displaying specific records of a uses

Question

guys please check my codes in displaying record..

<?php

include("db.php"); 
$username=$_POST['username']; 
$email=$_POST['email'];

$query="SELECT * FROM members where username = '$username'";

$result=mysql_query($query); 
$num=mysql_numrows($result);

mysql_close();


?> <br /> <p></p>

Welcome back! Your details below: <br /><br /> 

<table border="1" cellspacing="2" cellpadding="5"> 
<tr> 
 <th>First Name</th> 
 <th>Last Name</th>
 <th>User Name</th>
 <th>Email</th> 
 <th>Age</th> 
</tr>

<?

$i = 0;

while ($i < $num) {

$firstname=mysql_result($result, $i, 'firstname'); 
$lastname=mysql_result($result, $i, 'lastname'); 
$username=mysql_result($result, $i, 'username'); 
$email=mysql_result($result, $i, 'email'); 
$age= mysql_result($result, $i, 'age');

?>

 <tr> 
   <td><? echo $firstname ?></td> 
   <td><? echo $lastname ?></td>
   <td><? echo $username ?></td>
   <td><? echo $email ?></td>
   <td><? echo $age ?></td>
 </tr>

<?

$i++;

}

echo "</table>"; ?>

is it correct?

:-(

Answer 1

Your code is not correct.

phpcs test.php 

FILE: /tmp/test.php
--------------------------------------------------------------------------------
FOUND 4 ERROR(S) AND 1 WARNING(S) AFFECTING 4 LINE(S)
--------------------------------------------------------------------------------
  2 | ERROR   | Missing file doc comment
  3 | ERROR   | "include" is a statement, not a function; no parentheses are
    |         | required
  3 | ERROR   | File is being unconditionally included; use "require" instead
 25 | ERROR   | Short PHP opening tag used. Found "<?" Expected "<?php".
 29 | WARNING | Inline control structures are discouraged
--------------------------------------------------------------------------------

Answer 2

There's nothing fatally wrong with your code but there's a few very basic alterations i would make:

<?php

include "db.php"; 
$username=$_POST['username']; 
$email=$_POST['email'];

// added mysql_real_escape_string to prevent sql injection
$query="SELECT * FROM `members` where `username` = '".mysql_real_escape_string($username)."'";

// added an or die clause to check for SQL errors
$result=mysql_query($query)or die(mysql_error());

// use of mysql_fetch_assoc to put user data into associative array
$user = mysql_fetch_assoc($result);
mysql_close();
?> <br /> <p></p>

Welcome back! Your details below: <br /><br /> 

<table border="1" cellspacing="2" cellpadding="5"> 
<tr> 
 <th>First Name</th> 
 <th>Last Name</th>
 <th>User Name</th>
 <th>Email</th> 
 <th>Age</th> 
</tr>

<?php
// removed unnecessary loop as i'd assume the username will only be in the database once
$firstname= $user['firstname']; 
$lastname= $user['lastname']; 
$username= $user['username']; 
$email= $user['email']; 
$age= $user['age']; 
?>

 <tr> 
   <td><? echo $firstname ?></td> 
   <td><? echo $lastname ?></td>
   <td><? echo $username ?></td>
   <td><? echo $email ?></td>
   <td><? echo $age ?></td>
 </tr>
</table>

Answer 3

$username=$_POST['username']; $email=$_POST['email'];

$query="SELECT * FROM members where username = '$username'";

Search stackoverflow for "sql injections" and maybe also for "prepared statements".

<td><? echo $firstname ?></td> 

The same way your sql statement is prone to sql injections this line might be the cause for injections into your html code. Use <td><?php echo htmlspecialchars($firstname); ?></td> instead.

---

$email=$_POST['email'];

Why is that in there? You don't use $email again until $email=mysql_result($result, $i, 'email');. My guess is your original query tested for both the username and the email address?

$i = 0;
while ($i < $num) {
   mysql_result($result, $i,
   i++
   ...

How many members with the same username can there be in your database table? More than one? If not, why do you use the while loop?

$firstname=mysql_result($result, $i, 'firstname'); 
$lastname=mysql_result($result, $i, 'lastname'); 
$username=mysql_result($result, $i, 'username'); 
$email=mysql_result($result, $i, 'email'); 
$age= mysql_result($result, $i, 'age');

Instead of five calls to mysql_result() one call to mysql_fetch_array() would suffice. Speed is probably not an issue here but again it adds a tiny bit of complexity that seems unnecessary to me and when you use mysql_fetch_xyz() you only have one variable (an array or an object) to worry about instead of #columns variables