header page modification #11
Conversation
There was a problem hiding this comment.
-
Prepared statements with parameter binding: The code now uses prepared statements to prevent SQL injection attacks. It prepares the SQL query with placeholders and binds the parameters using
mysqli_stmt_bind_param(). -
Simplified SQL query: The code avoids unnecessary concatenation in the SQL query by using placeholders instead. This improves readability and reduces the risk of SQL injection.
-
Executing prepared statements: The prepared statement is executed using
mysqli_stmt_execute(), which runs the query with the bound parameters. -
Closing the prepared statement: After executing the prepared statement,
mysqli_stmt_close()is used to close the statement and free up resources. -
Combined similar queries: The code combines two similar queries into a single query using conditional logic. It checks the number of rows returned by the query and provides appropriate feedback based on the results.
-
Optimized variable usage: Unnecessary string concatenation and assignment for the
$MESSAGEvariable have been removed. The message is assigned directly based on the condition. -
Additional check for no results: A condition is added to reset the
$CATEGORY_SELECTEDvariable when no results are found. This ensures that the variable reflects the correct state.
| if (isset($_POST['addreview'])) { | ||
| if (!isset($_POST['productid']) || !isset($_POST['review'])) { | ||
| $MESSAGE_REVIEW = "Unable to Place Review!"; | ||
| } else { | ||
| $PRODUCT_ID = $_POST['productid']; | ||
| $USERNAME = $_SESSION['username']; | ||
| $PRODUCT_REVIEW = $_POST['review']; | ||
|
|
||
| $insert_review = "INSERT INTO `tblproductreviews`(`ProductID`, `Username`, `Review`) VALUES (?, ?, ?)"; | ||
| $stmt = mysqli_prepare($con, $insert_review); | ||
| mysqli_stmt_bind_param($stmt, 'iss', $PRODUCT_ID, $USERNAME, $PRODUCT_REVIEW); | ||
|
|
||
| if (mysqli_stmt_execute($stmt)) { | ||
| $MESSAGE_REVIEW = "Thank you for your review!"; | ||
| header('location: #.php'); | ||
| } else { | ||
| $MESSAGE_REVIEW = "Unable to Place Review!"; | ||
| header('location: #.php'); | ||
| } | ||
|
|
||
| mysqli_stmt_close($stmt); | ||
| } | ||
| } |
There was a problem hiding this comment.
Use prepared statements with parameter binding to prevent SQL injection.Removed unnecessary concatenation in the SQL query and used placeholders instead.Used mysqli_stmt_execute() to execute the prepared statement. Closed the prepared statement using mysqli_stmt_close()
| if (isset($_POST['search'])) { | ||
| $BIKE_TYPE = $_SESSION['bikeselected']; | ||
| $SEARCHED_VALUE = $_POST['searchproduct']; | ||
|
|
||
| $search_query = "SELECT * FROM `tblproducts` WHERE CONCAT(`ProductName`) LIKE '%" . $SEARCHED_VALUE . "%'"; | ||
| if ($BIKE_TYPE !== '') { | ||
| $search_query .= " AND ProductBikeType = '" . $BIKE_TYPE . "'"; | ||
| } | ||
|
|
||
| $result_products = mysqli_query($con, $search_query); | ||
| $ROWS = mysqli_num_rows($result_products); | ||
|
|
||
| if ($ROWS > 0) { | ||
| $MESSAGE = "We have found ('" . $ROWS . "') that matches:'" . $SEARCHED_VALUE . "' "; | ||
| $CATEGORY_SELECTED = '5'; | ||
| } else { | ||
| $MESSAGE = "No matching products found."; | ||
| $CATEGORY_SELECTED = ''; // Reset the category selection if no results found | ||
| } | ||
| } |
There was a problem hiding this comment.
Combined the two similar queries into a single query using conditional logic.Removed unnecessary string concatenation and assignment for the $MESSAGE variable.Added an additional check for the number of rows to provide appropriate feedback.Added a condition to reset the $CATEGORY_SELECTED variable when no results are found.
| } //$USER['EmailAddress'] = $E_MAIL | ||
| } //$USER | ||
| // if fields are filled | ||
| else if (!empty($USERNAME) || !empty($FIRST_NAME) || !empty($LAST_NAME) || !empty($E_MAIL) || !empty($PHONE_NUMBER) || !empty($PASSWORD) || !empty($RE_TYPE_PASSWORD)) { |
No description provided.