mysql - Php + sql statement always returns successfull? -

-

this code

<?php include("global.php");  $username = mysql_real_escape_string(stripslashes($_post["strusername"])); $password = md5(mysql_real_escape_string(stripslashes($_post["strpassword"]))); $charid = mysql_real_escape_string(stripslashes($_post["charid"])); $quest = mysql_real_escape_string(stripslashes($_post["strquest"]));   $query = "select * wherei_users, wherei_characters wherei_users.username = '{$username}' , wherei_users.password = '{$password}' , wherei_characters.username =     '{$username}' , wherei_characters.id = '{$charid}'"; $result = mysql_query($query); $yesorno = (mysql_num_rows($result) == 0) ? 'no' : 'yes';    if(empty($username) || empty($password) || empty($charid) || empty($quest) || $yesorno == "no") { $status="error"; $msg="invaliddata"; $actiontype="&actiontype=savequestdata"; $out=("$actiontype&status=$status&msg=$msg"); }  if ($yesorno = "yes") { mysql_query("update wherei_characters set strquest = '{$quest}' username = '{$username}' , id = '{$charid}'") or die(mysql_error()); $actiontype="&actiontype=savequestdata"; $status="success"; $out=("$actiontype&$status"); }  echo("$out"); ?>

however, returns staus success? when go browser , type url, returns 

you have error in sql syntax; check manual corresponds mysql server version right syntax use near '' @ line 1

and when set values wrong on purpose returns status succesfull, see if ether $username,$password,$charid,$questis empty or $yesorno no should echo &actiontype=savequestdata&status=error&msg=invaliddata. no matter set variables to, returns `actiontype=savequestdata&sucess?

this issue: 

if ($yesorno = "yes") {

spot yet? .... ?

a single = in php assignment operator, assigning variable $yesorno equal "yes", in php (not languages) run if , equate true.

you need either:
== comparison operator
or
=== identical comparison operator.

some unrelated, yet important, side notes on code:

depreciated function
mysql_ function depreciated. should consider looking into/learning/using mysqli or pdo.

more info: how can prevent sql injection in php?

validate , sanitise
see use mysql_real_escape_string on $_post variables.
make sure checking variables before pass data onto database stage.
user enter form, , using mysql_ prone injection attacks, should careful.

what best php input sanitizing functions?

md5
php.net, developers of php, state:

note: secure password hashing
not recommended use function secure passwords, due fast nature of hashing algorithm.

see here why:
http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash


Comments

Post a Comment

Popular posts from this blog

ruby on rails - RuntimeError: Circular dependency detected while autoloading constant - ActiveAdmin.register Role -

-
i using activeadmin , have file doing this: activeadmin.register role something--- end however, server gives me error: runtimeerror: circular dependency detected while autoloading constant role /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:461:in `load_missing_constant' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:184:in `const_missing' ~/desktop/boxfox/app/admin/role.rb:1:in `<top (required)>' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:424:in `load' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:424:in `block in load_file' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:616:in `new_constants_in' /library/ruby/gems/2.0.0/gems/activesupport-4.0.10/lib/active_support/dependencies.rb:423:in `load_file' /library/ruby/gems/2.0.0/gems/activesuppor...
Read more

c++ - OpenMP unpredictable overhead -

-
i have simple openmp code runs 4 empty threads , reports time: #include "omp.h" #include <sys/time.h> #include <cstdio> double start_time; void process_thread() { } int main(){ struct timeval tv; gettimeofday(&tv, null); start_time = 1000*((double)tv.tv_sec + 1e-6*(double)tv.tv_usec); printf("beginning time: %.3fms ",start_time-start_time); #pragma omp parallel schedule(static,1) for(int i=0;i<4;i++) process_thread(); gettimeofday(&tv, null); double cur_time = 1000*((double)tv.tv_sec + 1e-6*(double)tv.tv_usec); printf("finishing time: %.3fms\n\n",cur_time-start_time); } without openmp running time small , consistent: beginning time: 0.000ms finishing time: 0.050ms beginning time: 0.000ms finishing time: 0.050ms beginning time: 0.000ms finishing time: 0.049ms beginning time: 0.000ms finishing time: 0.049ms beginning time: 0.000ms finishing time: 0.050ms beginnin...
Read more

django rest framework - DRF 3.0: UniqueTogetherValidator with a read-only field -

-
in process of upgrading django rest framework 3.0 2.4.4 , want have read-only user field, failing because 'user' being required uniquetogethervalidator (i think) i have model (excuse typos, simplified , code works fine irl): class examplemodel(models.model): some_attr = models.positivesmallintegerfield() other_attr = models.positivesmallintegerfield() user = models.foreignkey(user) class meta: unique_together = ('some_attr', 'other_attr', 'user') viewset: class exampleviewset(viewsets.modelviewset): queryset = examplemodel.objects.all() serializer_class = exampleserializer def perform_create(self, serializer): serializer.save(user=self.request.user) def perform_update(self, serializer): serializer.save(user=self.request.user) serializer: class exampleserializer(serializers.modelserializer): user = userserializer(read_only=true) class meta: model = examplemodel n...
Read more