
I use the query below to get users' conversations:

SELECT DISTINCT id, receivern, receiver
FROM arany_conversations
WHERE sender = '$_SESSION[success]'
UNION
SELECT DISTINCT id, sendern, sender
FROM arany_conversations
WHERE receiver = '$_SESSION[success]'
ORDER BY id DESC

Here's 'arany_conversations' table contents: https://i.stack.imgur.com/3DZhr.png

And I use this PHP code:

foreach ($conversations as $conversation) {
    echo $conversation['receiver']."<br/>".$conversation['sender'];
}

But the results will be: https://i.stack.imgur.com/g7Mk9.png

Explanation: Results show "sender" and "receiver" but only with this code:

echo $conversation['receiver'];

And "sender" will not be shown using this code:

echo $conversation['sender'];

I have tried to make the mentioned query be like sender AS A1 and receiver AS A2 but it's the same problem.

So how to show "sender" using $conversation['sender']; instead of using $conversation['receiver']; ?

I_I
  • Mind the SQL injection.. Never trust the SESSION array to be safe because it isn't on [shared webhosting](https://stackoverflow.com/questions/18262878/how-to-prevent-php-sessions-being-shared-between-different-apache-vhosts/18263063#18263063) (post of mine) the $_SESSION array can be attacked. – Raymond Nijland Jan 16 '19 at 16:41
  • @RaymondNijland Thank you! I think i should use for example $username = mysqli_real_escape_string($db, $_SESSION['success']) - right? – I_I Jan 16 '19 at 16:46
  • No `mysqli_real_escape_string()` can also be unsafe when not setting a default charset (like the manual says) or if you use it in a wrong way `mysqli_real_escape_string()` only protects string data which is in single or double quotes.. The best method to prevent SQL injections is using [prepared statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Raymond Nijland Jan 16 '19 at 16:49
  • @RaymondNijland Thank you, I will take care about it! – I_I Jan 16 '19 at 16:51
  • always use prepared statements when accessing the database no exceptions.. Even when you assume the data is "safe" for example the data was already stored in the database.. if you don't use prepared statements then stored SQL injections (sometimes also called second order SQL injections) are possible. forgotten to mention posted as an extra warning. – Raymond Nijland Jan 16 '19 at 16:53
  • Roger that. Thanks! – I_I Jan 16 '19 at 16:55

1 Answer


UNION always shows the field names from the first query. This is why sender does not exist. To get the two field names, you could do the following:

SELECT DISTINCT id, receivern, receiver, 0 as sender
FROM arany_conversations
WHERE sender = '$_SESSION[success]'
UNION
SELECT DISTINCT id, sendern, 0, sender
FROM arany_conversations
WHERE receiver = '$_SESSION[success]'
ORDER BY id DESC

I'm sorry for my bad English.

  • Don't be sorry! Thank You so much! – I_I Jan 16 '19 at 16:30
  • Mind the SQL injection.. Never trust the SESSION array to be safe because it isn't on [shared webhosting](https://stackoverflow.com/questions/18262878/how-to-prevent-php-sessions-being-shared-between-different-apache-vhosts/18263063#18263063) (post of mine) the $_SESSION array can be attacked. – Raymond Nijland Jan 16 '19 at 16:42
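The answer's column-padded UNION combined with the prepared-statement advice from the comments, as an added example that is not code from the question or the answer. It assumes `$db` is an open mysqli connection and that `$_SESSION['success']` holds the current user's name, as in the question; the `fetchConversations` function name is mine.

```php
<?php
// Added example (not from the question or answer): the answer's UNION with
// both receiver and sender columns, run as a mysqli prepared statement so the
// session value is bound as data instead of being interpolated into the SQL.
// Assumes $db is an open mysqli connection and $_SESSION['success'] holds the
// current username, as in the original question.

function fetchConversations(mysqli $db, string $me): array
{
    // Column names are taken from the first SELECT, so both branches must put
    // receiver and sender in the same positions; the unused slot in each
    // branch is filled with an empty-string literal, as the answer does with 0.
    // UNION already removes duplicate rows, so DISTINCT is not needed here.
    $sql = "SELECT id, receivern, receiver, '' AS sender
              FROM arany_conversations
             WHERE sender = ?
            UNION
            SELECT id, sendern, '', sender
              FROM arany_conversations
             WHERE receiver = ?
            ORDER BY id DESC";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // Two placeholders, both strings; the username never becomes SQL text,
    // which also covers values that were stored in the database earlier
    // (the "second order" case mentioned in the comments).
    $stmt->bind_param('ss', $me, $me);
    $stmt->execute();

    $rows = [];
    $result = $stmt->get_result(); // requires the mysqlnd driver
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    $stmt->close();
    return $rows;
}

// Set the connection charset explicitly (the comments note that escaping
// without a known charset is unsafe; binding does not depend on it, but it
// keeps the returned names decoded consistently).
$db->set_charset('utf8mb4');

foreach (fetchConversations($db, $_SESSION['success']) as $conversation) {
    // Escape on output too: these names were entered by other users.
    echo htmlspecialchars($conversation['receiver'], ENT_QUOTES, 'UTF-8') . "<br/>"
       . htmlspecialchars($conversation['sender'], ENT_QUOTES, 'UTF-8');
}
```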