adding values into an array using a while loop

Question

So what I'm trying to do is create a live friends search. To do this I need an array of names for AJAX to search through.

Heres my while loop.

if($_REQUEST['D'] == 'viewfriends') {
    $FREINDS = array();
    $FRIENDS_QUERY = "SELECT * FROM `FRIENDS` WHERE `USER` = '{$Modules['User']->Username}' AND `STATUS` = 'accepted' ORDER BY `ID` Limit 10 ;";
    $FRIENDS_RESULT = mysql_query($FRIENDS_QUERY);
    if(mysql_num_rows($FRIENDS_RESULT) > 0) {
        while($FRIENDS_ROW = mysql_fetch_assoc($FRIENDS_RESULT)) {
            $sql = "SELECT * FROM `USERS` WHERE `USERNAME` = '{$FRIENDS_ROW['FRIEND']}' ;";
            $REQUEST_ROW = mysql_fetch_assoc(mysql_query($sql));
            $FRIENDS = $REQUEST_ROW['USERNAME'];
        }
    echo json_encode($FRIENDS);
    } else {
        echo'<div class="update status">Sorry, You have no friends at this time. sadface.</div>';   
    }
}

I put the echo $FRIENDS in there as a test, right now it doesn't display anything. Where did I derp?

Is this your actual code? There's a spelling mistake here: $FREINDS = array();
Your code is open to SQL injections, and also, why are you using the ancient mysql_* functions ?
im confused on the injects because its just requesting information from the database. and what do you mean by ancient mysq functions?
also yes this is my code Colin, i did fix the spelling error. no dice there.

aSeptik · Accepted Answer · 2012-04-01 15:35:10Z

try this:

if($_REQUEST['D'] == 'viewfriends') {
    $FRIENDS = array();
    $USERNAME = $Modules['User']->Username;
    $SQL_QUERY = "SELECT F.*, U.* FROM FRIENDS AS F LEFT JOIN USER AS U ON F.USER = U.USERNAME WHERE F.USERNAME = '{$USERNAME}' AND STATUS = 'accepted' ORDER BY F.ID LIMIT 10";
    $RESULTS = mysql_query($SQL_QUERY);
    if(mysql_num_rows($RESULTS) > 0) {
        while($ROW = mysql_fetch_assoc($RESULTS)) {           
            $FRIENDS[] = $ROW['USERNAME'];
        }
        echo json_encode($FRIENDS);
    } else {
        echo'<div class="update status">Sorry, You have no friends at this time. sadface.</div>';   
    }
}

 $FRIENDS[] = $REQUEST_ROW['USERNAME'];

then print_r($FRIENDS); echo will output array you need to loop the array or echo json_encode($FRIENDS); to see something

also are you sure that USERNAME is uppercase and not just username in lowercase lowercase as well as for the table name.

also i think you can use a JOIN clause instead of making to SQL requests

yes, i use the same QUERY for other functions. i do all my tables and Columns in sql as UPPERCASE to avoid this :).
yes it works great now thank you! i am confused on your SQL query though
i have used a LEFT JOIN so you don't need to make two sql request to database.

Neograph734 · Answer 2 · 2012-04-01 15:14:54Z

up vote 2 down vote

You can't echo an array. You can use either print_r($friends) to display the whole row of fields requested in the query (you request *) or you can echo $friends['name'] (depending on how you declared name in your database)

answered Apr 1 '12 at 15:14

Neograph734
778318

Engineer · Answer 3 · 2012-04-01 15:18:26Z

up vote 1 down vote

You have syntax error:

$FREINDS = array(); should be $FRIENDS = array(); .

And also:

$FRIENDS = $REQUEST_ROW['USERNAME'] should be $FRIENDS[] = $REQUEST_ROW['USERNAME']

And

echo $FRIENDS; should be echo json_encode( $FRIENDS );

edited Apr 1 '12 at 15:18

answered Apr 1 '12 at 15:10

Engineer
14.7k11028

	thank you. but it did not fix my array problem unfortunately. – DJ_Plus Apr 1 '12 at 15:13
	@DJ_Plus See my update. – Engineer Apr 1 '12 at 15:18
	yes!! you are awesome! this worked perfectly :) – DJ_Plus Apr 1 '12 at 15:19

Anthony · Answer 4 · 2012-04-01 17:24:30Z

The PHP won't actually echo out an array. If you do an echo of an array, it outputs "Array". Plus your javascript wouldn't know what to do with a PHP array if it did pass it that way.

