How to check if a card PIN has been used by another user


#1

This is what I want to do, please help:

if (user enters pin) {
    select status from pins where pin = pin
    if (status = "used" or pin is tied to a different ID other than the student ID entered) {
        echo "card used, buy a new scratch card"
        header('Location: buypin.php');
    } else {
        header('Location: rightplace.php');
        set the status of this pin to "used" and tie that very pin to the student's ID
    }
}

#2

OK, that sounds quite straightforward. What code do you have so far?


#3

Just one concern: if the pins are meant for some kind of security, there may be an issue with telling someone that a pin is already being used.
They will know what someone else's pin is; though they may not necessarily know who it belongs to, security has been compromised to a degree.
Is there a reason the pins must be unique?


#4

The pin is for students to check their results.


#5
if (!$error) {

    $res = mysql_query("SELECT * from pin WHERE userid='$reg'");
    $row = mysql_fetch_array($res);
    $count = mysql_num_rows($res); // if regno is correct this must return exactly 1 row

    if ($count == 1 && $row['userid'] == $reg) {
        $pinid = $row['id'];
        $check_hw = $row['hw'];
        if ($check_hw <= 4) {
            $res = mysql_query("UPDATE pin SET userid='$reg',status='1',hw=hw+1 WHERE pin='$pin'");

            $_SESSION['user'] = $row['userid'];
            header("Location: access.php");

        } else {
            $errMSG = "Card Limit Exceeded";
        }
    } else {
        $errMSG = "Card Used By Another user Or Limit Exceeded";
    }
}

#6

STOP WHAT YOU'RE DOING!

Your code is dangerous, obsolete, and will not work at all in current PHP. You need to use PDO with prepared statements.


#7

Please can you help me with the correct code. This is what I want to do:

if (user enters pin) {
    select status from pins where pin = pin
    if (status = "used" or pin is tied to a different ID other than the student ID entered) {
        echo "buy a new scratch card"
        header('Location: anywhere.php');
    } else {
        header('Location: rightplace.php');
        set the status of this pin to "used" and tie that very pin to the student's ID
    }
}

#8

This is my new code. I want the user to be able to use a pin five times, and this code only allows the user to use it once.

$reg = trim($_POST['reg']);
$reg = strip_tags($reg);
$reg = htmlspecialchars($reg);

$pin = trim($_POST['pin']);
$pin = strip_tags($pin);
$pin = htmlspecialchars($pin);

if (isset($_POST['btn-signup'])) {

    $res = mysql_query("SELECT status,userid FROM pin WHERE pin ='$pin'");
    $row = mysql_fetch_array($res);
    $status = $row['status'];
    $check_id = $row['userid'];
    if($check_id=$reg || $status=1){

        $errMSG = "Card Used By Another user Or Limit Exceeded";
    }
    else {

        $errMSG = "log";

    }

}

?>

#9

Apparently you don't understand what "dangerous and obsolete and won't work in current PHP" means. Every possible thing you could do wrong is in your code.

Here is a tutorial to get you on the right track. https://phpdelusions.net/pdo


#10

I get your point, but I just need the correct code using this approach; I will rewrite the code using PDO.


#11

I’m fine with my house burning. I want to see it burn to the ground first before I throw any water on it.


#12

There’s nothing in your new code that looks to see how many times the PIN has been used, only whether it has been used.

Here is a big problem:

if($check_id=$reg || $status=1){

Have a read up on the difference between comparison and assignment operators. I presume it’s a typo as you’ve done it right in the earlier code.

The point everyone else is making is that you are using the old-style mysql_query() and other related functions, and they are not present in the current version of PHP. Lots of developers don’t use them any more, and have probably forgotten how they work in any detail, so it gets more difficult to offer support for obsolete functions.


#13

Thanks… after reading all the suggestions I have decided to write the code with mysqli or PDO as suggested. I have also got a clue on how to condition my statement. I will post the working code when I'm done for any corrections. Thanks a lot.


#14

Couldn't get along with PDO, had to use mysqli… currently learning how to use PDO…
And here is my final working code…

if (isset($_POST['btn-signup'])) {

    $reg = trim($_POST['reg']);
    $reg = strip_tags($reg);
    $reg = htmlspecialchars($reg);

    $pin = trim($_POST['pin']);
    $pin = strip_tags($pin);
    $pin = htmlspecialchars($pin);

    $res = mysqli_query($con, "SELECT * FROM pin WHERE pin ='$pin'");
    $row = mysqli_fetch_array($res);
    $check_id = $row['userid'];
    // checking if the column userid is empty
    if ('' !== $row['userid']) {
        // userid column is not empty: allow only if the reg no matches and the use count is still within the limit (hw <= 4)
        if ($row['userid'] == $reg && $row['hw'] <= 4) {
            $errMSG = "log";
        } else {
            $errMSG = "Card Used Or Limit Exceeded";
        }
    } else {

        $errMSG = "log";

    }

}


#15

What do you use this strip_tags and htmlentities stuff for? Do you expect the user to send this, or do you provide any information that includes HTML that is sent back? If you want to be protected from a user faking the input, that's the wrong method; it will not necessarily remove every invalid character. As the manual states:

http://php.net/manual/de/mysqli.query.php

`query`
The query string.
Data inside the query should be properly escaped.

which leads you to the following function:

http://php.net/manual/de/mysqli.real-escape-string.php

But it’s easier to use Prepared Statements. With PDO it’s a simple task:

$pdo = new PDO('dsn, username etc.');
$select = $pdo->prepare("SELECT user, pin FROM pin WHERE pin = ?");
$select->execute([$pin]);
$pins = $select->fetchAll();
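A complete version of the check the thread is asking for, written here as an added example (not code from any post above): PDO with prepared statements, the five-use limit, and a single conditional UPDATE so that the check and the counter increment cannot race between two simultaneous requests. The table and column names (pin, userid, status, hw), the form fields and access.php follow the thread; the DSN, credentials and the helper names connect/redeemPin are assumptions.

```php
<?php
// Added example, not from the thread. DSN and credentials are placeholders.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
        'DB_USER',
        'DB_PASS',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

/**
 * Records one use of $pin by student $reg and returns true, or returns false
 * when the pin is unknown, is tied to a different student, or has already
 * been used five times. The check and the increment are one UPDATE, so two
 * requests arriving at the same time cannot both pass the limit.
 * (Helper name and shape are assumptions; columns follow the thread.)
 */
function redeemPin(PDO $pdo, string $pin, string $reg): bool
{
    // Native prepares do not allow reusing a named placeholder, hence :reg2.
    $stmt = $pdo->prepare(
        'UPDATE pin
            SET userid = :reg, status = 1, hw = hw + 1
          WHERE pin = :pin
            AND (userid IS NULL OR userid = \'\' OR userid = :reg2)
            AND hw < 5'
    );
    $stmt->execute([':reg' => $reg, ':pin' => $pin, ':reg2' => $reg]);
    return $stmt->rowCount() === 1;
}

if (isset($_POST['btn-signup'])) {
    $reg = trim($_POST['reg'] ?? '');
    $pin = trim($_POST['pin'] ?? '');
    $pdo = connect();
    if ($reg !== '' && $pin !== '' && redeemPin($pdo, $pin, $reg)) {
        session_start();
        $_SESSION['user'] = $reg;
        header('Location: access.php');
        exit;
    }
    // One message for every failure, so the response does not reveal whether
    // a guessed pin exists or belongs to someone else (the concern raised in #3).
    $errMSG = 'Card used or limit exceeded';
}
```

No strip_tags or htmlspecialchars is needed on the input: the values are bound as parameters, and htmlspecialchars belongs at output time, where the value is rendered into HTML.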