1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

use if else for checking if value in db table column

Discussion in 'PHP' started by Ian Haney, Mar 28, 2020.

  1. #1
    Quick question, can I use php if and else to display alternate text for example say if there is a filename in the db table column then display the filename but if not a filename in the db table column and it's empty then not to display anything

    Is the following code the right way to do it or should it be different?


    <?php if (!empty($row->file_name))
    echo "<br><br>";
    echo html_entity_decode($row->file_name)
    ?>
    PHP:
    Just found a issue with my query, I noticed that the filename is being displayed on the original message when a reply is added with a file upload if that makes sense. I think it because my query is linking the ticket_id on support_tickets to the ticket_id on the support_tickets_files so it's doing it's job and displaying the filename but need it to display the filename just for that specific message if that makes sense

    Below is the query I have


    SELECT support_tickets.ticket_id, support_tickets.ticket_subject, support_tickets.ticket_message, support_tickets.ticket_status, DATE_FORMAT(support_tickets.created_at,'%d/%m/%Y \at\ %H:%i:%s') AS created_at, DATE_FORMAT(support_tickets.ticket_timestamp,'%d/%m/%Y %H:%i:%s') AS ticket_timestamp, support_ticket_files.file_name, support_tickets.user_name
    FROM
    support_tickets LEFT JOIN support_ticket_files
    ON support_tickets.ticket_id=support_ticket_files.ticket_id
    WHERE
    support_tickets.ticket_id = ".$_GET['ticket_id']." AND
    support_tickets.user_name = '".$_SESSION["user_name"]."'
    PHP:
    Sorry thought I had won with that issue
     
    Last edited: Mar 28, 2020
    Ian Haney, Mar 28, 2020 IP
  2. SpacePhoenix

    SpacePhoenix Well-Known Member

    Messages:
    196
    Likes Received:
    28
    Best Answers:
    2
    Trophy Points:
    155
    #2
    You have a much bigger issue, a vulnerability to SQL Injection attacks from just plugging in user submitted data ( the $_GET['ticket_id'] ) into the query without the use of prepared statements or any attempt to sanitize the value. NEVER trust any user submitted data, no matter how well you trust the user!!!!!
     
    SpacePhoenix, Mar 28, 2020 IP
  3. Ian Haney

    Ian Haney Banned

    Messages:
    131
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    78
    #3
    @SpacePhoenix would the following code be better then?


    $username = $_SESSION['user_name'];
    $ticket_id =$_GET['ticket_id'];
    
    SELECT support_tickets.ticket_id, support_tickets.ticket_subject, support_tickets.ticket_message, support_tickets.ticket_status, DATE_FORMAT(support_tickets.created_at,'%d/%m/%Y \at\ %H:%i:%s') AS created_at, DATE_FORMAT(support_tickets.ticket_timestamp,'%d/%m/%Y %H:%i:%s') AS ticket_timestamp, support_ticket_files.file_name, support_tickets.user_name
    FROM
    support_tickets LEFT JOIN support_ticket_files
    ON support_tickets.ticket_id=support_ticket_files.ticket_id
    WHERE
    support_tickets.ticket_id = ? AND
    support_tickets.user_name = ?
    
    $stmt->bind_param("is", $ticket_id, $username);
    $stmt->execute();
    $result = $stmt->get_result();
    if($result->num_rows === 0) exit('No rows');
    $row = $result->fetch_assoc();
    PHP:
     
    Ian Haney, Mar 28, 2020 IP
  4. sarahk

    sarahk iTamer Staff

    Messages:
    28,494
    Likes Received:
    4,457
    Best Answers:
    123
    Trophy Points:
    665
    #4
    @Ian Haney use https://www.php.net/manual/en/function.filter-input.php to sanitise your inputs
    with $ticket_id you can be lazy and at least put an intval around it but do it properly.

    if you need an if in your code you can use a case statement. Here's one I've got in code I'm working on at the moment

           $relevance[] = "(CASE WHEN REPLACE(Individuals.phone,' ','') = '{$testphone}' OR CONCAT(Individuals.phonesuffix, REPLACE(Individuals.phone,' ','')) = '{$testphone}' THEN 1 ELSE 0 END)";
                    $relevance[] = "(CASE WHEN REPLACE(Individuals.mobile,' ','') = '{$testphone}' OR CONCAT(Individuals.mobilesuffix, REPLACE(Individuals.mobile,' ','')) = '{$testphone}' THEN 1 ELSE 0 END)";
    
    Code (markup):
     
    sarahk, Mar 28, 2020 IP
  5. Ian Haney

    Ian Haney Banned

    Messages:
    131
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    78
    #5
    Sorry this is going over my head now

    I done the following

    $username = $_SESSION['user_name'];
    $ticket_id = filter_input(INPUT_GET, 'ticket_id', FILTER_SANITIZE_STRING);
    PHP:
    I think I am going to need to hire someone to do this for me to make it secure and work properly as I can't do this
     
    Ian Haney, Mar 28, 2020 IP
  6. sarahk

    sarahk iTamer Staff

    Messages:
    28,494
    Likes Received:
    4,457
    Best Answers:
    123
    Trophy Points:
    665
    #6
    Baby steps, you'll get there!
     
    sarahk, Mar 28, 2020 IP
  7. Ian Haney

    Ian Haney Banned

    Messages:
    131
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    78
    #7
    Will take me to long of a time I think as getting really lost with what I need to do with it now and is not good having the code being unsecure and can't work out some of the prepared statement code, I tried it but the ticket message did not show and not really got a clue how to do it using prepared statements
     
    Ian Haney, Mar 28, 2020 IP
  8. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #8
    This:

    Is pretty much gibberish, you're mixing and matching three different ways of accessing a database -- mysql_, mysqli, and PDO. Which are you actually using?
     
    deathshadow, Apr 1, 2020 IP
  9. Efetobor Agbontaen

    Efetobor Agbontaen Active Member

    Messages:
    136
    Likes Received:
    41
    Best Answers:
    5
    Trophy Points:
    85
    #9
    I might not be reading it correctly but your code should have an else section like this:
    <?php
    if (!empty($row->file_name))
    echo "<br><br>";
    else
    echo html_entity_decode($row->file_name)
    ?>
    PHP:
    Then you can fix the security bugs afterwards
     
    Efetobor Agbontaen, Jul 8, 2020 IP