0

when insert data in a inbox and when it compare with mysql data with it will show error message. my dbcon.php file is

<?php
define('DB_server','localhost');
define('DB_user','root');
define('DB_pass','');
define('DB_Name','dbtuts');

class DB_con
{
 function __construct()
 {
 $con=mysql_connect(DB_server,DB_user,DB_pass) or die('connection problem'.mysql_error());
 mysql_select_db(DB_Name,$con);
 
 }
 
 public function comp($lnum)
 {
 $res = "SELECT * FROM users WHERE l_num= '".$_GET["$lnum"]."'";
 return $res;
 }
 
 
}
?>

here database table values f_num,l_num,sum and my compare.php file is

<?php
include_once 'dbcon.php';
$con=new DB_con();

if(isset($_POST['log']))
 {
 
 $lnum=$_POST['li_num'];
 $res=$con->comp($lnum);
 if($res){
 while($row = mysql_fetch_array($res)) {
 $num=$row['li_num'];
 
 ?>
 <script>
 
 alert("thnks for login")
 </script>
 <?php
 }
 }
  }
 ?>
<html>
 <head>
 <title>Enter customer value</title>
 </head>
 <body>
 <center>
  <form method="POST">
   <table align="center">
   <tr>
   <td><input type="text" name="fi_num" placeholder="enter value" required>   name</td>
   </tr>
   <tr>
   <td><input type="text" name="li_num" placeholder="enter extra">   password</td>
   </tr>
   <tr>
   <td><input type="text" name="sum" placeholder="enter sum">   sum</td>
   </tr>
   <tr>
   <td><button type="submit" name="log">login</button></td>
   </tr>
   </table>
  </form>
 </center>
 </body>
</html>

when i click login button two errors coming 

Notice: Undefined index in dbcon.php and
Warning: mysql_fetch_array() expects parameter 1 to be resource, string given in compare.php

any suggestion for this problem.it will help to me

ndm
  • 59,784
  • 9
  • 71
  • 110
nuwan siriwardhana
  • 21
  • 5
  • 1
    You need to use mysqli_* – Rafael Shkembi Jul 07 '16 at 15:04
  • what is the value of $lnum? – Rafael Shkembi Jul 07 '16 at 15:06
  • 1
    You're `POST`ing the form, yet `GET`ing the variable. That won't work. And switch to mysqli or PDO. mysql_* functions are deprecated, and removed as of PHP7. Both libraries will allow you to prevent SQL injection. – aynber Jul 07 '16 at 15:07
  • $lnum is my insert values – nuwan siriwardhana Jul 07 '16 at 15:22
  • Please dont use [the `mysql_` database extension](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php), it is deprecated (gone for ever in PHP7) Specially if you are just learning PHP, spend your energies learning the `PDO` database extensions. [Start here](http://php.net/manual/en/book.pdo.php) its really pretty easy – RiggsFolly Jul 07 '16 at 15:32
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 07 '16 at 15:32
  • thank you sir i will try for that – nuwan siriwardhana Jul 07 '16 at 15:43

1 Answers1

-2

Your comp function does not return a mysql result set, it is returning a string representing the select statement. You need to pass this string to mysql_query to return a result set.

Secondly, you are passing "comp" the value of $_POST[$li_num] and attempting to fetch the result of that from $_GET. Remove the $_GET from your comp function and use $lnum directly within it.

Obviously there are sql sanitation implications that need addressing as well.

public function comp($lnum)
{
  return mysql_query("SELECT * FROM users WHERE l_num= '" . mysql_real_escape_string($lnum) . "'");
}

You should probably research using mysqli as these functions are deprecated though.

Brandon Horsley
  • 7,956
  • 1
  • 29
  • 28
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared statement and parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 07 '16 at 15:32
  • thanks for quick response..sql sanitation implications is work for but stile there have problem .with Undefined index: li_num in compare.php – nuwan siriwardhana Jul 07 '16 at 15:39
  • Please update your question to have your updated code and error. – Brandon Horsley Jul 07 '16 at 15:50
  • The single quotes in the statement will protect from injection, I agree it is not the right way, but his question is asking about THIS method and that is what I'm answering. Obviously using deprecated functions is not the correct path. – Brandon Horsley Jul 07 '16 at 16:01