Dorian Waite - 5 months ago 9
PHP Question

My PHP code not running properly?

I'm having some issues here. I'm trying to make a query to get data from a website database, however the query returns no rows even though I know that they exist. The vars $uslog and $ushas are the username and hash code of each user, in this case my test user, which is 'PixelKnight1398' and '1398'. The cookies are saved as such. When I try to run the MySQL code in phpMyAdmin it works perfectly fine, but in this sense it doesn't work. I'm not sure what's going wrong, if it's a syntax error or I am just stupid. Any help would be appreciated; thanks in advance.

<?php
// Clean the two cookie values before they are used in the query.
$uslog = cure($_COOKIE['userloggedin']);
$ushas = cure($_COOKIE['uservalue']);

function cure($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

// The cookie values are interpolated directly into the SQL string.
$query = "SELECT friends FROM `memberHandler` WHERE `username`='$uslog' AND `hash`='$ushas'";
$result = mysqli_query($connect, $query); // $connect: the existing mysqli connection
if (mysqli_num_rows($result) != 1) {
    die("Could not find user match");
}

Answer

You need to be more security aware with your query and should be using bound variables with a PDO based query. You also need to have the variables as below, with concatenation and double quotes:

$query = "SELECT friends FROM `memberHandler` WHERE `username`='" . $uslog . "' AND `hash`='" . $ushas . "'";

and if you are using bound parameters it would be :

$query = "SELECT friends FROM `memberHandler` WHERE `username` = :uslog AND `hash` = :ushas";

and then you would bind the bound variables as follows (note the absence of other portions of code, since the OP does not use PDO):

$stmt = $pdo->prepare($query); // $pdo: a PDO connection (not shown, since the OP uses mysqli)
$stmt->bindValue(":uslog", $uslog, PDO::PARAM_STR);
$stmt->bindValue(":ushas", $ushas, PDO::PARAM_STR);
$stmt->execute();
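As an added example (not from the question or the answer), here is the same lookup done with a mysqli prepared statement, which works with the `$connect` handle the OP already has and needs no switch to PDO. Table, column and cookie names are taken from the question; the `findFriends` function name is my own.

```php
<?php
// Added example: the OP's lookup rewritten with a mysqli prepared statement.
// Assumes $connect is an open mysqli connection, as in the question.

function findFriends(mysqli $connect, string $username, string $hash): ?string
{
    // Placeholders (?) replace the interpolated values, so the cookie contents
    // are sent to MySQL as data and cannot change the structure of the query.
    $sql  = "SELECT friends FROM `memberHandler` WHERE `username` = ? AND `hash` = ?";
    $stmt = mysqli_prepare($connect, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($connect));
    }

    // "ss": both parameters are bound as strings.
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);

    // Exactly one row means the username/hash pair matched.
    if (mysqli_stmt_num_rows($stmt) !== 1) {
        mysqli_stmt_close($stmt);
        return null;
    }

    mysqli_stmt_bind_result($stmt, $friends);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return (string) $friends;
}

// Only trim the cookies here: htmlspecialchars() is for HTML output, not SQL,
// and would change a value (e.g. one containing &) before it is compared.
$uslog = trim($_COOKIE['userloggedin'] ?? '');
$ushas = trim($_COOKIE['uservalue'] ?? '');

$friends = findFriends($connect, $uslog, $ushas);
if ($friends === null) {
    die("Could not find user match");
}
```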