
I'm making a simple auction website and I'm trying to keep the user from bidding on an item if they are already the highest bidder. At the moment, however, my code still allows the highest bidder to continue bidding and I get an error saying that mysql_fetch_array() expects parameter 1 to be resource. Any idea where I'm going wrong? Here is my code:

<html>
<head></head>
<body>
<?php
session_start();
require_once("dbconnect.inc");

$accountid=$_SESSION['accountid'];
$itemid=$_POST['itemid'];

$result = mysql_query("SELECT accountid FROM bidhistory 
WHERE biditem = '$itemid' ORDER BY bidhistoryid DESC"); 

while($row = mysql_fetch_array($result)){ // 
  $checkaccountid = $row['accountid']; 


  if($checkaccountid == $accountid){ /* THEN COMPARE IT WITH THE CURRENT USER */
    echo "You are the highest bidder!"; 
  }
  else { // they can still bid
   $sql="INSERT INTO bidhistory (accountid, biditemid)
   VALUES ($accountid, $itemid)"; 

  mysql_query("
    UPDATE bidhistory
    SET bidprice = bidprice + 1
    WHERE biditemid = " .
    @mysql_escape_string($itemid));

  $result=mysql_query($sql) or die("Error in adding bid for item: ".mysql_error());

  }
}
echo "Bid accepted!";
?>
<p><a href="listbiditems.php">Back to auction</a></p>
</body>
</html>
Robin
Lulu Sparks
  • First of all, you are using dangerous deprecated code, both with the mysql_ functions and with the fact that you are shutting off any errors on your inserted variables. Secondly, you need to report any errors that are happening with your queries. – nomistic Jul 14 '15 at 20:57
  • Any luck with the updated column name, via answer below? – chris85 Jul 15 '15 at 00:26
  • @chris85, Still no luck. – Lulu Sparks Jul 15 '15 at 22:12
  • Can you update the question with your updated code? The error message you are getting is `mysql_fetch_array() expects paramater 1 to be resource`? – chris85 Jul 15 '15 at 22:56

4 Answers


Your query is incorrect for your first select.

biditem =

should be

biditemid

$result = mysql_query("SELECT accountid FROM bidhistory 
WHERE biditemid = '$itemid' ORDER BY bidhistoryid DESC");

You are also open to SQL injection with this code. User input and SQL queries should be separated. To do this, use prepared statements. The mysql_ functions don't have support for this and are outdated. You should switch DB drivers; either PDO or mysqli should suffice.

One approach you could take is casting the itemid to an int (presuming it is an int).

$itemid= (int)$_POST['itemid'];

Then

$result = mysql_query("SELECT accountid FROM bidhistory 
WHERE biditemid = $itemid ORDER BY bidhistoryid DESC");

Additional information on injection prevention.

How can I prevent SQL injection in PHP?
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

An example using PDO and the query parameterized (http://php.net/manual/en/pdo.prepared-statements.php).

$parameterize = $dbh->prepare('SELECT accountid FROM bidhistory 
    WHERE biditemid = ? ORDER BY bidhistoryid DESC');
$parameterize->execute(array($itemid));

The ? here is a placeholder for the user provided value.

chris85
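The parameterized approach from this answer carried through to the asker's whole bid flow, as an added example (not code from the question or from any answer here): the "already the highest bidder?" check and the bid insert use PDO prepared statements, so `$_POST['itemid']` is never spliced into SQL text. It assumes the bidhistory table implied by the question (bidhistoryid, accountid, biditemid, bidprice); the DSN, credentials and function names are hypothetical.

```php
<?php
// Added example, not code from the question or any answer above: the
// "already the highest bidder?" check and the bid insert, redone with PDO
// prepared statements so $_POST['itemid'] is never spliced into the SQL text.
// Assumes the bidhistory table implied by the question (bidhistoryid,
// accountid, biditemid, bidprice); DSN, credentials and function names are
// hypothetical.

// True when $accountid placed the most recent bid on $itemid. Only the newest
// row matters, so LIMIT 1 replaces the original loop over every past bid.
function isHighestBidder(PDO $pdo, int $accountid, int $itemid): bool
{
    $stmt = $pdo->prepare('SELECT accountid FROM bidhistory
                           WHERE biditemid = ? ORDER BY bidhistoryid DESC LIMIT 1');
    $stmt->execute([$itemid]);
    $top = $stmt->fetchColumn();   // false when the item has no bids yet
    return $top !== false && (int) $top === $accountid;
}

// Inserts a bid one above the current top price. Check and insert run in one
// transaction so they see the same bid history.
function placeBid(PDO $pdo, int $accountid, int $itemid): string
{
    $pdo->beginTransaction();
    if (isHighestBidder($pdo, $accountid, $itemid)) {
        $pdo->rollBack();
        return 'You are the highest bidder!';
    }
    $stmt = $pdo->prepare('INSERT INTO bidhistory (accountid, biditemid, bidprice)
                           SELECT ?, ?, COALESCE(MAX(bidprice), 0) + 1
                           FROM bidhistory WHERE biditemid = ?');
    $stmt->execute([$accountid, $itemid, $itemid]);
    $pdo->commit();
    return 'Bid accepted!';
}

session_start();
$pdo = new PDO('mysql:host=localhost;dbname=auction;charset=utf8mb4', 'auction_user', 'secret');
// Throw on failure instead of returning false, which is what turned the broken
// SELECT into the "expects parameter 1 to be resource" error in the question.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// A non-numeric id casts to 0 and matches nothing instead of altering the query.
$itemid = (int) ($_POST['itemid'] ?? 0);
echo placeBid($pdo, (int) $_SESSION['accountid'], $itemid);
```

With ERRMODE_EXCEPTION a mistyped column name surfaces as a PDOException naming the column, rather than as a later fetch on `false`.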

You need to check to confirm that $result contains a successful query result. If it failed it will be 'false' and your request to fetch the data will fail as reported.

john elemans

The problem is not in the if and else statements but in the query. If you see this error ("mysql_fetch_array() expects parameter 1"), think about your query straight away.

Before my answer, I advise you to use mysqli, not mysql. Your query should be like this:

       $query="SELECT `accountid` FROM `bidhistory` 
       WHERE `biditem` = '".$itemid."' ORDER BY `bidhistoryid` DESC";
halfer
owis sabry
  • $query="SELECT `accountid` FROM `bidhistory` WHERE 'biditem' = '".$itemid."' ORDER BY 'bidhistoryid' DESC" try this, good luck – owis sabry Jul 14 '15 at 21:14
  • Pay attention, because the system converts the '`' symbol surrounding the words accountid, bidhistory – owis sabry Jul 14 '15 at 21:15

From PHP documentation:

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

Check your SQL query. There may be an error, or no matching data were found in the database.

Also, mysql_query is deprecated as of PHP 5.5.0, and will be removed in the future. You should start thinking about using mysqli_query or PDO.