-1

My issue I believe is fairly simple but after a whole day trying different variations I have resorted to bothering you guys, please excuse me if this has been covered but I could not find a close enough example

I have a php file that is a processing file for a simple html form

Process.php:

<?php
error_reporting(E_ALL); ini_set('display_errors', 1);
$host="1.2.3.4:3306"or die("wrong server");  // Host name 
$username="username"or die("wrong Username");  // Mysql username 
$password="password"or die("Wrong Password");  // Mysql password 
$db_name="db-name"or die("wrong DB");  // Database name 
$tbl_name="banned"or die("Wrong table");  // Table name 
$member = isset($_REQUEST['member']) ? $_REQUEST['member'] : "";

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$find_member = mysql_query("SELECT member FROM banned WHERE member='$member'")or 
die(mysql_error());
$ban = mysql_fetch_array($find_member);

if($member == $ban['member']){ 
echo ("this member is banned");
}
else {
echo ("<form method='post' action='http://example.com/access.php'>
<input type='text' style='display:none;' value='<?php echo
htmlspecialchars($member);?'/>'
<button type='submit'>Continue</button>");
}
?>

Form.html:

<form method="post" action="http://example.com/process.php">
<input type="text" name="member">
<input type="submit">
</form>

What im trying to accomplish:

A user would type their member number in the form.html and click submit, process.php will catch POST and either echo the text "this member is banned" or if member number is not on banned sql table, then display a html button with with a hidden input field that will carry the $member variable on to the next page

What is actually happening

no matter what number is entered into the form.html it always displays the html button. there is one number on the blacklist but when entered still displays the button

Error reporting

php and sql error reporting displays no errors

Side note DB structure

member VARCHAR(20) / id (auto increment) / Time (timestamp - defalt:current time stamp)

The member number is Alphanumeric and is max 15 characters example: +ayw7394

The initial error of using:

if($member = $ban['member']){

was replaced with:

if($member == $ban['member']){

but produces the opposite effect of echoing the "banned member" message regardless of which number is being inputed

It seems as though the

if  statements are being ignored

Can anyone please provide me with some advice?

thank you for your help so far

Bob Richards
  • 15
  • 4
  • if you echo the `$member` and the `$ban['member']` variable, are you getting the expected values? – JuanSedano Jan 16 '15 at 02:30
  • thank you very much for your input has made me realise one of my main faults was that it will never use the variable if I dont actually pass it on :) - which is included in the code above but not on my actual code online - top man thanks again for our help – Bob Richards Jan 16 '15 at 15:47

3 Answers3

2

"no matter what number is entered into the form.html it always displays the html button. there is one number on the blacklist but when entered still displays the button"

The reason being is this:

In this if($member = $ban['member']) you're assigning = instead of comparing == to compare $member against the "member" row.

Change that to if($member == $ban['member'])

Footnotes:

  • </input> isn't a valid closing tag and can be safely removed.

Edit:

Also this code block:

echo ("<form method='post' action='http://example.com/access.php'>
<input type='text' style='display:none;' value='<?php echo
htmlspecialchars($member);?'/>'
<button type='submit'>Continue</button>");

You're already in PHP, so there's no need for the <?php echo and ?>

Change it to:

echo ("<form method='post' action='http://example.com/access.php'>
<input type='text' value='".htmlspecialchars($member)."'/>
<button type='submit'>Continue</button>");

Which could explain why it shows "banned" because you're probably re-clicking on it after.

  • I suggest you just remove it and do a redirection instead.

Example, and by replacing it with the echo'd button:

else{
header("Location: your_form.html");
exit;
}
Community
  • 1
  • 1
Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141
  • thank you for your response, unfortunately I did try this earlier and it does the opposite and always echo's the banned message no matter what number is entered in he form, I keep just staring at it and seems to make sense but doesnt work. It seems like the if statements get ignored, any other suggestions will be much appreciated – Bob Richards Jan 16 '15 at 01:07
  • @BobRichards I'll have another closer look at it Bob. In the meantime, add error reporting to the top of your file(s) right after your opening ` – Funk Forty Niner Jan 16 '15 at 01:08
  • @BobRichards I had a look your code again but couldn't see why it's not working, so I'll setup a DB on my side and will let you know of my findings. I will keep you posted. I will be using `mysqli_` instead of `mysql_`. `mysql_` doesn't work on my server. – Funk Forty Niner Jan 16 '15 at 01:54
  • @BobRichards I've setup a DB and was successful, so I don't know where the problem is, but I can say it's on your side and somewhere in your DB. My table's row was `VARCHAR(50)` with names like "John" and "Johnny". While entering "John", it was TRUE. When entering "Johnn", it was FALSE. Make sure your input and DB row(s) do not contain spaces, since that will throw off the query. You say your row is Alphanumeric, meaning VARCHAR? – Funk Forty Niner Jan 16 '15 at 02:15
  • @BobRichards I also need to have an example of data you're querying. I.e.: `A123` or `A-123`, or `A.123`, or other. – Funk Forty Niner Jan 16 '15 at 02:33
  • hi ad thank you - the row is a VARCHAR(20) called "member" - I am still working on an automated member number so I am using a phone number e.g. +441234567891 - I have also tested with adding the name "john" to the table but still always the same - the structure of the table is member / id (auto increment) / time (timestamp, default:current time stamp) - currently holds only 2 rows "a phone number" and "john", all cells have entires – Bob Richards Jan 16 '15 at 02:49
  • @BobRichards You're welcome. The only other thing that comes to mind is that you're probably re-clicking on the button. Reload my answer and look under **Edit**, which I've added a possible explanation and some changes to the submit inside the `echo`. Other than that, I am unable to replicate the problem. My tests were conclusive and successful. However, you should just remove it altogether and redirect instead. It does pose a problem, which I am next to certain is the problem. Remove it. – Funk Forty Niner Jan 16 '15 at 03:34
  • First and foremost I am incredible grateful for your help and appreciate all your input and advice - mission accomplished after looking through your notes and changing the php variable on the button - my black list is now working and if on db will display "banned message" and if not passes on member number variable onto next form - thank you again its due to people like you that help us script kiddies get by :) – Bob Richards Jan 16 '15 at 15:42
  • Note: part of the syntax error on my code was rectified when cleaning personal info from code to paste on here and thanks to another member @JuanSedano to make me realise if I dont pass on the variable to the next page it will never be able to use it. nice one Fred – Bob Richards Jan 16 '15 at 15:43
1

Your problem is at the line

if($member = $ban['member']){

This is actually always true because you are setting $member to be equal to $ban['member']. Did you mean ?

if($member == $ban['member']){
Marco Aurélio Deleu
  • 4,279
  • 4
  • 35
  • 63
  • thank you, I have been trying various methods but unfortunately this produces the opposite effect and displays the "banned message" instead regardless of what is typed in the form the if statements dont seem to be executing- any help would be much appreciated – Bob Richards Jan 16 '15 at 02:58
0

Echo $member and $ban['member'] to see if they are the same or different value.

Another step, other than guarding against SQL injection like someone else said, would be to run TRIM commands on your input and on your MYSQL fields to ensure spaces aren't an issue.

Dwight Worley
  • 1
  • 1