unable to print the chat_message data from the database server of the both sender and receiver

Question

I have a table in my database with the name of chat_message,

i am storing into the chat_message column, sender id as from_user_id , receiver id as to_user_id and the chat_message,

Here i am using this code to fetch all the chat_message.

<?php 
session_start();
require_once('include/dbcon.php');
$session_to_user_id = $_SESSION['session_to_user_id'];
$session_id = $_SESSION['id'];
// fetching chat message of sender
$query = "SELECT * FROM `chat_message` WHERE `from_user_id`='$session_id' AND `to_user_id` = '$session_to_user_id' order by `chat_message_id` asc ";
// fetching chat message of receiver
$query1 ="SELECT * FROM `chat_message` WHERE `from_user_id`='$session_to_user_id' AND `to_user_id` = '$session_id' order by `chat_message_id` asc ";
$run = mysqli_query ($con,$query);
$run1 = mysqli_query($con,$query1);
while($data = mysqli_fetch_assoc($run) AND $data1 = mysqli_fetch_assoc($run1)){
    $chat_message = $data['chat_message'];
    $chat_message1 = $data1['chat_message'];
    ?>
    <p>

        <div class="chat">
            <div class="bubble you black-text">
            <?php                  
                   echo $chat_message;
                 ?>
            </div>

            <div class="bubble me black-text">
                 <?php
                 echo $chat_message1;
                 ?>
            </div>
        </div>
    </p>
<?php 
}
?>

The code is working but.

When one person send a message to another message then the message is displaying into chat box.

But when he send message again to the second user then the message is not displaying.

But when first user and second user sending single message in queue the script is working fine.

But when a user send more than one message then the problem occurred.

here i want only print the chat_message of the sender on right hand side and the receiver message to the left hand side.

At the end i have use division chat to print the chat_message of the sender on right hand side and the receiver message to the left hand side.

Your code is vulnerable to SQL injection. You should use prepared statements. — Dharman, Nov 21 '19 at 09:09
@Dharman how can it be vulnerable if the input is via SESSION variables? I do not see any GET or POST vars there concatenating the string. — , Nov 21 '19 at 09:44
The code is vulnerable not when you accept GET or POST data, but when you put variable data into SQL query. In this case you have variables from SESSION and instead of binding them like you should, you put them directly in SQL making the code vulnerable. — Dharman, Nov 21 '19 at 09:46
@user1888089 Where did you get such an idea from? Injection can happen within the code too, without any outside interaction. See posts such as: [Can someone perform a SQL Injection based on session variables in php?](https://stackoverflow.com/q/24587418/1839439) [What is SQL injection?](https://stackoverflow.com/q/601300/1839439) — Dharman, Nov 21 '19 at 09:56

score 0 · Accepted Answer · edited Nov 21 '19 at 19:01

I did it.

<?php 
session_start();
require_once('include/dbcon.php');
$session_to_user_id = $_SESSION['session_to_user_id'];
$session_id = $_SESSION['id'];
// fetching chat message of sender and receiver both.
$query = "SELECT * FROM `chat_message` WHERE (`from_user_id`='$session_id' AND `to_user_id` = '$session_to_user_id') || (`from_user_id`='$session_to_user_id' AND `to_user_id` = '$session_id') order by `chat_message_id` asc ";
$run = mysqli_query($con,$query);
while($data = mysqli_fetch_assoc($run)){
    $chat_message = $data['chat_message'];
    $from_user_id = $data['from_user_id'];
    $to_user_id = $data['to_user_id'];
    ?>
    <p>

        <div class="chat">
        <?php if($from_user_id == $session_id){ ?>
            <div class="bubble you black-text">
            <?php                  
                    echo $chat_message;
                 ?>
            </div>
       <?php } ?>

       <?php if($from_user_id !== $session_id){ ?>
            <div class="bubble me black-text">
            <?php                  
                    echo $chat_message;
                 ?>
            </div>
       <?php } ?>
        </div>
    </p>
<?php 
}
?>

unable to print the chat_message data from the database server of the both sender and receiver

1 Answers1