  1. #1
    SitePoint Enthusiast
    Join Date
    Feb 2005
    Location
    God's Country (Middlesbrough to everyone else)
    Posts
    46

    Why does this if statement not work?

    I've had help with this part of my site on here before. I could get it working without errors, but it isn't executing the if statements right and isn't doing the most important thing, which is to display a password after the user gives a correct answer to their question. I've left it the last few days and built other parts of my site, went back to this this morning and still no joy.

    PHP Code:
    <?php
    include('connect.inc');
    $band = $HTTP_POST_VARS['band'];

    // Gets the band name out of the form

    $sql1 = "select band_name from band where band_name='$band'";
    $result = mysql_query($sql1);

    if (mysql_num_rows($result) > 0)

    // Get the password question out of the database

        $sql = "
            SELECT band.band_ID, user.password_question
            FROM band INNER JOIN user
            ON band.band_ID=user.band_ID
            WHERE band.band_name='$band'
            ";

        $idresult = mysql_query($sql);
        $select_result = mysql_fetch_array($idresult);
    ?>
         <table width="100%" height="93" border="0">
            <tr>
              <td><p>&nbsp;</p>

    //Display password question and new form to enter answer into

    <?php
        echo '<strong>Your question is - </strong>';
        echo $select_result['password_question'];
        echo '<p></p>';
        echo '<strong>Enter your answer below:</strong>';
    ?>
            <form action="<?=$_SERVER['PHP_SELF']?>" method="post">
            <strong>
            <input type="text" name="answer" style="width: 175px">
            <p></p>
    <p></p>
    <input type="submit" name="submit_band_name" value="Go" /></td>
    </strong> </td>

            <td>&nbsp;</td>
            </form></table>
    <?php
        // check to see if the question and answer match up

        $answer = $HTTP_POST_VARS['answer'];
        $sql4 = "select * from user where password_question='".$_POST['question']."'
                 and answer='".$_POST['answer']."'";

        $sqlresult = mysql_query($sql4);

        // start another if function (still in the same outer if clause). If there is a match then give them their password.

        if (mysql_num_rows($sqlresult) > 0)
        {
            $sql5 = "    SELECT * FROM user WHERE answer='".$_POST['answer']."'";
            $answer_query = mysql_query($sql5);
            $password = mysql_fetch_array($answer_query);

            echo 'Your password is';
            echo $password['password'];
        }

        // if not display the below message.

        else
        {
            echo 'You entered an incorrect answer to the question, unable to give you your password!';
        }

    // If the first if function was not satisfied display the below text.

    else
    {
        echo '<div align="center"><b>Your band name was not found in the database.</b></div>';
    }

  2. #2
    SitePoint Wizard Dean C
    Join Date
    Mar 2003
    Location
    England, UK
    Posts
    2,906
    I'm in a rush to go out so I haven't got time to look through your entire code. But I noticed that you have not cleansed the incoming post variable. First of all you should be using:

    PHP Code:
    $band = $_POST['band'];
    Instead of:

    PHP Code:
    $band = $HTTP_POST_VARS['band'];
    Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd recommend moving to a new one.

    Secondly, cleanse all your incoming variables. For example I could match any condition on your page by entering this into your form: ' OR ''='

    In this example you'll be safe just adding slashes to the answer in your database, and also adding slashes to the incoming $_POST variables.

    Cheers,
    - Dean
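
The difference between the concatenated queries in this thread and a parameterized query, as an added example that is not part of any post above. It runs against an in-memory SQLite database through PDO; the table contents, the function names and the lookup by band_ID are assumptions made for the illustration. The concatenated check accepts the string quoted in post #2, while the prepared statement treats it as an ordinary wrong answer.

```php
<?php
// Added example: constructed schema and row, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (band_ID INTEGER, password_question TEXT, answer TEXT)");
$db->exec("INSERT INTO user VALUES (1, 'First gig venue?', 'The Empire')");

// Pattern used in the thread: request input is concatenated into the SQL text,
// so quote characters in the input become part of the statement itself.
function answer_matches_concat(PDO $db, string $question, string $answer): bool
{
    $sql = "SELECT COUNT(*) FROM user WHERE password_question='" . $question
         . "' AND answer='" . $answer . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: the statement is fixed and the input is bound as data.
// The row is selected by band_ID (hypothetical: resolved server-side from the
// band name) instead of by a question string sent back from the form.
function answer_matches_prepared(PDO $db, int $bandId, string $answer): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE band_ID = ? AND answer = ?');
    $stmt->execute([$bandId, $answer]);
    return (int) $stmt->fetchColumn() > 0;
}

// Inputs: the real answer, a plain wrong answer, and the string from post #2.
$inputs = ['The Empire', 'wrong guess', "' OR ''='"];

foreach ($inputs as $input) {
    printf(
        "%-12s concat=%s prepared=%s\n",
        $input,
        var_export(answer_matches_concat($db, 'First gig venue?', $input), true),
        var_export(answer_matches_prepared($db, 1, $input), true)
    );
}
```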

  3. #3
    SitePoint Wizard someonewhois
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    6,364
    Quote Originally Posted by Dean C
    Superglobals are now the standard as opposed to the old PHP3 variables. If your host is using such an old version then I'd recommend moving to a new one
    IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.

    Anyway, change:
    PHP Code:
    $sql1 = "select band_name from band where band_name='$band'";
    $result = mysql_query($sql1);
    To:
    PHP Code:
    $sql1 = "select band_name from band where band_name='$band'";
    // print the query text, then stop with the MySQL error if the query fails
    echo $sql1.'<br/><br/>';
    $result = mysql_query($sql1) or die(mysql_error());
    And let us know what it says.

  4. #4
    SitePoint Wizard Dean C
    Join Date
    Mar 2003
    Location
    England, UK
    Posts
    2,906
    Quote Originally Posted by someonewhois
    IIRC, safemode doesn't have superglobals, so you need to use the $HTTP_POST_VARS garbage. Most public PHP apps use it just to support safe mode (and they don't even support PHP 3), from what I've seen.
    I just wang this at the top of all my files, and why would anyone use PHP in safe mode?

    PHP Code:
    if (PHP_VERSION < '4.1.0')
    {
        // map the superglobal names onto the old long arrays
        $_POST = &$HTTP_POST_VARS;
        $_GET = &$HTTP_GET_VARS;
        $_SERVER = &$HTTP_SERVER_VARS;
        $_ENV = &$HTTP_ENV_VARS;
        $_FILES = &$HTTP_POST_FILES;
        $_COOKIE = &$HTTP_COOKIE_VARS;
        $_REQUEST = array_merge($_POST, $_GET, $_COOKIE);
    }


  5. #5
    SitePoint Wizard someonewhois
    Join Date
    Jan 2002
    Location
    Canada
    Posts
    6,364
    Quote Originally Posted by Dean C
    why would anyone use PHP in safe mode?
    I have absolutely no idea. Ask them. It's usually free hosts, but other than that I'm not sure. Apps like IPB (and I think vB) support safe mode still.

  6. #6
    SitePoint Guru
    Join Date
    Nov 2004
    Location
    Parry Sound, ON
    Posts
    725
    Safe mode has the superglobals, just FYI.

