Help replacing hard coded values in SQL statements

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
johnnyutah1980
Forum Newbie
Posts: 1
Joined: Mon Jan 30, 2012 11:13 am

Help replacing hard coded values in SQL statements

Post by johnnyutah1980 »

Hi all,

I have created a successful registration and login page for what will eventually be a squash league website.

I am struggling with the following issue.

When a player logs in using their email address and password I want to populate some drop down boxes which are relevant to the person who has just logged in.

These drop downs should show all the leagues the logged in user belongs to and the other drop down should show all the players the currently logged in player has ever played against so that they could view a head to head.

So my code works but currently I have the id of the player who has logged in hard coded in my sql statements.

I'm wondering if anyone can help me so that I can pass in the id of the player who is logged in as obviously the whole site is not going to work with hard coded values.

The code is as follows:

Code: Select all

<?php

include_once $_SERVER['DOCUMENT_ROOT'] . '/includes/magicquotes.inc.php';

require_once $_SERVER['DOCUMENT_ROOT'] . '/includes/access.inc.php';

if (!userIsLoggedIn())
{
 include 'login.html.php';
 exit();
}

if (!userHasRole('Squash Administrator'))
{
 $error = 'This page is only for Squash Administrators.';
 include 'accessdenied.html.php';
 exit();
}

if(isset($_REQUEST['email']))
{
 include $_SERVER['DOCUMENT_ROOT'] . '/includes/db.inc.php';
 
 $email = mysqli_real_escape_string($link, $_REQUEST['email']);
 $sql = "SELECT id, firstname, lastname, email FROM player WHERE email = '$email'";
 $result = mysqli_query($link, $sql);
 if(!$result)
 {
  $error = 'Unable to select players firstname from the database.' . mysqli_error($link);
  include 'error.html.php';
  exit();
 }
 
 while($row = mysqli_fetch_array($result))
 {
  $players[] = array('id' => $row['id'], 'firstname' => $row['firstname'], 'lastname' => $row['lastname'], 'email' => $row['email']);
 }

 //
 //POPULATE THE OPPONENTS DROP DOWN BOX TO SHOW ALL PREVIOUS OPPONENTS
 //

 $sqlid = "SELECT id FROM player WHERE email = '$email'";
 $playerid = mysqli_query($link, $sqlid);
 $sql = "SELECT DISTINCT player.firstname, game.player2_id AS opponent_id
 
				FROM player INNER JOIN game
                
                ON player.id = game.player2_id
		
				WHERE player1_id = '$row['id']'
		
				UNION
		
				SELECT DISTINCT player.firstname, game.player1_id AS opponent_id
		
				FROM player INNER JOIN game
                
                ON player.id = game.player1_id
		
				WHERE player2_id = '$row['id']'";
				
 $result = mysqli_query($link, $sql);
 if(!$result)
 {
  $error = 'Unable to populate the players dropdown from the database.' . mysqli_error($link);
  include 'error.html.php';
  exit();
 }
 
 while($row = mysqli_fetch_array($result))
 {
  $opponents[] = array('id' => $row['opponent_id'], 'firstname' => $row['firstname']);
 }

include 'squash.html.php';

}

?>
Thanks for your time and help in advance.
User avatar
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Help replacing hard coded values in SQL statements

Post by Celauran »

I'm not seeing anything hard-coded in the code you posted. I do see a needless query, though; $sqlid fetches information you already got when you processed the login.
Post Reply