Why is it not getting text from the database?

V

Vladislav Dolmat2020-02-16 21:55:11

PHP

Vladislav Dolmat, 2020-02-16 21:55:11

Does not display the text that is taken from the database. The connection is present, there are no errors in the requests, I checked it through print_r (), everything is filled.
Request code:

$u_r_name = $db->prepare('SELECT name FROM accounts WHERE mail="'.$_SESSION['mail'].'";');
$u_r_surname = $db->prepare('SELECT surname FROM accounts WHERE mail="'.$_SESSION['mail'].'";');

Output code:

<? if(empty($_SESSION['pid'])): ?>
            <div id="auth-block">
              <a href="/login" class="login-btn nav-desktop-menu-header">Войти</a>
              <a href="/registration" class="reg-btn nav-desktop-menu-header">Регистрация</a>
            </div>
          <? else: ?>
            <div id="account-info-block">
              <div class="dash-text" id="account-name"><? echo $u_r_name->execute() . ' ' . $u_r_surname->execute(); ?></div>
              
              <hr class="hr-mini" />
            </div>
          <? endif; ?>

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

F

FanatPHP, 2020-02-17
@Qushery

Horrible...

Or even so will I be at risk of sql injection?

prepare by itself does not protect against injection. From the fact that you replaced the word query with the word prepare, your queries will not become more secure.
prepare must be used correctly in order for prepare to work .
I generally keep quiet about the rest of the code. Why did you decide that execute displays some data? Why make two queries to get the same record?

$stmt = $db->prepare('SELECT name, surname FROM accounts WHERE mail=?');
$stmt->execute([$_SESSION['mail']]);
$user = $stmt->fetch();
<div class="dash-text" id="account-name"><?= $user['name'] . ' ' . $user['surname'] ?></div>