Vladislav Dolmat, 2020-02-16 21:55:11
PHP

Why is it not getting text from the database?

It does not display the text that is taken from the database. The connection is present, there are no errors in the requests; I checked it through print_r(), everything is filled.
Request code:

$u_r_name = $db->prepare('SELECT name FROM accounts WHERE mail="'.$_SESSION['mail'].'";');
$u_r_surname = $db->prepare('SELECT surname FROM accounts WHERE mail="'.$_SESSION['mail'].'";');

Output code:
<? if(empty($_SESSION['pid'])): ?>
  <div id="auth-block">
    <a href="/login" class="login-btn nav-desktop-menu-header">Войти</a>
    <a href="/registration" class="reg-btn nav-desktop-menu-header">Регистрация</a>
  </div>
<? else: ?>
  <div id="account-info-block">
    <div class="dash-text" id="account-name"><? echo $u_r_name->execute() . ' ' . $u_r_surname->execute(); ?></div>

    <hr class="hr-mini" />
  </div>
<? endif; ?>

1 answer(s)
FanatPHP, 2020-02-17
@Qushery

Horrible...

Or even so will I be at risk of sql injection?

prepare by itself does not protect against injection. From the fact that you replaced the word query with the word prepare, your queries will not become more secure.
prepare must be used correctly in order for prepare to work.
I generally keep quiet about the rest of the code. Why did you decide that execute displays some data? Why make two queries to get the same record?
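<?php
// One query with a placeholder: the mail value is bound as data, not spliced into the SQL text.
$stmt = $db->prepare('SELECT name, surname FROM accounts WHERE mail=?');
$stmt->execute([$_SESSION['mail']]);
// execute() only runs the statement (it returns true/false); fetch() returns the row.
$user = $stmt->fetch();
?>
<div class="dash-text" id="account-name"><?= $user['name'] . ' ' . $user['surname'] ?></div>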
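
The difference the answer describes, as an added example that is not part of the original thread: the same lookup written with prepare() on a concatenated string and with a bound placeholder. It assumes the pdo_sqlite extension; the table contents, the helper names lookupConcatenated/lookupBound and the $mail value are constructed for illustration, and single quotes replace the question's double quotes so the query runs on SQLite.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
$db->exec('CREATE TABLE accounts (mail TEXT, name TEXT, surname TEXT)');
$db->exec("INSERT INTO accounts VALUES
    ('alice@example.test', 'Alice', 'Adams'),
    ('bob@example.test', 'Bob', 'Brown')");

// Constructed value: matches no account, but contains a quote character.
$mail = "nobody@example.test' OR '1'='1";

// Pattern from the question: prepare() on a concatenated string.
// The value is already part of the SQL text, so prepare() has nothing left to bind.
function lookupConcatenated(PDO $db, string $mail): array
{
    $stmt = $db->prepare("SELECT name, surname FROM accounts WHERE mail='" . $mail . "'");
    $stmt->execute();   // returns a bool, not the data
    return $stmt->fetchAll();
}

// Pattern from the answer: placeholder in the SQL, value passed to execute().
function lookupBound(PDO $db, string $mail): array
{
    $stmt = $db->prepare('SELECT name, surname FROM accounts WHERE mail=?');
    $stmt->execute([$mail]);
    return $stmt->fetchAll();
}

printf("concatenated: %d row(s)\n", count(lookupConcatenated($db, $mail)));
printf("bound:        %d row(s)\n", count(lookupBound($db, $mail)));

// Legitimate lookup: fetch() returns false when no row matches, and the
// stored values are HTML-escaped before they are written into the page.
$stmt = $db->prepare('SELECT name, surname FROM accounts WHERE mail=?');
$stmt->execute(['alice@example.test']);
$user = $stmt->fetch();
if ($user !== false) {
    echo htmlspecialchars($user['name'] . ' ' . $user['surname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

With the constructed value, the concatenated lookup returns every row in the table, while the bound lookup treats the whole string as a mail address and returns none.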
