There is an issue on my code PHP

Question

Hey I am having issues with my code, the user.title does not seem to be working right, the code is not passing my log in. Here is my code:

public function isGroupMember($id)
{
    global $conn;
    $sql = "SELECT user.title, Groups.* FROM user INNER JOIN Groups ON user.title = Groups.Group_ID
            WHERE 
            user_id='" . fixstr($this->user_id) . "'
            AND
            user.title='" . fixstr($db->mysql_escape($id)) . "'
            LIMIT 1
            ";
    if(getnum($sql) > 0) {
        return true;
    } else {
        return false;
    }
}

The way that the code was previously written:

user.title = '".$db->sql_escape($db->sql_escape($id))."'

Where it says user.title the code in parenthesis is set incorrectly the is no mysql_escape used in this code:

fixster code:

function fixstr($str){
    $str = trim($str);
    $str = str_replace("'", "''", $str);
    return $str;
}

getnum:

function getnum($sql)
{
    global $conn;

    $result1 = mysql_query($sql);

    if($result1){
        $row1 = mysql_fetch_array($result1);

        $num = $row1["num"];

        return $num;
    }
}

What would be the fix to my code?

I cant see any processing of your sql query, perhabs that is the issue? — JTC, Sep 18 '13 at 20:44
mysql_escape the should not be there is not being process by my code, maybe an addition would be what is missing in my fixster — Daniel Oviedomora, Sep 18 '13 at 20:45
Are you sure you have used the right conditions in **ON user.title = Groups.Group_ID** ? i guess groupid is not same as user title — M Khalid Junaid, Sep 18 '13 at 20:45
using mysql_* functions is deprecated, use PDO or mysqli and prepared statements. — OneOfOne, Sep 18 '13 at 20:48
The query does register used without a second sql_escape I am not sure how I would set up the second one — Daniel Oviedomora, Sep 18 '13 at 20:51

score 2 · Accepted Answer · answered Sep 18 '13 at 20:47

2

Please, make your life easier and don't reinvent the wheel. You could use PDO

answered Sep 18 '13 at 20:47

Maciej Gurban

5,615
4
40
55

Well, I am switching to pdo in a 500.000 lines code project ... and, I reinvent the wheel every 15mins ;) – djot Sep 18 '13 at 20:50
Don't comment with your other account. People will think you're upvoting yourself and you'll get banned. That aside, 500,000 lines of code is too much code. Wrong in so many ways. Are you writing procedural PHP3 style which requires a completely non-DRY approach or something? – AlienWebguy Sep 18 '13 at 20:53
Umm, are you addressing that to me? Because that's the only account I have here. – Maciej Gurban Sep 18 '13 at 20:55
No - to djot. Sounds like the OP accidentally commenting under the wrong account. – AlienWebguy Sep 18 '13 at 20:57

score 1 · Answer 2 · answered Sep 18 '13 at 20:54

1

In some db engines User - is protected SQL keyword.

answered Sep 18 '13 at 20:54

Serge Kvashnin

4,332
4
23
37

There is an issue on my code PHP

2 Answers2