Dorian Waite - 2 years ago
PHP Question

My PHP code not running properly?

I'm having some issues here. I'm trying to make a query to get data from a website database; however, the query returns no rows even though I know that they exist. The vars are the username and hash code of each user, in this case my test user, which is 'PixelKnight1398' and '1398'. The cookies are saved as such. When I try to run the MySQL code in phpMyAdmin it works perfectly fine, but in this sense it doesn't work. I'm not sure what's going wrong, if it's a syntax error or I am just stupid. Any help would be appreciated, thanks in advance.

$uslog = cure($_COOKIE['userloggedin']);
$ushas = cure($_COOKIE['uservalue']);
function cure($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
$query = "SELECT friends FROM `memberHandler` WHERE `username`='$uslog' AND `hash`='$ushas'";
$result = mysqli_query($connect, $query);
if(mysqli_num_rows($result) != 1){
    die("Could not find user match");
}

Answer Source

You need to be more security aware with your query and should be using bound variables with a PDO based query. You also need to have the variables as below - with concatenation and double quotes:

 $query = "SELECT friends FROM `memberHandler` WHERE `username`='" . $uslog . "' AND `hash`='" . $ushas . "'";

and if you are using bound parameters it would be :

$query = "SELECT friends FROM `memberHandler` WHERE `username`=:uslog  AND `hash`= :ushas ";

and then you would bind the bound variables as (note the absence of other portions of code since the OP does not use PDO):

$query->bindValue(":uslog", $uslog, PDO::PARAM_STR);
$query->bindValue(":ushas", $ushas, PDO::PARAM_STR);
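
The bound-parameter query from the answer above, carried through prepare, bind and execute, as an added example that is not part of the original answer. It assumes the pdo_sqlite extension is enabled and uses a constructed in-memory table in place of the MySQL one; `findFriends()` and the sample rows are hypothetical.

```php
<?php
// Added example: constructed in-memory SQLite table standing in for the
// question's MySQL `memberHandler` table (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE memberHandler (username TEXT, hash TEXT, friends TEXT)');

// Constructed sample rows; the first is the test user from the question.
$seed = $pdo->prepare('INSERT INTO memberHandler VALUES (?, ?, ?)');
$seed->execute(['PixelKnight1398', '1398', 'alice,bob']);
$seed->execute(["Tom&Jerry's", 'abcd', 'carol']);

// Hypothetical helper: returns the friends column, or null unless exactly
// one row matches (the same "!= 1" rule the question's code applies).
function findFriends(PDO $pdo, string $user, string $hash): ?string
{
    $stmt = $pdo->prepare(
        'SELECT friends FROM `memberHandler` WHERE `username` = :uslog AND `hash` = :ushas'
    );
    // Placeholder names must match the query exactly, with no padding spaces.
    $stmt->bindValue(':uslog', $user, PDO::PARAM_STR);
    $stmt->bindValue(':ushas', $hash, PDO::PARAM_STR);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return count($rows) === 1 ? $rows[0] : null;
}

// On the real page these values would come from $_COOKIE['userloggedin']
// and $_COOKIE['uservalue'], passed in unmodified.
var_dump(findFriends($pdo, 'PixelKnight1398', '1398'));

// Quotes and ampersands travel as data, so the value needs no escaping.
var_dump(findFriends($pdo, "Tom&Jerry's", 'abcd'));

// htmlspecialchars() is an HTML output encoder; applied before the query it
// rewrites the value ("&" becomes "&amp;") and the lookup stops matching.
var_dump(findFriends($pdo, htmlspecialchars("Tom&Jerry's"), 'abcd'));

// A wrong hash matches no row.
var_dump(findFriends($pdo, 'PixelKnight1398', 'wrong'));
```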