I am trying to retrieve the client IP, page URL and today's date and store them in my database. I have a table called pageviews with four parameters - "client-ip", "current-url", "current-date" and "viewcount". If there are no pageviews for today, it will create a row and store the pageview for that particular day, and if there is a count of pageviews, it will just update the pageviews only if the client IP is not the same as before.

But the problem is, this script is not working. Can anybody please tell me why? If possible, can you construct something better on these parameters? Any advice or solution will be highly appreciated.

Thank you.

```php
$current_url = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

$date = date('Y-m-d');

$client_ip = $_SERVER['REMOTE_ADDR'];

echo "$current_url, $date, $client_ip";

$recent = mysqli_query($con,"SELECT * FROM pageviews") 
 or die(mysqli_connect_errno());

while($info = mysqli_fetch_array( $recent )) 
{
   $date = $info['current-date'];
   $client_ip = $info['client_ip'];
   $current_url = $info['current-url'];
   $viewcount = $info['viewcount'];

if ($info=0) {
    mysqli_query($con,"INSERT INTO `pageviews` VALUES ('$date','$client_ip','$current_url','$viewcount')");
}
else {
    mysqli_query($con,"UPDATE `pageviews` SET `viewcount`=`viewcount`+1 WHERE current-date=$date AND current-ip not like $clinet-ip");
}

}
```

  • if ($info=0) - this way you set $info=0. I think you have to use if (empty($info))... – bksi Sep 02 '14 at 17:37
  • Let's see... 1) Vulnerable to [SQL injection attacks](http://bobby-tables.com) 2) Simply assuming queries can never fail, so no checking return values. 3) SQL syntax errors by backtick-quoting every field EXCEPT the ones that would actually cause problems 4) Syntax errors caused by the SQL injection vulnerabilities 5) SQL syntax errors caused by using undefined PHP variables, due to typos in the variable names. – Marc B Sep 02 '14 at 17:37
  • @bksi, can you please show me an elaborate syntax? What should I replace it with? Thanks. – Natasha Kimberly Sep 02 '14 at 17:57
  • @MarcB can you please explain how this is vulnerable to SQL attacks and how can I prevent it? What should I do? Thanks. – Natasha Kimberly Sep 02 '14 at 17:58
  • You're presently assigning `if ($info=0)` do `if ($info==0)` to compare. You also need to quote `WHERE current-date=$date AND current-ip not like $clinet-ip` and a typo `$clinet-ip` – Funk Forty Niner Sep 02 '14 at 17:58
  • Fred, I just tried it. It's still not returning anything. Just blank. – Natasha Kimberly Sep 02 '14 at 18:00
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Marc B Sep 02 '14 at 18:08
  • Thanks MarcB, but the user here is not inputting anything here. The script will run in the background during page load. Is it still vulnerable? Considering that the user will be unaware of this script. – Natasha Kimberly Sep 02 '14 at 18:10
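
An added example, not part of the original post or its comments: the same page-view counter written with mysqli prepared statements, which covers the injection, quoting and error-checking points raised in the comments. `HTTP_HOST` and `REQUEST_URI` are copied from the HTTP request, so their content is chosen by the client even though the page has no form. The example assumes the column names given in the question text, a unique key on (`current-url`, `current-date`), and placeholder connection details.

```php
<?php
// Added example, not the asker's code. Assumes a UNIQUE KEY on
// (`current-url`, `current-date`) and placeholder credentials.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw

function record_pageview(mysqli $con, string $url, string $ip, string $date): void
{
    // Bump today's counter only when the stored IP differs from this visitor.
    $upd = $con->prepare(
        'UPDATE `pageviews`
            SET `viewcount` = `viewcount` + 1, `client-ip` = ?
          WHERE `current-url` = ? AND `current-date` = ? AND `client-ip` <> ?'
    );
    $upd->bind_param('ssss', $ip, $url, $date, $ip);
    $upd->execute();
    if ($upd->affected_rows > 0) {
        return;
    }
    // No row changed: either there is no row for today yet, or it is the
    // same IP again. INSERT IGNORE creates the row in the first case and
    // is a no-op in the second because of the unique key.
    $ins = $con->prepare(
        'INSERT IGNORE INTO `pageviews`
            (`client-ip`, `current-url`, `current-date`, `viewcount`)
         VALUES (?, ?, ?, 1)'
    );
    $ins->bind_param('sss', $ip, $url, $date);
    $ins->execute();
}

$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$con->set_charset('utf8mb4');

// HTTP_HOST and REQUEST_URI come from the request: bind them, never
// interpolate them into the SQL string.
$url = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
record_pageview($con, $url, $_SERVER['REMOTE_ADDR'], date('Y-m-d'));
```

Because every value is bound as a parameter, a quote character in the request path is stored as data and cannot change the statement.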

0 Answers