Display data to Logged In User - PHP

Question

I am creating a page that will display the login history. My code currently displays all logs and should only display the log history from the logged-in user.

Database -> Logs:

log_id | user_email | ip_address | time 
-------+------------+------------+-----
  1    | ml@a.com   | 123.13.13  | 1:30

LogHistory.php page:

<?php
    $stmt = $dbh->prepare("SELECT * FROM Logs ORDER BY log_id ASC");
    $stmt->execute();
    if ($stmt->rowCount() == 0) {
        echo 'Log history are empty.';
    } else {
        // Data we collected from the registered user
    }
?>

I have tried this code:

<?php
$LoggedInUser = $_SESSION['user'];
$stmt = $dbh->prepare("SELECT * FROM Logs WHERE user_email = $LoggedInUser ORDER BY log_id ASC");
$stmt->execute();
if ($stmt->rowCount() == 0) {
    echo 'Log history are empty.';
} else {
    // Data we collected from the registered user
}
?>

With the above code I get this error message:

PHP Fatal error:  Uncaught PDOException: SQLSTATE\[42000\]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ':user@example.com ORDER BY log_id ASC'

Have you tried wrapping your user E-Mail into `' '`? Also, please do yourself a favor and read up on SQL Injections. — Refugnic Eternium, Nov 03 '22 at 14:43
Assuming that you are using PDO .... in the select statement, Change $LoggedInUser to :LoggedInUser , and then change $stmt->execute(); to $stmt->execute(['LoggedInUser' => $LoggedInUser]); — Ken Lee, Nov 03 '22 at 14:44
Check out the top tutorial on the [mysqli::prepare help page](https://www.php.net/manual/en/mysqli.prepare.php) where it shows how to use `bind_param` to get your `$LoggedInUser` into your sql statement properly. You are trying to do concatenation here (incorrectly) which will lead to a sql injection attack vector. — JNevill, Nov 03 '22 at 14:46
I have tried to change ```$LoggedInUser``` with the user email but the error is the same. @RefugnicEternium — Zorgs, Nov 03 '22 at 14:47
@Zorgs, my issue was not with the variable, it was with the missing string ticks. Though you really should try out prepared statements. — Refugnic Eternium, Nov 03 '22 at 14:48
Does this answer your question ? [How can I properly use a PDO object for a parameterized SELECT query](https://stackoverflow.com/questions/767026/how-can-i-properly-use-a-pdo-object-for-a-parameterized-select-query) — Ken Lee, Nov 03 '22 at 14:58

score -1 · Accepted Answer · answered Nov 03 '22 at 14:46

You just need to use parameters with prepared statements

<?php
    $LoggedInUser = $_SESSION['user'];
    $stmt = $dbh->prepare("SELECT * FROM Logs WHERE user_email = ? ORDER BY log_id ASC");
    $stmt->execute([$LoggedInUser]);
    if ($stmt->rowCount() == 0) {
        echo 'Log history are empty.';
    } else {
        // Data we collected from the registered user
    }
?>

Here live PHP code

Display data to Logged In User - PHP

1 Answers1