);
    });
});

$limit = (int)$_GET["limit"];
//$limit = intval($_GET["limit"]); //if you like functions better they are basically the same.
$sql = "SELECT * FROM comments order by id desc limit $limit"; 

First off, load is a $_GET request, so you can pass limit via the query string in the URL.

Then, cast the limit to an int. A lot of prepared statements can't really handle the LIMIT or ORDER BY clause very well. Not to mention I have no idea what DB or library you are using. But casting it should take care of most of the issues.

Now, it's perfectly acceptable to use load if it does what you want (load HTML inside a container), but it's considered a GET type request. Some people for some reason think POST is somehow more secure than GET; well, it's not. Therefore, if this makes your code easier to read and implement, then it's fine.

Description: Load data from the server and place the returned HTML into the matched element.

http://api.jquery.com/load/

The last thing I will mention is: be careful of SQL injection:

What is SQL injection?

It's best to always make your queries prepared statements. It's a bit tricky for the ORDER BY and LIMIT clauses in a query. But because LIMIT only accepts a number, we can cast it to an int with (int), or use intval().

Cheers.

ArtisticPhoenix
    I removed some stuff, I tend to over do it and it can confuse less advanced users. I always have to remind myself sometimes less is more... – ArtisticPhoenix Aug 17 '18 at 16:59
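As an added example (not code from the question or the answer above), here is what a hardened loadComments.php can look like when the cast-to-int advice from the answer and the prepared-statement advice from the comments are combined. It assumes a MySQL table `comments` with `id` and `body` columns (the `body` column name, the PDO DSN and the credentials are placeholders), and it accepts the limit from either the query string or the request body so it works with both forms of jQuery's .load() shown on this page:

```php
<?php
// Added example, not the answer's own code. Assumes a `comments` table with
// `id` and `body` columns; DSN and credentials below are placeholders.
declare(strict_types=1);

const MAX_LIMIT = 100;  // hard ceiling so a client cannot ask for the whole table
const STEP      = 2;    // page size used when no valid limit is supplied

// jQuery .load() sends GET when given a URL string and POST when given a data
// object; either way the value is untrusted input, never SQL text.
$raw = $_GET['limit'] ?? $_POST['limit'] ?? null;

// Validate instead of only casting: rejects "abc", "-5" and oversized values,
// and falls back to STEP when the parameter is missing or malformed.
$limit = filter_var($raw, FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => MAX_LIMIT, 'default' => STEP],
]);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
]);

// With native prepares MySQL accepts a placeholder in LIMIT as long as it is
// bound as an integer; a string-bound value would be quoted and rejected.
$stmt = $pdo->prepare('SELECT id, body FROM comments ORDER BY id DESC LIMIT :limit');
$stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
$stmt->execute();

foreach ($stmt as $row) {
    // Escape on output as well: comment bodies land in an HTML context.
    echo '<div class="comment" data-id="', (int) $row['id'], '">',
         htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
         '</div>', "\n";
}
```

The (int) cast from the answer already stops injection through this parameter; the additional range check caps how much data one request can pull, and binding with PDO::PARAM_INT keeps the query text fixed so the same statement is safe if the column list or ordering is later changed to something less constrained than a bare integer.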