1

I have this script. Everything works fine except that the first "if" condition does not evaluate as expected because it does not echo out the code that proves that it evaluated properly. I have a page (index.php) containing a form with post action from where the `$_POST['pincode']` is coming from. So when `if($pincode !== $_POST['pincode'])` evaluates to true, instead of header location to echo the error message and come back to index.php page, what happens is that it routes to my checkpin.php (this script) and stays there. NB: `$_POST['pincode']` is a number input type in HTML.

```php
$_SESSION['pincode']= $_POST['pincode'];

$conn = new mysqli("localhost","user","pass",'db');
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = $conn->query("SELECT pincodex, pinmatch FROM voters_reg WHERE pincodex = '{$_SESSION['pincode']}'");
$row_count = $sql->num_rows;
if ($row_count == 1)
{
    while($row = $sql->fetch_assoc()){
        $pinmatch = $row['pinmatch'];
        $pincode = $row['pincodex'];

        if($pincode !== $_POST['pincode']){
            $_SESSION['error'] = "first error message";
            header('Location: index.php');
            exit();

        } elseif ($pinmatch == $_POST['pincode']){
            $_SESSION['error'] = "second error message";
            header('Location: index.php');
            exit();

        } else {
            $_SESSION['success'] = "success message";
            header('Location: pinsuccess.php');
            exit();
        }

    }
}
$conn->close();
```
Don't Panic
Gyne
  • please read about [SQL Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496) – RiggsFolly Apr 18 '16 at 14:31
  • Are you sure you need to use `!==` and not `!=` instead? (`!==` returns true if `$pincode` and `$_POST['pincode']` are different or of a different type, while `!=` returns true if they are different without caring about their type) – Aurel Apr 18 '16 at 14:31
  • Theoretically, how could the value returned by your query ever be different from the value that was used as its criteria? – Don't Panic Apr 18 '16 at 14:50
  • @Aurel I have tried that too but it did not work either. – Gyne Apr 18 '16 at 15:26
  • @Don't Panic I am comparing the value returned by my query with the value inputted by the user in the form. If they are different, then the first error message should display. – Gyne Apr 18 '16 at 15:30

2 Answers

0

Logically, `$pincode` should never be able to be not equal to `$_POST['pincode']`. Consider the following steps:

  1. `$_SESSION['pincode']` is set to `$_POST['pincode']`;
  2. Rows are selected from your database `WHERE pincodex = '{$_SESSION['pincode']}'`

    At this point, because of the WHERE clause, every row returned by your query will have `pincodex == $_POST['pincode']`.

  3. You set `$pincode = $row['pincodex'];`

    If there is a row, `$row['pincodex']` will always equal `$_POST['pincode']`.

So, regardless of type checking, the condition `if($pincode !== $_POST['pincode']){` can never evaluate to true, and your code will never enter that if block.

If a pincode is entered that is not found in your database, `$sql->num_rows` will return 0 and the code will not enter the `if ($row_count == 1)` block at all. I think this is most likely why your script is not redirecting as expected.

Don't Panic
  • Thank you Don't Panic. I have modified by testing the condition that will return no row first outside the while loop. – Gyne Apr 18 '16 at 16:58
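
The restructuring described in the answer above, together with the prepared statement the SQL injection comment points to, as an added example that is not code from the question or from any answer. It assumes `pincodex` is unique, keeps the table, column and message names from the question, and introduces a hypothetical helper `redirect_with()`.

```php
<?php
// Added example: checkpin.php arranged so that every outcome redirects.
session_start();

// Hypothetical helper: store a session message, redirect, stop the script.
function redirect_with(string $key, string $message, string $target): void
{
    $_SESSION[$key] = $message;
    header('Location: ' . $target);
    exit();
}

// A number input still arrives as a string; accept digits only.
$pin = $_POST['pincode'] ?? '';
if (!is_string($pin) || !ctype_digit($pin)) {
    redirect_with('error', 'first error message', 'index.php');
}

// Throw on database errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'user', 'pass', 'db'); // placeholders from the question

// Bound parameter: the PIN is never concatenated into the SQL text.
$stmt = $conn->prepare('SELECT pinmatch FROM voters_reg WHERE pincodex = ?');
$stmt->bind_param('s', $pin);
$stmt->execute();
$stmt->bind_result($pinmatch);
$found = $stmt->fetch(); // true when a row was fetched, null when none matched
$stmt->close();
$conn->close();

if ($found !== true) {
    // No matching row: the case the original script never handled,
    // which left the browser on a blank checkpin.php.
    redirect_with('error', 'first error message', 'index.php');
}

// Same test as the question's elseif branch, made type-safe (assumption:
// pinmatch holds the PIN as text or NULL).
if ((string) $pinmatch === $pin) {
    redirect_with('error', 'second error message', 'index.php');
}

redirect_with('success', 'success message', 'pinsuccess.php');
```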
-1

Try changing the if statement to `if($pincode !== (int)$_POST['pincode']){`

yk11
  • Why should the OP "try this"? A **good answer** will always have an explanation of what was done and why it was done that way, not only for the OP but for future visitors to SO that may find this question and be reading your answer. – RiggsFolly Apr 18 '16 at 14:33
  • Since there was already a comment describing the issues with the various comparison operations but no actual code, I decided not to repeat it, just provide an actual code snippet for the OP to use. – yk11 Apr 18 '16 at 16:13