Try:

echo(json_encode($FRIENDS));

Also, you should really listen to the feedback in the comments. Your code is very vulnerable to attack and not set up to scale well for such a potentially huge app.

You have a couple of issues that make your code either less secure or less efficient. The most obvious inefficiency is that you are doing a database call inside your while loop, so if someone has 10 friends, that means you've done 11 database queries when you may have only needed one or two. Here are the two queries:

SELECT * FROM `FRIENDS` 
WHERE `USER` = '{$Modules['User']->Username}' 
AND `STATUS` = 'accepted' ORDER BY `ID` Limit 10

SELECT * FROM `USERS` WHERE `USERNAME` = '{$FRIENDS_ROW['FRIEND']}'

So before we determine if these two can be combined, the first big red flag is the SELECT *. I use it all of the time, but it will get you kicked out of the better database bars. In your case, it's really unnecessary. We know from the second query that the only thing you are using from the first query is the $FRIENDS_ROW['FRIEND'] to match against the USERNAME. So that first query can become:

SELECT FRIEND FROM `FRIENDS` 
WHERE `USER` = '{$Modules['User']->Username}' 
AND `STATUS` = 'accepted' ORDER BY `ID` Limit 10

You also have the SELECT * in the second query, and we can tell that (for now) the the only thing you are using is the USERNAME, so it can become:

SELECT USERNAME FROM `USERS` WHERE `USERNAME` = '{$FRIENDS_ROW['FRIEND']}'

Finally, we can see from the second query that the FRIEND name and the USERNAME are identical; otherwise why would you query for the usernames where the username equals the friend name. If that's the case, we can drop your second query completely, since we already know the usernames from the first query.

The reason why it's both inefficient and unsafe is because you are using the OG mysql functions, which are clunky and don't offer the option of prepared statements. Prepared statements let you (among other things) put variables in your query in such a way that when you actually call the query, the parts that are variables are known and can thus be sanitized, avoiding the horrors of mysql injections that everyone has mentioned.

I won't bore you with the play-by-play, but here is what your code might look like if you used the newer mysqli library with a prepared statement:

if($_REQUEST['D'] == 'viewfriends') {

    $friends = array();

    $friend_lookup = $mysqli->prepare("SELECT FRIEND FROM FRIENDS WHERE 
                                               USER = ? AND STATUS = 'accepted' 
                                               ORDER BY FRIEND");

    $friend_lookup -> bind_param('s', $userName);
    $userName = $Modules['User']->Username;

    $friend_lookup -> execute();
    $friend_lookup -> bind_result($friend);

    while($friend_lookup -> fetch()) {
        $friends[] = $friend;
    }

    if($friends) {
        echo json_encode($friends);
    } else {
        echo "Sorry, no friends. Boo.";
    }
}

thank you, and im trying to figure out where i am vulnerable? im sorry if i dont understand, i really do appreciate everone on here giving me advice.
I used the json_encode function because you said you were looking for an ajax solution. Obviously, it's not pretty if you're just trying to confirm the array is being built, in which case go with print_r(). But your javascript will understand the json better.
ok i understand the json_encode but everyone keeps saying my code is vulnerable for attack? why is that?
@DJ_Plus - I've updated my answer as these comment boxes are too small.
wow, thank you very much! i obviously need to revisit my mysql skills.

asked	1 year ago
viewed	1014 times
active	1 year ago

adding values into an array using a while loop

4 Answers

Your Answer

Not the answer you're looking for? Browse other questions tagged php mysql arrays while-loop or ask your own question.

Community Bulletin

adding values into an array using a while loop

4 Answers

Your Answer

Sign up or log in

Post as a guest

Not the answer you're looking for? Browse other questions tagged php mysql arrays while-loop or ask your own question.

Community Bulletin

Related