
I have sample code for a "show more" button and I want to change it into a "show older" messages button on a message page, placed at the top of the messages. The sample code is used to display previous posts: a.php:

<div  id="comnts"></div>
<button id="btn" >load more</button>
<script>
$(document).ready(function() {
  var comco = 5;
  var offset = 0;
  $("#btn").click(function() {
    $.ajax({
        method: "POST",
        url: "b.php",
        data: { comnco: comco, offset: offset }
      })
      .done(function(msg) {
        $("#comnts").append(msg);
      });
    offset = offset + comco;
  });

  $("button").trigger("click");
});
</script>

b.php:

$comnco=$_POST['comnco'];
$offset=$_POST['offset'];

$rzp=mysqli_query($conn,"
SELECT * FROM `tbl_users_posts` WHERE uid in (SELECT frname FROM t_frnd WHERE uname='$uid') UNION 
SELECT * FROM `tbl_users_posts` WHERE uid='$uid' ORDER BY id DESC limit $offset, $comnco");

I am not a professional programmer and I created this code with help. I tried to change the MySQL code. This code shows what I want but does not work properly:

$rzp=mysqli_query($conn,"SELECT * FROM t_msg WHERE
 id >   ((SELECT MAX(id) FROM t_msg) - '$comnco') 
    AND ( (for_u=1 AND u_sender=2) 
    OR  (for_u=2 AND u_sender=1) )");

Sample code for doing this with a button or on scroll also helps me. Thanks.

  • Not an answer to your question, but your code is SQL injectable. For more details, look here: https://stackoverflow.com/questions/601300/what-is-sql-injection – Manuel Mannhardt Apr 10 '19 at 07:07
  • Use PDO instead – Deepak A Apr 10 '19 at 07:08
  • Please post your table schema and HTML code – Deepak A Apr 10 '19 at 07:09
  • @Deepak you want all the code to use for yourself? – 11111111111111111 Apr 10 '19 at 07:22
  • @behzad the above code is not completely addressing your problem – Deepak A Apr 10 '19 at 07:25
  • @Manuel Mannhardt SQL injectable works something like instead of ajax? – 11111111111111111 Apr 10 '19 at 07:26
  • SQL injection is a vulnerability in your code, which lets users execute SQL statements, because you did not validate/escape your user input. Therefore the attacker can delete your tables, modify them or read all of your data. – Manuel Mannhardt Apr 10 '19 at 07:28
  • @Deepak my problem is in the MySQL code and maybe jQuery. Why do you need HTML for that? – 11111111111111111 Apr 10 '19 at 07:30
  • What do $offset, $comnco represent? – sonny Apr 10 '19 at 07:36
  • @Manuel Mannhardt thanks, this is helpful. I'm trying to learn about SQL injection; can you show me a simple example of the code to see what to learn, or simple training for it? I can't find it – 11111111111111111 Apr 10 '19 at 07:36
  • @PSone https://www.w3schools.com/php/php_mysql_select_limit.asp – 11111111111111111 Apr 10 '19 at 07:38
  • Why don't you just use ASC instead of DESC in your SQL statement to retrieve the messages in reverse chronological order? (I am assuming "show more" = showing latest messages first) – sonny Apr 10 '19 at 07:41
  • @Manuel Mannhardt "Is using an SQL injection on someone else's website considered illegal?" https://www.quora.com/Is-using-an-SQL-injection-on-someone-elses-website-considered-illegal – 11111111111111111 Apr 10 '19 at 07:43
  • @PSone because I need to show for example 100-99-...-95, then show 94-...-90 and so on. That way doesn't do that – 11111111111111111 Apr 10 '19 at 07:46
  • Sure it's illegal, if you corrupt someone's website and/or steal data from them. – Manuel Mannhardt Apr 10 '19 at 08:10
  • What I said was, that YOUR code is vulnerable to it, not that you should attack someone. Just because it is illegal won't stop someone from doing it. – Manuel Mannhardt Apr 10 '19 at 08:11
  • @Manuel Mannhardt I read some about that, and you mean if I use SQL injectable for my site nobody can attack my database? If I use names for tables and rows like this: kj4dd8fk4nkd... can it help, or does the attacker not need to guess my table and row names? – 11111111111111111 Apr 10 '19 at 08:19
  • He does not need to know your table names, you can extract them from the schema db. All you need to do, to prevent this kind of attack, is escape/validate your user input. You should use PDO for database actions. It has prepared statements, which do all those things for you. Don't forget to use real prepared statements, not emulated ones (google helps with this). – Manuel Mannhardt Apr 10 '19 at 08:26

0 Answers