Hi /g/, could you please help me solve the following PHP/SQL
You are currently reading a thread in /g/ - Technology

Thread replies: 12
Thread images: 2
Hi /g/, could you please help me solve the following PHP/SQL problem?
I'm trying to match an array of integers with integers from an SQL database and echo them when they match.
I'm only posting the relevant stuff.

<?php
session_start();
include_once("php/connect.php");
?>

<!DOCTYPE HTML>

<html>
<table>
<thead>
<tr>
<th>Cart ID</th>
<th>User ID</th>
<th>User Name</th>
</tr>
</thead>

<tbody>

<?php
$cartSelect = "SELECT cart_id, cart_user_id FROM carts ORDER BY cart_id ASC";
$cartQuery = mysqli_query($connect, $cartSelect);

if($cartQuery) {
while($cartRow = $cartQuery -> fetch_object())
{
echo '<tr>';
echo '<td>'.$cartRow -> cart_id.'</td>';
echo '<td>'.$cartRow -> cart_user_id.'</td>';

$userSelect = "SELECT user_name FROM users WHILE '$cartRow -> cart_user_id' = user_id"; // (<- XYZ)
$userQuery = mysqli_query($connect, $userSelect);

if($userQuery) {
while($userRow = $userQuery -> fetch_object())
{
echo '<td>'.$userRow -> user_name.'</td>';
}
}

echo '</tr>';
}
}
?>
</tbody>
</table>
</html>


However, when I do this I get the following error:
Catchable fatal error: Object of class stdClass could not be converted to string in /srv/http/project/page.php on line XYZ


Obviously I am very much a beginner and I could use some help.
>>
try this
$userSelect = "SELECT user_name FROM users WHERE user_id = " . $cartRow->cart_user_id;


Also, whoever told you to add a blank space around the object operator is not your friend.
>>
>>51913958
Oh wow, it works!
Thank you so much, I've been fucking around with this for ages now. Tried many different ways to do it at first and finally settled on what I first thought was logical yet it just didn't work because of this damn error.

Thank you so so much Anon, have a piglet.
>>
>>51913958
>>51914018

Enjoy your SQL injection vulnerability.

No, srsly.
>>
>>51913958
Yeah, also try
require($_GET['page']);
for awesome front controller action!

Don't forget to use register_globals, too! And magic quotes!


God DAMN IT PHP devs.
>>
>>51915090
Not OP, but it's obviously for a beginning class. He's just learning. SQL is pretty advanced.
>>
>>51915090

P.S. Let me explain why it is in fact a SQL injection: unless you have full control over the contents of $cartSelect (which comes from the DB), you cannot trust that there's no SQLi here.

I.e. if your users are able to insert data into this table, then even if the data are properly escaped when inserted the first time, they will come back in their original form when selected back from the DB. This is called "stored SQL injection".

Also, you have XSS in all the `echo '<td>'.$cartRow -> cart_id.'</td>';` lines.


Just grab Python and Django or Flask.

> Using PHP in 2015
> All those SQLi
> All those XSS
Srsly.
>>
>>51915163
Does that mean PDO doesn't have parameter type binding?
>>
>>51915163
This alone is why you simply shouldn't use PHP.

"Just sanitize everything and hope you don't miss anything!" just doesn't work.
>>
>>51915144
>Not OP, but it's obviously for a beginning class. He's just learning. SQL is pretty advanced.

Then it's especially dangerous, since if it's only for a course, then OP learns all the bad and hellishly vulnerable stuff from the beginning.

Why not get it right and learn a safe way from the very beginning?
>>
>>51915144
If you're going with PHP, at least learn PDO.
>>
>>51915197
Dunno, but op clearly concatenates raw SQL strings rather than using any API.

At least all the query parameters should be sanitized immediately before use.

But it's best to use 'bind parameters'.
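The two points made in the thread, that the per-row lookup should bind its parameter instead of concatenating it (the "stored SQL injection" post and the "bind parameters" post above), and that every value echoed into the table should be HTML-escaped, put together as an added example. This is not OP's code or any poster's code; it uses PDO with an in-memory SQLite database and constructed sample rows so it runs offline (OP's setup was MySQL via mysqli), keeps OP's table and column names, and assumes PHP 8.0 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the thread: OP's cart/user listing rewritten with
// PDO prepared statements, a single JOIN, and output escaping. The database is
// an in-memory SQLite instance with constructed sample data (assumption: the
// pdo_sqlite extension is available); OP's page used MySQL via mysqli.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real prepares where the driver supports them
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed schema and rows. User 3's name is a stored XSS payload: it was
// inserted safely, but it comes back out of the DB exactly as it went in.
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT NOT NULL)');
$db->exec('CREATE TABLE carts (cart_id INTEGER PRIMARY KEY, cart_user_id INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO users (user_id, user_name) VALUES (?, ?)');
foreach ([[1, 'alice'], [2, 'bob'], [3, '<script>alert(1)</script>']] as $row) {
    $ins->execute($row);
}
$ins = $db->prepare('INSERT INTO carts (cart_id, cart_user_id) VALUES (?, ?)');
foreach ([[10, 1], [11, 3], [12, 2]] as $row) {
    $ins->execute($row);
}

// 1. The pattern from the thread: the value is glued into the query text, so
//    whatever $userId contains becomes SQL, whether it came from $_GET or from
//    a column that was read back out of the database.
function userNameUnsafe(PDO $db, string $userId): array
{
    $sql = "SELECT user_name FROM users WHERE user_id = " . $userId;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Bound parameter: the value travels separately from the query text and can
//    never alter its structure. Casting to int and binding as PARAM_INT also
//    rejects anything that is not a number.
function userNameSafe(PDO $db, string $userId): array
{
    $stmt = $db->prepare('SELECT user_name FROM users WHERE user_id = :id');
    $stmt->bindValue(':id', (int) $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. One JOIN replaces OP's second query per cart row; no per-row SQL is built
//    at all, so there is nothing to inject into.
function cartRows(PDO $db): array
{
    return $db->query(
        'SELECT c.cart_id, c.cart_user_id, u.user_name
           FROM carts c
           LEFT JOIN users u ON u.user_id = c.cart_user_id
          ORDER BY c.cart_id ASC'
    )->fetchAll();
}

// 4. Escape on output, not on input: every value that goes into HTML passes
//    through htmlspecialchars with ENT_QUOTES, so a stored name is shown as
//    text instead of being parsed as markup.
function h(string|int|null $v): string
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTable(PDO $db): string
{
    $out = "<table>\n<thead><tr><th>Cart ID</th><th>User ID</th><th>User Name</th></tr></thead>\n<tbody>\n";
    foreach (cartRows($db) as $r) {
        $out .= '<tr><td>' . h($r['cart_id']) . '</td><td>' . h($r['cart_user_id'])
              . '</td><td>' . h($r['user_name']) . "</td></tr>\n";
    }
    return $out . "</tbody>\n</table>\n";
}

$payload = '1 OR 1=1';                  // constructed attacker-controlled input
print_r(userNameUnsafe($db, $payload)); // all three users: the OR became part of the query
print_r(userNameSafe($db, $payload));   // only "alice": the value was bound as the integer 1
echo renderTable($db);                  // the <script> row appears as literal text
```

Running this prints all three user names from the concatenated query and only `alice` from the bound one, and the rendered table shows `&lt;script&gt;alert(1)&lt;/script&gt;` rather than executable markup. The same `prepare`/`bindValue`/`execute` sequence works against MySQL with `new PDO('mysql:host=...;dbname=...', $user, $pass)`; mysqli offers the equivalent via `mysqli_prepare` and `bind_param`.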