+----+--------+----------+---------------+---------+
| id | userId | friendId | friendRequest | friends |
+----+--------+----------+---------------+---------+
| 1  | 1      | 3        | true          | false   |
+----+--------+----------+---------------+---------+

This is what I want. However, on page refresh, it seems that if you request ANYONE as a friend, it will somehow return every user as '$friendRequest' = true and '$friends' = false, despite the database not listing those users at all...

friends.php

// Connect to USERS table
$userId = $_SESSION['id'];
$con    = mysqli_connect("localhost", "root", "admin123", "master");
$sql    = "SELECT * FROM users ORDER BY id DESC";
$result = mysqli_query($con, $sql);

// Connect to FRIENDS table
$sqli          = $con->query("SELECT * FROM friends");
$data          = $sqli->fetch_array();
$friendRequest = $data['friendRequest'];
$friends       = $data['friends'];

// Build USERS table
while ($row = mysqli_fetch_array($result)) {
    $profile   = $row['profile'];
    $id        = $row['id'];
    $firstName = $row['firstName'];
    $lastName  = $row['lastName'];
    $city      = $row['city'];
    $state     = $row['state'];
    $bio       = $row['bio'];

    // Exclude user profile, current friends, and active friend requests

    if ($id !== $userId && $friends !== "true" && $friendRequest !== "true") {

        echo "
   <div class='card m-0'>
      <div class='text-center align-middle bg-white pt-3 pb-3'>
         <img class='circle border mx-auto' style='width: 100px; height: 100px; object-fit: cover;' src='profile_pics/" . $profile . "'>
         <h4 class='text-black font-weight-bolder'>" . $firstName . " " . $lastName . "</h4>
      <div class='h7'><i class='fas fa-map-marker-alt text-danger'></i> " . $city . ", " . $state . "</div>
         <form action='friends.php' method='post'>
            <a href='request.php?id=" . $id . "' class='btn btn-primary mx-auto mt-3'>Send Friend Request</a>
         </form>
      </div>
   </div>";

    } else {
        echo "Friend request: " . $friendRequest . "<br>Friends? " . $friends . "<br>";
    }
}

request.php

<?php
    require "functions.php";
    require "logincheck.php";

    $userId   = $_SESSION['id'];
    $friendId = $_GET['id'];
    $con      = mysqli_connect("localhost", "root", "", "master");
    $sqli     = "INSERT INTO friends (userId, friendId, friendRequest, friends) VALUES ('$userId', '$friendId', 'true', 'false')";
    mysqli_query($con, $sqli);

    header("Location: friends.php");
?>
  • Why are you using two different methods of connecting to the database? It’s very confusing, and both methods are insecure. – ezra Nov 17 '19 at 17:51
  • Ok— even still, I’m confused. What is supposed to be the output? What is the actual output? – ezra Nov 17 '19 at 18:02
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 17 '19 at 22:20

1 Answer


After you fetch the first line of the friends table and set the variables $friendRequest and $friends, they represent the relation between user 1 and user 3. When you start looping over all users, you never change these values, so they will still represent the relation between those users even if you check e.g. user 2.

I guess what you want is to select all (pending) friend requests for the specific user (SELECT * FROM friends WHERE userId = ? - make sure to use prepared statements!) and later in your loop, check if the user you are currently looping appears in the result of your friends-query. If yes, you already sent him a friend request.

Christoph
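A version of friends.php that follows this answer, added here as an example (it is not the asker's or Christoph's code): the viewer's friends rows are fetched once with a prepared statement and keyed by the other user's id, and that map is consulted for each user inside the loop instead of the single row the original code fetched. It goes a little beyond the answer by also matching rows where the viewer is the friendId; the DB_USER/DB_PASSWORD credentials and the 'true'/'false' string values (as in the question's INSERT) are assumptions.

```php
<?php
// Added example, not the question's or the answer's code. Assumes the question's schema
// (friends: userId, friendId, friendRequest, friends stored as 'true'/'false' strings) and
// placeholder DB credentials; logincheck.php is assumed to have started the session.
require "functions.php";
require "logincheck.php";

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on DB errors
$userId = (int) $_SESSION['id'];
$con    = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "master");

// 1. One prepared query fetches every friends row involving the viewer, in either
//    direction, keyed by the other user's id. This replaces the single fetch_array()
//    call whose first row was reused for every user in the original loop.
$stmt = $con->prepare(
    "SELECT userId, friendId, friendRequest, friends FROM friends
      WHERE userId = ? OR friendId = ?"
);
$stmt->bind_param("ii", $userId, $userId);
$stmt->execute();
$res = $stmt->get_result();

$relation = [];                         // otherUserId => friends row
while ($row = $res->fetch_assoc()) {
    $other = ((int) $row['userId'] === $userId) ? (int) $row['friendId'] : (int) $row['userId'];
    $relation[$other] = $row;
}
$stmt->close();

// 2. Loop over users; the check now uses THIS user's row, looked up by id.
$users = $con->query("SELECT id, firstName, lastName FROM users ORDER BY id DESC");
while ($row = $users->fetch_assoc()) {
    $id = (int) $row['id'];
    if ($id === $userId) {
        continue;                       // never list the viewer themself
    }
    $rel       = $relation[$id] ?? null;
    $isFriend  = $rel !== null && $rel['friends'] === 'true';
    $isPending = $rel !== null && $rel['friendRequest'] === 'true' && !$isFriend;
    $name      = htmlspecialchars($row['firstName'] . ' ' . $row['lastName'], ENT_QUOTES, 'UTF-8');

    if ($isFriend) {
        echo "<p>$name: already friends</p>";
    } elseif ($isPending) {
        echo "<p>$name: request pending</p>";
    } else {
        echo "<p>$name: <a href='request.php?id=$id'>Send Friend Request</a></p>";
    }
}
```

The INSERT in request.php takes the same treatment: `$stmt = $con->prepare("INSERT INTO friends (userId, friendId, friendRequest, friends) VALUES (?, ?, 'true', 'false')"); $stmt->bind_param("ii", $userId, $friendId);` with `$friendId = (int) $_GET['id'];`, so the id from the URL is never concatenated into SQL.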