
So I've been working on this website a long time, but the problem is most of it is MYSQL, which of course isn't very secure, so now I'm trying to update all the PHP to PDO. So far I've only managed to get the connect.php working (in the first code below). My main issue is within the 2nd code below: on my reviews page I'm having a hard time fetching ALL the reviews from the database including (cid, uid, username, date, message & rating) and then ORDER BY DESC. I have used multiple guides but they all seem to show a different way of doing it...

<?php

$host = 'localhost';
$dbuser = 'B99';
$dbpwd = 'testpass';
$dbname = 'admin';

//set DSN//
$dsn = 'mysql:host=' . $host .';dbname=' . $dbname;

//Create PDO instance//
//Attempt MySQL server connection.//
$pdo = new PDO($dsn, $dbuser, $dbpwd);
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

and the FetchAll code here:

<?php 

include("/var/www/vhosts/myweb.co.uk/httpdocs/PHP/connect.php");

$sql = $pdo->query("SELECT * FROM `reviews` ORDER BY `cid` DESC");
$stmt = $pdo->prepare($sql);
$stmt->execute(['cid']);

$reviews = $stmt->fetchAll();
foreach ($reviews as $fetch) {

?>

<div class="eachreview" style="background-color:royalblue;">
<?php echo $fetch['rating']; ?>
<?php echo $fetch['uid']; ?>
<?php echo $fetch['message']; ?>
<?php echo date("d/m/Y" ,strtotime($fetch['date'])); ?>
</div>

<?php
} 
?>

UPDATED CODE: Kinda working, but displaying 1/1/1970 and no other data

<?php  
include("/var/www/vhosts/myweb.co.uk/httpdocs/PHP/connect.php");

$stmt = $dbh->prepare("SELECT * FROM `reviews` WHERE cid = :cid");
$stmt->execute(array(':cid' => "cid"));

$fetch = $stmt->fetchAll();
{
?>

THIS CODE BELOW WORKS! :)

<?php  
include("/var/www/vhosts/my-web.co.uk/httpdocs/PHP/connect.php");

$stmt = "SELECT * FROM `reviews`";
$result = $dbh->query($stmt);
foreach ($result as $fetch) {
?>

<?php echo $fetch['message']; ?>

<?php } ?>
Bboi1999
  • Your query does not require any parameter, yet you pass a parameter to it. Either do not pass any parameter to the query or re-write the query so that it actually needs one, like `where cid=:cid` – Shadow Jul 20 '21 at 11:45
  • If you are using fetch mode `PDO::FETCH_OBJ`, then you access fields using `$fetch->rating` instead of `$fetch['rating']`. Know why you are doing something before you do it. And what is insecure about MySQL? Do you mean MySQLi? – Booboo Jul 20 '21 at 11:48
  • Okay thanks shadow I'll try this. Booboo I have asked a fair few questions on here and almost every single person says "MYSQL is deprecated and can easily be injected" etc, so how is MYSQL not insecure? From what I've heard MYSQLi is more secure than MYSQL. – Bboi1999 Jul 20 '21 at 12:28
  • I just saw your comment. You need to precede my name with *@* as in *@Booboo* in your comment in order for me to get a notification that you have posted a new comment. Anyway, when you say "MySQLi is more secure than MYSQL", I just now realized that you were referring to functions like `mysql_create`, which have been deprecated. The database product is MySQL, the interfaces are MySQLi (with functions such as `mysqli_connect` or methods `mysqli::__construct()`), mysql, and PDO. Be aware of how you capitalize things; I am easily confused. :-) – Booboo Jul 24 '21 at 10:50
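Pulling together the question's fetchAll code and Shadow's point about parameters, here is an added example (not the poster's code) of the two PDO shapes involved: a prepared SELECT with ORDER BY DESC and no bound values, and a SELECT with a `:cid` placeholder that does take one. It assumes an in-memory SQLite database with constructed rows so it runs stand-alone, and the function names `fetchAllReviews`, `fetchReview` and `formatDate` are hypothetical.

```php
<?php
// Added example, not the poster's code: a PDO fetch of all reviews ORDER BY DESC and a
// fetch by bound :cid. It uses an in-memory SQLite database so it runs stand-alone; for
// the poster's MySQL setup use the 'mysql:host=...;dbname=...' DSN with credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);      // failures throw
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC); // rows as $row['col']

// Constructed sample data standing in for the poster's `reviews` table.
$pdo->exec("CREATE TABLE reviews (cid INTEGER PRIMARY KEY, uid INTEGER, username TEXT,
            date TEXT, message TEXT, rating INTEGER)");
$ins = $pdo->prepare("INSERT INTO reviews (uid, username, date, message, rating)
                      VALUES (:uid, :username, :date, :message, :rating)");
$ins->execute([':uid' => 7, ':username' => 'alice', ':date' => '2021-07-19 09:30:00',
               ':message' => 'Great <b>service</b>', ':rating' => 5]);
$ins->execute([':uid' => 9, ':username' => 'bob', ':date' => null,
               ':message' => 'Okay', ':rating' => 3]);

// All reviews, highest cid first. The SQL has no placeholder, so execute() gets no array.
function fetchAllReviews(PDO $pdo): array {
    $stmt = $pdo->prepare("SELECT cid, uid, username, date, message, rating
                           FROM reviews ORDER BY cid DESC");
    $stmt->execute();
    return $stmt->fetchAll();
}

// One review by id: the :cid placeholder is what makes a bound value necessary.
function fetchReview(PDO $pdo, int $cid): ?array {
    $stmt = $pdo->prepare("SELECT cid, uid, username, date, message, rating
                           FROM reviews WHERE cid = :cid");
    $stmt->execute([':cid' => $cid]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// strtotime() returns false for NULL or a non-date string, and date('d/m/Y', false)
// prints 01/01/1970; check for that instead of showing the epoch.
function formatDate(?string $raw): string {
    $ts = $raw === null ? false : strtotime($raw);
    return $ts === false ? 'date unknown' : date('d/m/Y', $ts);
}

foreach (fetchAllReviews($pdo) as $fetch) {
    // Escape user-supplied text before echoing it into HTML.
    printf('<div class="eachreview">%d %s %s %s</div>' . PHP_EOL, $fetch['rating'],
        htmlspecialchars($fetch['username'], ENT_QUOTES),
        htmlspecialchars($fetch['message'], ENT_QUOTES), formatDate($fetch['date']));
}
var_dump(fetchReview($pdo, 99) === null); // unknown cid -> null, so no undefined-index notices
```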

0 Answers