-1

I need a little bit of your help with if statements in PHP, as I am new to it.

First of all I have this query:

$sqlCmd = "SELECT user.name,user.level 
    FROM user.user 
    WHERE user.id = '".$_GET['char']."' 
    LIMIT 1";

and now I have this second query

$sqlUpdate = "UPDATE user.user 
    SET level='1' 
    WHERE id='".$_GET['char']."' 
    LIMIT 1";

What I want to do is something like this: if level > 1, run the $sqlUpdate, else print an error.

Cœur

6 Answers

1

Try like this

$sqlUpdate = "UPDATE user.user 
                      SET level='1' 
                      WHERE id='".mysql_real_escape_string($_GET['char'])."' 
                      AND level >1 
                      LIMIT 1";

Refer to these links; they may help you learn: http://sqlzoo.net/, http://beginner-sql-tutorial.com/sql.htm

GautamD31
  • I haven't downvoted this. But I think you have given a `w3schools` link for reference and because of that someone has downvoted you. – Yogesh Suthar Mar 21 '13 at 04:26
  • I don't know why, but in my case I started with w3schools... at the beginning I thought it's better; later on you can go through http://sqlzoo.net/ – GautamD31 Mar 21 '13 at 04:27
  • Nowadays `w3schools` examples and code are not proper; they contain lots of mistakes, and because of that the community doesn't want to give its link for reference. Anyway, just remove the link. – Yogesh Suthar Mar 21 '13 at 04:29
  • Ok, now I think there is no reason to downvote my CORRECT answer – GautamD31 Mar 21 '13 at 04:31
1
$sqlUpdate = "UPDATE user.user SET level='1' WHERE id='".mysql_real_escape_string($_GET['char'])."' AND level >1 LIMIT 1";

Your code is vulnerable to SQL injection; you need to escape all request input properly.

Warning

Your code is vulnerable to SQL injection; you need to escape all GET, POST and REQUEST input, and the better approach is to use prepared statements.

Good Read

  1. How to prevent SQL injection in PHP?
  2. Are PDO prepared statements sufficient to prevent SQL injection?

Note

  1. The entire ext/mysql PHP extension, which provides all functions named with the prefix mysql_, is officially deprecated as of PHP v5.5.0 and will be removed in the future. So use either PDO or MySQLi.

Good read

  1. The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
  2. PDO Tutorial for MySQL Developers
  3. PDO Tutorial for Beginners
NullPoiиteя
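The prepared-statement approach this answer recommends, as an added example that is not part of the thread: the question's "reset level if it is above 1" done with PDO so the id is bound as a parameter instead of concatenated from $_GET['char']. It assumes an in-memory SQLite database with a table named `user` (constructed here) so it runs stand-alone; against MySQL the DSN and the question's `user.user` table name would be used instead.

```php
<?php
// Added example, not code from the thread. Uses SQLite in memory so it runs
// without a server; on MySQL use a 'mysql:host=...;dbname=user' DSN and 'user.user'.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, level INTEGER)");
    // constructed sample rows: alice is above level 1, bob is already at level 1
    $pdo->exec("INSERT INTO user VALUES (1, 'alice', 5), (2, 'bob', 1)");
    return $pdo;
}

// Sets the character's level to 1 only if it is currently above 1.
// Putting the condition in the UPDATE avoids a separate SELECT (and the gap
// between the two statements); binding :id means the value is never parsed
// as SQL, which is what the question's string concatenation allowed.
function resetLevel(PDO $pdo, string $charId): string {
    $stmt = $pdo->prepare(
        "UPDATE user SET level = 1 WHERE id = :id AND level > 1"
    );
    $stmt->execute([':id' => $charId]);
    // rowCount() is the number of rows the UPDATE touched: 1 on success,
    // 0 if the id does not exist or the level was not above 1.
    if ($stmt->rowCount() === 1) {
        return "Done";
    }
    return "error: no character with that id above level 1";
}

$pdo = connect();
echo resetLevel($pdo, '1'), "\n";              // Done
echo resetLevel($pdo, '2'), "\n";              // error: bob was already level 1
echo resetLevel($pdo, "1' OR '1'='1"), "\n";   // error: bound as a literal id, matches nothing
```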
0
$sqlCmd = "SELECT user.name,user.level FROM user.user WHERE user.id = '".mysql_real_escape_string($_GET['char'])."' AND level>1 LIMIT 1";
$result = mysql_query($sqlCmd);   // mysql_num_rows needs the result resource, not the connection
if(mysql_num_rows($result)===1){
    //run second query
    mysql_query($sqlUpdate);
}else{
    echo 'error:';
}
JJJ
0

I think this should do it...

$result = mysql_query($sqlCmd);
if($row = mysql_fetch_object($result)) {
    if ($row->level > 1)
    {
      mysql_query($sqlUpdate);
      //Might want to add a check here if it was successful... 
      echo "Done";
    }
    else
      echo 'error!!!';

}
mysql_free_result($result);
Borik
  • That's what I was looking for, thanks! Now I am trying to add a "correct" msg to the code like "done". I've tried to add an echo before "mysql_query($sqlUpdate);", but it does not work; any idea? – user1638487 Mar 21 '13 at 04:38
  • Did you add the appropriate braces to the code? My **if** statement contains only one line, that's why I didn't need them before – Borik Mar 21 '13 at 04:44
  • I updated the code, let me know if that is what you wanted to accomplish. – Borik Mar 21 '13 at 04:52
  • Nice, thanks again. Now I'd like to add another check in the if. I have tried this: if ($row->level > 249 & $row->power!=0) But it does not work, can you help me again? – user1638487 Mar 21 '13 at 05:10
  • Try using **&&** instead of **&** – Borik Mar 21 '13 at 12:40
0

Try this

$sqlCmd = "SELECT user.name,user.level 
FROM user.user 
WHERE user.id = '".mysql_real_escape_string($_GET['char'])."' 
LIMIT 1";

$resource = mysql_query($sqlCmd);
$temp_arr = mysql_fetch_assoc($resource);      // false when no row matched
$level    = $temp_arr ? $temp_arr['level'] : 0;
if($level > 1)
{
    $sqlUpdate = "UPDATE user.user 
    SET level='1' 
    WHERE id='".mysql_real_escape_string($_GET['char'])."' 
    LIMIT 1";

    mysql_query($sqlUpdate);
}
else
{
    echo 'error';
}
alwaysLearn
-1
    mysql_query("UPDATE user.user SET level='1' WHERE id='".mysql_real_escape_string($_GET['char'])."' and level>1 LIMIT 1");
Suyash