
I'm selecting data from my database, and it's still saying I'm in the game when I'm not, which is what I check for.

Any clue how to solve this problem?

        $moneda = (CMS == 'uber' ? $users->GetUserVar(USER_ID, moneda) : $myrow[moneda]);
        // mysql_query() returns a result resource (or false if the query fails), not the value of `online`
        $isonline = mysql_query("SELECT `online` FROM `users` WHERE `username` = ".$_POST['Naam']."");
        $error = array();
        if($isonline == 1)
                // Dutch: "The other player must leave the hotel before you can transfer belpixels."
                $error[] = "De ander moet uit het hotel gaan voordat je belpixels kunt overschrijven.";
Kevin Houghton
    Your code is vulnerable to SQL injection. Please fix that problem first. See [here](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) – juergen d Nov 12 '12 at 17:54
  • `$isonline` is getting the result set from your query - that will only be false if the SQL query fails. You need to get the output of the query with something like mysql_fetch_array first. – andrewsi Nov 12 '12 at 17:55
  • So what is the best way to secure it? I don't get the clue on the "see here" page. – Kevin Houghton Nov 12 '12 at 17:55
  • Not an answer to your question, but you should work on moving away from `mysql_*`, as they are being deprecated by PHP. http://www.php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated http://www.php.net/manual/en/mysqlinfo.api.choosing.php – WhoaItsAFactorial Nov 12 '12 at 17:56
  • Use prepared statements by using PDO or mysqli. – juergen d Nov 12 '12 at 17:56
  • You really need to read up on [proper SQL escaping](http://bobby-tables.com/php) before you create a SQL injection that causes severe harm to your application. – tadman Nov 12 '12 at 20:13

2 Answers

$isonline = mysql_query("SELECT `online` FROM `users` WHERE `username` =".$_POST['Naam']."");

$isonline is not your answer, dude; it contains the result object, not the result.

$row=mysql_fetch_assoc($isonline);
if($row['online']==1){}

And use of mysql_query is long deprecated; switch to PDO.

And:

$isonline = mysql_query("SELECT online FROM ..

In SQL you never put quotation marks around column names. Get rid of the ones around username too, and put them around the username value, like this one here:

// Note: still builds the SQL from $_POST directly, so the injection the comments above warn about remains
$isonline = mysql_query("SELECT online FROM users WHERE username ='".$_POST['Naam']."'");
geekman

mysql_query never returns a single user record; it returns a PHP resource, even if you know the SQL query will only ever return a single record.

In other words: $isonline is not the right name for that variable. Call it something like $online_query_results, then call

$user_record = mysql_fetch_array($online_query_results);

This will return the first (and in this case only) result row. Then, instead of testing $isonline, test

$user_record['online']
chapka
  • This isn't working either. It should return an error if the user is in the game, which it still doesn't when in the database online is set to 1. – Kevin Houghton Nov 12 '12 at 18:15
  • Can you put a logging statement into this code to see what is actually being returned from your db_query statement or from mysql_fetch_array? For example: `print_r($user_record)`. (Never use `print_r` on a database record result on a live site; the output will include your database username and password.) If the changes suggested aren't working, the most likely reason is that your database query is returning a nil or empty object. – chapka Nov 13 '12 at 12:48
  • Please post the actual query string you're using now. Does it work if you use this query string? --> `SELECT online FROM {users} WHERE username = {$_POST['Naam']}` – chapka Nov 13 '12 at 12:50
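A working version of the check that both answers describe (read the column value out of the result, not the result handle) combined with the prepared-statement advice from the comments, as an added example that is not code from the question or either answer. It assumes the `users` table with `username` and `online` columns from the question; the function name `isUserOnline` and the sample users are made up for the illustration, and an in-memory SQLite database stands in for MySQL only so the script runs stand-alone.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes a `users` table with `username` and `online` columns (from the question).
// SQLite in memory is used so this runs stand-alone; for MySQL replace the DSN with
// something like 'mysql:host=localhost;dbname=hotel;charset=utf8mb4' plus user/password,
// and also set PDO::ATTR_EMULATE_PREPARES to false so MySQL itself binds the parameters.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

/**
 * Returns true if the user is flagged online, false if offline, and null if no
 * such user exists. Keeping the three cases distinct matters: the original code
 * compared the query *resource* to 1, which is never true, so the "other player
 * is still in the hotel" error could never fire.
 */
function isUserOnline(PDO $pdo, string $username): ?bool
{
    // The username is bound as a parameter, never spliced into the SQL text, so
    // input such as  ' OR '1'='1  is looked up literally as a username.
    $stmt = $pdo->prepare('SELECT online FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);

    $online = $stmt->fetchColumn();  // the column value itself, not a result handle
    if ($online === false) {
        return null;                  // no matching row: unknown user
    }
    return (int) $online === 1;
}

// --- constructed sample data so the script can be run as-is ---
$pdo = connect();
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, online INTEGER NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username, online) VALUES (:u, :o)');
foreach ([['alice', 1], ['bob', 0]] as [$u, $o]) {
    $ins->execute([':u' => $u, ':o' => $o]);
}

// Stand-ins for the form field from the question ($_POST['Naam']),
// including an injection attempt that must not match anyone.
foreach (['alice', 'bob', 'carol', "' OR '1'='1"] as $naam) {
    $error = [];
    $state = isUserOnline($pdo, $naam);
    if ($state === true) {
        // Original Dutch message: "De ander moet uit het hotel gaan voordat je belpixels kunt overschrijven."
        $error[] = 'The other player must leave the hotel before you can transfer belpixels.';
    } elseif ($state === null) {
        $error[] = 'Unknown user.';
    }
    printf("%-14s -> online=%s errors=%s\n",
        var_export($naam, true),
        var_export($state, true),
        $error ? implode('; ', $error) : '(none)');
}
```

Run it with `php example.php`: alice produces the "must leave the hotel" error, bob produces none, carol and the `' OR '1'='1` input both come back as unknown users because the bound parameter is compared as a plain string rather than parsed as SQL.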