-
Mar 6, 2005, 03:33 #1
Why does this if statement not work?
I've had help with this part of my site on here before. I could get it working without errors, but it isn't executing the if statements right and isn't doing the most important thing, which is to display a password after the user gives a correct answer to their question. I've left it the last few days and built other parts of my site, went back to this this morning and still no joy.
PHP Code:
<?php
include('connect.inc');
$band=$HTTP_POST_VARS['band'];
//Gets the band name out of the form
$sql1 = "select band_name from band where band_name='$band'";
$result = mysql_query($sql1);
if (mysql_num_rows($result) > 0 )
{
    //Get the password question out of the database
    $sql = "
    SELECT band.band_ID, user.password_question
    FROM band INNER JOIN user
    ON band.band_ID=user.band_ID
    WHERE band.band_name='$band'
    ";
    $idresult = mysql_query($sql);
    $select_result = mysql_fetch_array($idresult);
?>
<table width="100%" height="93" border="0">
<tr>
<td><p> </p>
//Display password question and new form to enter answer into
<?php
    echo '<strong>Your question is - </strong>';
    echo $select_result['password_question'];
    echo '<p></p>';
    echo '<strong>Enter your answer below:</strong>';
?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<strong>
<input type="text" name="answer" style="width: 175px">
<p></p>
<p></p>
<input type="submit" name="submit_band_name" value="Go" /></td>
</strong> </td>
<td> </td>
</form></table>
<?php
    //check to see if the question and answer match up
    $answer=$HTTP_POST_VARS['answer'];
    $sql4 = "select * from user where password_question='".$_POST['question']."'
    and answer='".$_POST['answer']."'";
    $sqlresult = mysql_query($sql4);
    //start another if function (still in the same outer if clause). If there is a match then give them their password.
    if (mysql_num_rows($sqlresult) > 0 )
    {
        $sql5=" SELECT * FROM user WHERE answer='".$_POST['answer']."'";
        $answer_query = mysql_query($sql5);
        $password= mysql_fetch_array($answer_query);
        echo'Your password is';
        echo $password['password'];
    }
    //if not display the below message.
    else
    {
        echo'You entered an incorrect answer to the question, unable to give you your password!';
    }
}
//If the first if function was not satisfied display the below text.
else
{
    echo'<div align="center"><b>Your band name was not found in the database.</b></div>';
}
-
Mar 6, 2005, 07:21 #2
I'm in a rush to go out so I haven't got time to look through your entire code. But I noticed that you have not cleansed the incoming post variable. First of all you should be using:
PHP Code:
$band = $_POST['band'];
PHP Code:
$band = $HTTP_POST_VARS['band'];
Secondly, cleanse all your incoming variables. For example I could match any condition on your page by entering this into your form: ' OR ''='
In this example you'll be safe just adding slashes to the answer in your database, and also adding slashes to the incoming $_POST variables.
Cheers,
- Dean
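The effect of the `' OR ''='` input from post #2 on a query built the way `$sql4` is in the original post, next to the same query with bound parameters. This is an added example, not code from any poster in the thread; it assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection, and the table row and function names are constructed for illustration.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stand in for the thread's
// MySQL/mysql_* setup; the row below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (band_ID INTEGER, password_question TEXT, answer TEXT, password TEXT)");
$db->exec("INSERT INTO user VALUES (1, 'First gig venue?', 'The Empire', 'constructed-secret')");

// Same shape as $sql4 in post #1: form input concatenated into the SQL text,
// so quotes in the input become part of the statement.
function match_concatenated(PDO $db, string $question, string $answer): int
{
    $sql = "select * from user where password_question='" . $question
         . "' and answer='" . $answer . "'";
    return count($db->query($sql)->fetchAll());
}

// Hardened form: the SQL text is fixed and the values are bound as parameters,
// so the input is only ever compared as data.
function match_bound(PDO $db, string $question, string $answer): int
{
    $stmt = $db->prepare('select * from user where password_question = ? and answer = ?');
    $stmt->execute([$question, $answer]);
    return count($stmt->fetchAll());
}

$question = 'First gig venue?';
$cases = [
    'correct answer'     => 'The Empire',
    'wrong answer'       => 'The Arena',
    'input from post #2' => "' OR ''='",
];

// Print how many rows each query form matches for each input.
foreach ($cases as $label => $answer) {
    printf("%-20s concatenated=%d bound=%d\n",
        $label,
        match_concatenated($db, $question, $answer),
        match_bound($db, $question, $answer));
}
```

With the concatenated query, the input from post #2 turns the WHERE clause into `... and answer='' OR ''=''`, which is true for every row; the bound query treats the same input as an answer string that matches nothing.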
-
Mar 6, 2005, 08:46 #3
Originally Posted by Dean C
Anyway, change:
PHP Code:
$sql1 = "select band_name from band where band_name='$band'";
$result = mysql_query($sql1);
PHP Code:
$sql1 = "select band_name from band where band_name='$band'";
// Print the query that is about to run, then show any MySQL error
echo $sql1.'<br/><br/>';
$result = mysql_query($sql1) or die(mysql_error());
- Nathan
-
Mar 6, 2005, 08:51 #4
- Join Date
- Mar 2003
- Location
- England, UK
- Posts
- 2,906
- Mentioned
- 0 Post(s)
- Tagged
- 0 Thread(s)
Originally Posted by someonewhois
PHP Code:
if(PHP_VERSION < '4.1.0')
{
    $_POST = &$HTTP_POST_VARS;
    $_GET = &$HTTP_GET_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_ENV = &$HTTP_ENV_VARS;
    $_FILES = &$HTTP_POST_FILES;
    $_COOKIE = &$HTTP_COOKIE_VARS;
    $_REQUEST = array_merge($_POST, $_GET, $_COOKIE);
}
-
Mar 6, 2005, 08:56 #5
Originally Posted by Dean C
Ask them. It's usually free hosts, but other than that I'm not sure. Apps like IPB (and I think vB) support safe mode still.
- Nathan
-
Mar 6, 2005, 10:46 #6
Safe mode has the superglobals, just FYI.