<?php
include('session.php');
?>
<?php 
require_once('mysql_connect.php');
$query2 = "SELECT id, username, banned FROM login WHERE username = '$login_session'";
$result2 = mysql_query($query2) OR die(mysql_error());
$row = mysql_num_rows($result2);

if($row['banned'] == 1) {
die();
}

?>

Session.php

<?php
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "", "");
// Selecting Database
$db = mysql_select_db("", $connection);
session_start();// Starting Session
// Storing Session
$user_check=$_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql=mysql_query("select username from login where username='$user_check'", $connection);
$row = mysql_fetch_assoc($ses_sql);
$login_session =$row['username'];
if(!isset($login_session)){
mysql_close($connection); // Closing Connection
header('Location: login.php'); // Redirecting To Login Page
}
?>

As you can see, I'm trying to stop people who are banned from loading profile.php.

It doesn't stop the profile page from loading.

KIXEYE

3 Answers

3

Thanks Fred, that worked – KIXEYE

Make it an answer, I'll mark it as answered as soon as I can – KIXEYE

As per the OP's wish:

You're using the wrong function for $row. Either use one that will fetch a row as an array, or change if($row['banned'] == 1) to if($row == 1) to work with mysql_num_rows.


Footnotes:

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements; they're much safer.


Example pulled from https://stackoverflow.com/a/6620252/

$user = "bob";
$user = mysql_real_escape_string($user);
$result = mysql_query("SELECT COUNT(*) AS num_rows FROM my_table WHERE username='{$user}' LIMIT 1;");
$row = mysql_fetch_array($result);
if($row["num_rows"] > 0){
   //user exists
}

Edit:

If your banned row contains 1 or 0 to check if they're banned, then add another parameter to your where clause. I.e.: WHERE username ='$login_session' AND banned !=1 if banned column is an int type. If not, wrap 1 in quotes.

This translates to: WHERE username exists and is 'John' and banned does NOT equal 1. Or make it 0, it's your choice.
Funk Forty Niner
  • I just tried the answer you gave me a moment ago up top; now it shows the banned page even if you're not banned. This is what I tried: `Banned.php` – KIXEYE Jun 09 '15 at 02:46
  • @KIXEYE which piece of code in your question is `profile.php`, the first one? What you should be doing then is checking to see if the session is set in the page you want to protect. I.e.: `if(isset($_SESSION['login_user'])){ do something } else { do something else }`. All pages must contain that conditional statement, which is best. But for the protected page mostly. – Funk Forty Niner Jun 09 '15 at 02:50
  • The session has to be set, otherwise profile.php redirects you back to the login page. – KIXEYE Jun 09 '15 at 02:53
  • @KIXEYE worked fine for me. I logged out and tried to reload profile.php and was not able to see the information I saw once logged in. I got redirected to http://rs-list.com/login.php automatically because I wasn't signed in. – Funk Forty Niner Jun 09 '15 at 02:56
  • @KIXEYE now I just did it again and I now see `banned`, so something looks like it kicked in. Edit: now I was able to see the content when I reloaded profile.php – Funk Forty Niner Jun 09 '15 at 02:58
  • Displays as banned even though the account has banned == 0 in the database. Edit: Banned is located in the left corner of the site. – KIXEYE Jun 09 '15 at 03:00
  • @KIXEYE are you using `if($row == 1)` or `if($row == 0)`? You wrote `even tho the account has banned == 0`; try using `if($row > 0)` instead. – Funk Forty Niner Jun 09 '15 at 03:04
  • @KIXEYE if you're getting a "banned" echoed message on the top left (it was black, hard for me to see), then whatever content you're using for that page isn't inside the right conditional statement. I don't think you showed us the full or more code that we need. Does your question contain code for `profile.php`? That's unclear. If the session is set, show something, else show them something else, or "include" something else. – Funk Forty Niner Jun 09 '15 at 03:07
  • Still says banned. I'll explain what I'm trying to do here: if the username logged in has "1" instead of "0" in the banned column (my structure = id, username, avatar, banned), i.e. the user is banned, echo banned and die on the page. – KIXEYE Jun 09 '15 at 03:07
  • Will post it on pastebin so you can see the full code. Profile.php http://pastebin.com/SCJeT4Um session.php http://pastebin.com/geMGyTeQ – KIXEYE Jun 09 '15 at 03:08
  • @KIXEYE if your `banned` row contains `1` or `0` to check if they're banned, then add another parameter to your `where` clause. I.e.: `WHERE username ='$login_session' AND banned !=1` if the banned column is an `int` type. If not, wrap `1` in quotes. This says WHERE username='John' and banned does NOT equal 1. Or make it `0`, your choice. – Funk Forty Niner Jun 09 '15 at 03:10
  • @KIXEYE and the pastebin file contains `if($num == 1) { include 'banned.php'; }`. I don't see `die()` or anything else to stop the process. You can also use a header redirect instead, if banned, rather than show page content, and redirect them to `login.php` instead. And add `exit;` after the header to prevent further execution of code that may be below that. Edit: Saw your new comment, you're welcome. Will add that to my answer. – Funk Forty Niner Jun 09 '15 at 03:14
2

Then why don't you just fetch users who are not banned:

$ses_sql = mysql_query("SELECT username FROM login WHERE username='$user_check' AND banned <> 1",$connection);
$numofresult = mysql_num_rows($ses_sql);

Then check if it has a result:

if($numofresult > 0){
   /* SUCCESS */
}
else {
   /* BANNED */
}

To guard against SQL injection, use the mysql_real_escape_string() function.

$user = mysql_real_escape_string($username,$connection);

But a better recommendation is to use mysqli_* prepared statements or PDO.

// $connection is a mysqli object here; the username is bound as a parameter, not interpolated into the SQL
if($stmt = $connection->prepare("SELECT username FROM login WHERE username = ? AND banned <> 1")){
  $stmt->bind_param("s", $user_check);
  $stmt->execute();
  $stmt->store_result();
  $numofresult = $stmt->num_rows;
  $stmt->close();
}
Logan Wayne
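The two answers above (fetch the row rather than the row count, and stop interpolating the username into the SQL) combined into one profile-page guard, as an added example that is not code from the question or from either answer. It assumes a PDO connection with placeholder credentials, the question's `login` table with a `banned` column, and the `login_user` session key used in session.php.

```php
<?php
// Added example: guard for a protected page, not the question's or answers' own code.
// Assumes: table `login` (username, banned), session key 'login_user', PDO credentials below are placeholders.
session_start();

// Refuse anyone without a session before touching the database.
if (empty($_SESSION['login_user'])) {
    header('Location: login.php');
    exit; // header() alone does not stop the script; without exit the rest of the page still renders
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: the value is never spliced into the SQL text
    ]
);

// The username travels as a bound parameter, so it is always treated as data, never as SQL.
$stmt = $pdo->prepare('SELECT username, banned FROM login WHERE username = ? LIMIT 1');
$stmt->execute([$_SESSION['login_user']]);
$row = $stmt->fetch(PDO::FETCH_ASSOC); // fetch the row itself; mysql_num_rows-style counts have no ['banned'] key

if ($row === false) {
    // Session names a user that no longer exists: treat it like no session at all.
    session_destroy();
    header('Location: login.php');
    exit;
}

if ((int) $row['banned'] === 1) {
    http_response_code(403);
    exit('banned'); // stop here; nothing below this line is sent to a banned user
}

$login_session = $row['username'];
// ... protected profile content follows ...
```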
-1

mysql_num_rows() returns a number of rows, not the rows themselves.

You should use mysql_fetch_assoc() or similar function.

Evgeniy Chekan