-1

I have a php code that updates the value in 2 tables and I used left join. It works but it keeps on skipping the first condition and always enters the second condition. I have no idea on mysql injection so please advice if my code is prone to mysql injection.

elseif ($_POST['check'])
{
    if ($row[typeofdog] = 'Labrador') 
    {
            $id = $_POST['data'];   
            $count = count($id);

        for($i=0;$i<$count;$i++)
            {

            $sql = "UPDATE animals LEFT JOIN treats ON animals.style = treats.style SET animals.bone = bone - treats.total, treats.status = 'Approved' WHERE treats.id='$id[$i]'"; 
            $result = mysql_query($sql);

            }

        if($result){header("location:login_success.php");}

    }
    else
    {
        $id = $_POST['data'];   
        $count = count($id);

        for($i=0;$i<$count;$i++)
            {

            $sql = "UPDATE animals LEFT JOIN treats ON animals.style = treats.style SET animals.chunks = chunks - treats.total, treats.status = 'Approved' WHERE treats.id='$id[$i]'"; 
            $result = mysql_query($sql);

            }

        if($result){header("location:login_success.php");}

    }
}
Roi patrick Florentino
  • 177
  • 1
  • 3
  • 13

1 Answers1

2

First, = is for assignment. == is for comparison.

Second, using the index typeofdog without quotes is incorrect. PHP explains why here.

Try this:

if ($row['typeofdog'] == 'Labrador')

If this doesn't work, then $row['typeofdog'] does not equal 'Labrador'. In that case, try echoing $row['typeofdog'] just before the conditional so you can see what is being compared.

Also, yes, you are at risk for sql injection. First step to fixing this: don't use mysql. Instead use mysqli or pdo and utilize prepared statements.

Community
  • 1
  • 1
Mark Miller
  • 7,442
  • 2
  • 16
  • 22