So I am working on converting an old tutorial I did a while back from MySQL to PDO. This way I can better understand the concepts. I seem to have run into a wall, however. The following function is giving me an error:
function user_data($user_id, $db) {
    $data = array();
    $user_id = (int)$user_id;
    $func_num_args = func_num_args();
    $func_get_args = func_get_args();
    if($func_num_args > 1) {
        unset($func_get_args[0]);
        $fields = '`' . implode('`, `', $func_get_args) . '`'; // !! LINE 12
        try {
            $sql = sprintf('SELECT %s FROM members WHERE id = ?', $fields);
            $stmt = $db->prepare($sql);
            $stmt->execute(array($user_id));
            $data = $stmt->fetch(PDO::FETCH_ASSOC);
            return $data;
        } catch(PDOException $e) {
            die($e->getMessage());
        }
    }
}
This is where I am calling the function:
<?php
session_start();
require 'database/connect_db.php';
require 'functions/users.php';
if (signedIn() === true) {
    $session_id = $_SESSION['id'];
    $user_data = user_data($session_id, $db, 'email', 'password', 'role', 'name', 'company', 'title', 'phone', 'address', 'city', 'zip', 'state', 'ext', 'pic');
    echo $user_data['name'];
}
?>
This is my error:
Catchable fatal error: Object of class PDO could not be converted to string in C:\xampp\htdocs\core\functions\users.php on line 12
So, more specifically, this line, as commented on in the function above:
$fields = '`' . implode('`, `', $func_get_args) . '`';
I don't see why this line is causing this error. I also have no idea how to fix it. Any help is appreciated.
Answer
func_get_args() returns all the arguments of the function. You unset() the 0th element, but you have two elements you need to remove from the start of the args. I show an example below of using array_slice() to start with element 2.
Also, your function has a glaring SQL injection vulnerability, interpolating the list of column names directly into your SQL select-list. You should allowlist the input against a list of all the columns of your users table, to make sure the input doesn’t contain something you don’t expect.
function user_data($user_id, PDO $db) {
    // Hardcoded list of the columns in the users table; use this as an allowlist.
    $all_users_columns = array('first_name', 'last_name', 'email', /* etc. */);
    // Skip the first two arguments ($user_id and $db), then keep only known columns.
    $columns = array_intersect(array_slice(func_get_args(), 2),
                               $all_users_columns);
    if($columns) {
        // Only allowlisted names reach the SQL text, so quoting them here is safe.
        $column_list = implode(",",
            array_map(function($col) { return "`$col`"; }, $columns));
        try {
            $sql = sprintf('select %s from users where user_id = ?', $column_list);
            $stmt = $db->prepare($sql);
            $stmt->execute(array((int)$user_id)); // the id is a bound parameter, not interpolated
            $data = $stmt->fetch(PDO::FETCH_ASSOC);
            return $data;
        } catch(PDOException $e) {
            die($e->getMessage());
        }
    }
}
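An added example, not code from the question or the answer above, that applies the same allowlist idea with a variadic signature instead of func_get_args(), an in-memory SQLite database so it runs stand-alone, and an exception on any unknown column rather than silently dropping it; the members table layout and sample row are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the answer above.
// Same allowlist idea, but with a variadic signature instead of
// func_get_args(), an in-memory SQLite database so it runs stand-alone,
// and an exception for any unknown column instead of silently dropping it.
declare(strict_types=1);

// Allowlist of selectable columns in the (constructed) members table.
const MEMBER_COLUMNS = ['id', 'email', 'role', 'name', 'company', 'title'];

function user_data(PDO $db, int $user_id, string ...$fields): ?array {
    // Identifiers cannot be bound as parameters, so the allowlist is the only
    // control between caller-supplied names and the SQL text. array_diff()
    // reports anything not in the list: a typo or a crafted fragment alike.
    $unknown = array_diff($fields, MEMBER_COLUMNS);
    if ($fields === [] || $unknown !== []) {
        throw new InvalidArgumentException(
            'Unknown or missing column(s): ' . implode(', ', $unknown));
    }
    // Quote each identifier only after it has passed the allowlist.
    $column_list = implode(', ', array_map(fn($c) => "`$c`", $fields));
    $stmt = $db->prepare("SELECT $column_list FROM members WHERE id = ?");
    $stmt->execute([$user_id]);          // the id is a bound parameter
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT,
           role TEXT, name TEXT, company TEXT, title TEXT)');
$db->exec("INSERT INTO members VALUES
           (1, 'ann@example.com', 'admin', 'Ann', 'Example Co', 'CTO')");

// Normal use returns exactly the requested columns.
$row = user_data($db, 1, 'email', 'name');
echo ($row === ['email' => 'ann@example.com', 'name' => 'Ann'])
    ? "Selected only the requested columns\n"
    : "Unexpected row shape\n";

// A name that is not in the allowlist (here a typo) fails loudly instead of
// being dropped, so the caller cannot end up querying something unexpected.
try {
    user_data($db, 1, 'nmae');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```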