Why does this if statement not work?

[UOT_Ste]

I've had help with this part of my site on here before. I could get it working without errors but it isn't executing the if statements right and isn't doing the most important thing which is to display a password after the user gives a correct answer their question. I've left it the last few days and built other parts of my site, went back to this this morning and still no joy.

PHP Code:

<?php
include('connect.inc');
$band=$HTTP_POST_VARS['band'];

//Gets the band name out of the form

$sql1 = "select band_name from band where band_name='$band'";
$result = mysql_query($sql1); 

if (mysql_num_rows($result) > 0 )
{ 

//Get the passowrd question out of the database    
 
    $sql = " 
        SELECT band.band_ID, user.password_question 
        FROM band INNER JOIN user 
        ON band.band_ID=user.band_ID 
        WHERE band.band_name='$band' 
        "; 
        
    $idresult = mysql_query($sql);
    $select_result = mysql_fetch_array($idresult);
?>    
     <table width="100%" height="93" border="0">
        <tr>
          <td><p>&nbsp;</p>

//Display password question and new form to enter answer into

<?php
    echo '<strong>Your question is - </strong>';
    echo $select_result['password_question'];
    echo '<p></p>';
    echo '<strong>Enter your answer below:</strong>';
?>
        <form action="<?=$_SERVER['PHP_SELF']?>" method="post">
        <strong> 
        <input type="text" name="answer" style="width: 175px">
        <p></p>
<p></p>
<input type="submit" name="submit_band_name" value="Go" /></td>
</strong> </td>

        
        <td>&nbsp;</td>
        </form></table>
<?php
    
//check to see if the question and answer match up

$answer=$HTTP_POST_VARS['answer'];
    $sql4 = "select * from user where password_question='".$_POST['question']."' 
             and answer='".$_POST['answer']."'"; 
         
    $sqlresult = mysql_query($sql4); 
    
//start another if function (still in the same outer if clause). If there is a match then give htem their password.
    
    if (mysql_num_rows($sqlresult) > 0 )
    { 

        $sql5="    SELECT * FROM user WHERE answer='".$_POST['answer']."'";
        $answer_query = mysql_query($sql5);
        $password= mysql_fetch_array($answer_query);
        
        echo'Your password is';
        echo $password['password'];
    }
    
//if not display the below message.

    else
    {
        echo'You entered an incorrect answer to the question, unable to give you your password!';
    }
} 

//If the first if function was not satisfied print display belwo text.

else
{
    echo'<div align="center"><b>Your band name was not found in the database.</b></div>'; 
}

[Dean C]

I'm in a rush to go out so I haven't got time to look through your entire code. But I noticed that you have not cleansed the incoming post variable. First of all you should be using:

PHP Code:

$band = $_POST['band']; 


Instead of:

PHP Code:

$band = $HTTP_POST_VARS['band']; 


Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd reccomend moving to a new one

Secondly, cleanse all your incoming variables. For example I could match any condition on your page by entering this into your form: ' OR ''='

In this example you'll be safe just adding slashes to the answer in your database, and also adding slashes to the incoming $_POST variables.

Cheers,
- Dean

[someonewhois]

Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd reccomend moving to a new one

IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.

Anyway, change:

PHP Code:

$sql1 = "select band_name from band where band_name='$band'"; 
 $result = mysql_query($sql1); 


To:

PHP Code:

$sql1 = "select band_name from band where band_name='$band'"; 
 echo $sql.'<br/><br/>';
 $result = mysql_query($sql1) or die(mysql_error()); 


And let us know what it says.

[Dean C]

IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.

I just wang this at the top of all my files, and why would anyone use PHP in safe mode?

PHP Code:

if(PHP_VERSION < '4.1.0')
{
    $_POST = &$HTTP_POST_VARS;
    $_GET = &$HTTP_GET_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_ENV = &$HTTP_ENV_VARS;
    $_FILES = &$HTTP_POST_FILES;
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_REQUEST = array_merge($_POST, $_GET, $_COOKIE);
} 


[someonewhois]

why would anyone use PHP in safe mode?

I have absolutely no idea. Ask them. It's usually free hosts, but other than that I'm not sure. Apps like IPB (and I think vB) support safe mode still.

[HardCoded]

Safe mode has the superglobals, just FYI.