PHP echo all data from database based on input

Question

I want to find out how to output data from database based on a single key,for example my database column are :

kodeDosen(PrimaryKey),namaDosen,email,telepon,password

and my login screen the user can only input kodeDosen and password,and i want to show the other data exept password,this is my register php:

<?php 
    include 'connectdb.php';

    $data = json_decode(file_get_contents('php://input'), true);

    $kodeDosen =$data["kodeDosen"];
    $namaDosen  = $data["namaDosen"];
    $email = $data["email"];
    $telepon = $data["telepon"];
    $password= $data["password"];

    $message = array("message"=>"Success");
    $failure = array("message"=>"Failure,kodeDosen already used");

    $sql = "INSERT INTO tbl_dosen (kodeDosen, namaDosen, email, telepon, password) VALUES ('$kodeDosen', '$namaDosen', '$email', '$telepon','$password')";



    if (mysqli_query($conn, $sql)) {
        echo json_encode($message);
    } else {
        echo json_encode($failure) ;
    }

?>

and this is my login php:

    <?php 
    include 'connectdb.php';

    $data = json_decode(file_get_contents('php://input'), true);

    $kodeDosen =$data["kodeDosen"];
    $password = $data["password"];

    $message = array("message"=>"Data found");
    $failure = array("mesage"=>"Data not found");

    if ($stmt = mysqli_prepare($conn, "SELECT kodeDosen, namaDosen, email, telepon FROM tbl_dosen WHERE kodeDosen =? and password = ?")) {

       /* bind parameters for markers */
       mysqli_stmt_bind_param($stmt, "ss", $kodeDosen,$password);

       /* execute query */
       mysqli_stmt_execute($stmt);

       /* store result */
       mysqli_stmt_store_result($stmt);

       if(mysqli_stmt_num_rows($stmt) > 0) {
          echo json_encode($row);
       }else {
          echo json_encode($failure);
       }

    }

?>

Answer 1

It's not a good idea to insert a variable directly into an SQL query because of SQL injection.

I would suggest to use prepared statements on both of the queries. To pull the result from the db with prepared statements it's something like:

OOP style:

$stmt = $db->prepare("SELECT kodeDosen, namaDosen, email, telepon FROM tbl_dosen WHERE kodeDosen = ? and password = ?");
$stmt->bind_param('ss', $kodeDosen, $password);
$stmt->execute();

$result = $stmt->get_result();

while ($row = $result->fetch_assoc()) {
        //result is in row
        var_dump($row);
}

Procedural style:

$stmt = mysqli_prepare($conn, "SELECT kodeDosen, namaDosen, email, telepon FROM tbl_dosen WHERE kodeDosen = ? and password = ?");
mysqli_stmt_bind_param($stmt, 'ss', $kodeDosen, $password);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);

while ($row = $result->fetch_assoc()) {
        //result is in row
        var_dump($row);
}

Answer 2

You can change in sql SELECT statement in login.php

$sql = "SELECT kodeDosen, namaDosen, email, telepon FROM tbl_dosen WHERE kodeDosen ='$kodeDosen' and password = '$password'";

in SELECT * means return all columns.

Answer 3

I think you want echo json_encode($row); rather than echo json_encode($message);

Try:

<?php 
    include 'connectdb.php';

    $data = json_decode(file_get_contents('php://input'), true);

    $kodeDosen =$data["kodeDosen"];
    $password = $data["password"];

    $message = array("message"=>"Data found");
    $failure = array("mesage"=>"Data not found");

    if ($stmt = mysqli_prepare($conn, "SELECT kodeDosen, namaDosen, email, telepon FROM tbl_dosen WHERE kodeDosen =? and password = ?")) {

       /* bind parameters for markers */
       mysqli_stmt_bind_param($stmt, "ss", $kodeDosen,$password);

       /* execute query */
       mysqli_stmt_execute($stmt);

       /* store result */
       $result = mysqli_stmt_get_result($stmt);
       $row = mysqli_fetch_assoc( $result );

       if(mysqli_num_rows($result) > 0) {
          echo json_encode($row);
       }else {
          echo json_encode($failure);
       }

    }

?>