
This is the code

<?php
include("global.php");

$username = mysql_real_escape_string(stripslashes($_POST["strUserName"]));
$password = md5(mysql_real_escape_string(stripslashes($_POST["strPassword"])));
$charid = mysql_real_escape_string(stripslashes($_POST["charid"]));
$quest = mysql_real_escape_string(stripslashes($_POST["strQuest"]));


$query = "SELECT * FROM wherei_users, wherei_characters WHERE wherei_users.username = '{$username}' AND wherei_users.password = '{$password}' AND wherei_characters.username =     '{$username}' AND wherei_characters.Id = '{$charid}'";
$result = mysql_query($query);
$yesorno = (mysql_num_rows($result) == 0) ? 'NO' : 'YES';


 if(empty($username) || empty($password) || empty($charid) || empty($quest) || $yesorno == "NO") {
$status="error";
$msg="InvalidData";
$actiontype="&actiontype=savequestdata";
$out=("$actiontype&status=$status&msg=$msg");
}

if ($yesorno = "YES") {
mysql_query("UPDATE wherei_characters SET strQuest = '{$quest}' WHERE username = '{$username}' AND id = '{$charid}'") or die(mysql_error());
$actiontype="&actiontype=savequestdata";
$status="success";
$out=("$actiontype&$status");
}

echo("$out");
?>

However, it always returns that the status was success. When I go to my browser and just type the URL, it returns this

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

And when I set the values wrong on purpose it returns that the status is successful. You see that if either $username, $password, $charid or $quest is empty, or $yesorno is NO, then it should echo &actiontype=savequestdata&status=error&msg=InvalidData. No matter what I set the variables to, it returns &actiontype=savequestdata&success.

Adie

1 Answer

This is your issue:

if ($yesorno = "YES") {

Spot it yet? .... ?

A single = in PHP is an assignment operator, so you are assigning the variable $yesorno to equal "YES", which in PHP (not all languages) will also run the IF and will equate to TRUE.

You need either:
== the comparison operator
or
=== the identical comparison operator.



Some unrelated, yet important, side notes on your code:

Deprecated Function
The mysql_ functions are deprecated. You should consider looking into/learning/using MySQLi or PDO.

More info: How can I prevent SQL injection in PHP?

Validate and Sanitise
I see you use mysql_real_escape_string on the $_POST variables.
Make sure you are checking the variables before you pass the data onto the database stage.
The user could enter anything into the form, and as you are using mysql_ which is prone to injection attacks, you should be very careful.

What are the best PHP input sanitizing functions?

MD5
Even php.net, the developers OF PHP, state:

Note: Secure password hashing
It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm.

See here for why:
http://php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

James
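The three fixes the answer recommends, applied to the poster's handler as an added example (this is not the original poster's or the answerer's code): `===` instead of `=`, PDO prepared statements instead of string-built mysql_ queries, and password_hash()/password_verify() instead of md5(). It keeps the question's table and field names, but everything else is an assumption: an in-memory SQLite database with constructed rows so the script runs stand-alone (swap the DSN for your MySQL one), charid validated as a positive integer, arbitrary 64/4096 length caps, and `status=success` on the success path so the client parses both outcomes the same way.

```php
<?php
// Added example: the savequestdata handler with the answer's side notes applied.
// Assumes PHP >= 5.5 (password_hash) and the PDO sqlite driver for the demo;
// in production use a DSN like "mysql:host=localhost;dbname=wherei" instead.
declare(strict_types=1);

/** Build an in-memory database with the two tables the original query joins. */
function wherei_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE wherei_users (username TEXT PRIMARY KEY, password TEXT NOT NULL)");
    $db->exec("CREATE TABLE wherei_characters (id INTEGER PRIMARY KEY, username TEXT NOT NULL, strQuest TEXT)");
    // Constructed sample rows. The stored value is a password_hash() result, not an md5().
    $ins = $db->prepare("INSERT INTO wherei_users (username, password) VALUES (?, ?)");
    $ins->execute(['adie', password_hash('correct horse', PASSWORD_DEFAULT)]);
    $db->prepare("INSERT INTO wherei_characters (id, username, strQuest) VALUES (7, 'adie', NULL)")->execute();
    return $db;
}

/**
 * Validate the POST fields, authenticate, and save the quest.
 * Returns the same "&actiontype=...&status=..." string the original echoed.
 */
function save_quest_data(PDO $db, array $post): string {
    $actiontype = '&actiontype=savequestdata';

    // 1. Validate before touching the database: presence, type and size.
    //    The length limits are assumptions for the example.
    $username = $post['strUserName'] ?? '';
    $password = $post['strPassword'] ?? '';
    $quest    = $post['strQuest'] ?? '';
    $charid   = filter_var($post['charid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

    if ($username === '' || $password === '' || $quest === '' || $charid === false
        || strlen($username) > 64 || strlen($quest) > 4096) {
        return "$actiontype&status=error&msg=InvalidData";
    }

    // 2. Fetch the stored hash with a prepared statement: the values are bound as
    //    data, never interpolated into the SQL text.
    $stmt = $db->prepare(
        "SELECT u.password FROM wherei_users u
         JOIN wherei_characters c ON c.username = u.username
         WHERE u.username = :username AND c.id = :charid"
    );
    $stmt->execute([':username' => $username, ':charid' => $charid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. password_verify() compares against the salted hash; note === (not =) on the result.
    if ($row === false || password_verify($password, $row['password']) !== true) {
        return "$actiontype&status=error&msg=InvalidData";
    }

    // 4. The UPDATE is parameterised too, and scoped to the authenticated user's character.
    $upd = $db->prepare(
        "UPDATE wherei_characters SET strQuest = :quest WHERE username = :username AND id = :charid"
    );
    $upd->execute([':quest' => $quest, ':username' => $username, ':charid' => $charid]);

    return "$actiontype&status=success";
}

// Demo runs covering the cases the question describes.
$db = wherei_db();
// Valid credentials and character: status=success
echo save_quest_data($db, ['strUserName' => 'adie', 'strPassword' => 'correct horse',
                           'charid' => '7', 'strQuest' => 'find the key']), "\n";
// Wrong password: status=error&msg=InvalidData (no longer "success")
echo save_quest_data($db, ['strUserName' => 'adie', 'strPassword' => 'wrong',
                           'charid' => '7', 'strQuest' => 'x']), "\n";
// Bare GET with no POST body: InvalidData instead of a MySQL syntax error
echo save_quest_data($db, []), "\n";
// Injection attempt: charid fails integer validation, and the username is bound as data anyway
echo save_quest_data($db, ['strUserName' => "adie' OR '1'='1", 'strPassword' => 'x',
                           'charid' => '7 OR 1=1', 'strQuest' => 'x']), "\n";
```

Because the stored hash is produced by password_hash(), existing md5 rows will not verify; migrating an existing table means rehashing each user's password at their next successful login, which the PHP password FAQ linked in the answer also describes.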