Why does this if statement not work?

**UOT_Ste** · Mar 6, 2005, 03:33

I've had help with this part of my site on here before. I could get it working without errors but it isn't executing the if statements right and isn't doing the most important thing which is to display a password after the user gives a correct answer their question. I've left it the last few days and built other parts of my site, went back to this this morning and still no joy.

PHP Code:


<?php

include('connect.inc');

$band=$HTTP_POST_VARS['band'];



//Gets the band name out of the form



$sql1 = "select band_name from band where band_name='$band'";

$result = mysql_query($sql1); 



if (mysql_num_rows($result) > 0 )

{ 



//Get the passowrd question out of the database    

 

    $sql = " 

        SELECT band.band_ID, user.password_question 

        FROM band INNER JOIN user 

        ON band.band_ID=user.band_ID 

        WHERE band.band_name='$band' 

        "; 

        

    $idresult = mysql_query($sql);

    $select_result = mysql_fetch_array($idresult);

?>    

     <table width="100%" height="93" border="0">

        <tr>

          <td><p>&nbsp;</p>



//Display password question and new form to enter answer into



<?php

    echo '<strong>Your question is - </strong>';

    echo $select_result['password_question'];

    echo '<p></p>';

    echo '<strong>Enter your answer below:</strong>';

?>

        <form action="<?=$_SERVER['PHP_SELF']?>" method="post">

        <strong> 

        <input type="text" name="answer" style="width: 175px">

        <p></p>

<p></p>

<input type="submit" name="submit_band_name" value="Go" /></td>

</strong> </td>



        

        <td>&nbsp;</td>

        </form></table>

<?php

    

//check to see if the question and answer match up



$answer=$HTTP_POST_VARS['answer'];

    $sql4 = "select * from user where password_question='".$_POST['question']."' 

             and answer='".$_POST['answer']."'"; 

         

    $sqlresult = mysql_query($sql4); 

    

//start another if function (still in the same outer if clause). If there is a match then give htem their password.

    

    if (mysql_num_rows($sqlresult) > 0 )

    { 



        $sql5="    SELECT * FROM user WHERE answer='".$_POST['answer']."'";

        $answer_query = mysql_query($sql5);

        $password= mysql_fetch_array($answer_query);

        

        echo'Your password is';

        echo $password['password'];

    }

    

//if not display the below message.



    else

    {

        echo'You entered an incorrect answer to the question, unable to give you your password!';

    }

} 



//If the first if function was not satisfied print display belwo text.



else

{

    echo'<div align="center"><b>Your band name was not found in the database.</b></div>'; 

}

**Dean C** · Mar 6, 2005, 07:21

I'm in a rush to go out so I haven't got time to look through your entire code. But I noticed that you have not cleansed the incoming post variable. First of all you should be using:

PHP Code:


$band = $_POST['band'];

Instead of:

PHP Code:


$band = $HTTP_POST_VARS['band'];

Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd reccomend moving to a new one

Secondly, cleanse all your incoming variables. For example I could match any condition on your page by entering this into your form: ' OR ''='

In this example you'll be safe just adding slashes to the answer in your database, and also adding slashes to the incoming $_POST variables.

Cheers,
- Dean

**someonewhois** · Mar 6, 2005, 08:46

Originally Posted by Dean C

Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd reccomend moving to a new one

IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.

Anyway, change:

PHP Code:


$sql1 = "select band_name from band where band_name='$band'"; 
 $result = mysql_query($sql1);

To:

PHP Code:


$sql1 = "select band_name from band where band_name='$band'"; 
 echo $sql.'<br/><br/>';
 $result = mysql_query($sql1) or die(mysql_error());

And let us know what it says.

**Dean C** · Mar 6, 2005, 08:51

Originally Posted by someonewhois

IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.

I just wang this at the top of all my files, and why would anyone use PHP in safe mode?

PHP Code:


if(PHP_VERSION < '4.1.0')

{

    $_POST = &$HTTP_POST_VARS;

    $_GET = &$HTTP_GET_VARS;

    $_SERVER = &$HTTP_SERVER_VARS;

    $_ENV = &$HTTP_ENV_VARS;

    $_FILES = &$HTTP_POST_FILES;

    $_COOKIE = &$HTTP_COOKIE_VARS;

    $_REQUEST = array_merge($_POST, $_GET, $_COOKIE);

}