
So I am currently making a site where it needs to connect to my database when they log in. On login, it retrieves the user's ID. I got the code working, no errors, but when I looked in my database, it got a random number for the ID and stored that. So what am I doing wrong?

<?php
require 'steamauth/steamauth.php';

if(!isset($_SESSION['steamid'])) {

    $username = "Unknown";
    $avatar = "defaultUser";
    $accid = "Unknown";

    $avatarSmall = "smallUser"; //For Dashboard

} else {

    include ('steamauth/userInfo.php');

    $username = &$steamprofile['personaname'];
    $avatar = &$steamprofile['avatarmedium'];
    $accid = &$steamprofile['steamid'];

    $avatarSmall = &$steamprofile['avatar']; //For Dashboard

    include('connect-mysql.php');

    if(!$dbcon){
        die('Database Failed To Connect.');
    }else{
        // '&$accid' inside a double-quoted string is not a PHP reference: PHP interpolates
        // $accid and keeps the literal '&', so MySQL received the string '&76561198...'
        // rather than the Steam ID. The ampersand is dropped below and the value is
        // escaped before it goes into the SQL text. Note also that a 64-bit SteamID does
        // not fit a signed 32-bit INT column (max 2147483647); userID needs BIGINT UNSIGNED
        // or VARCHAR.
        $safeId = mysqli_real_escape_string($dbcon, $accid);
        $checkUserID = mysqli_query($dbcon, "SELECT userID FROM userData WHERE userID = '$safeId'");
        if(!$checkUserID){
            die('Server Failed To Respond.');
        }else{
            if(mysqli_num_rows($checkUserID) > 0) {
                $getCredits = mysqli_query($dbcon, "SELECT userCredits FROM userData WHERE userID = '$safeId'");
                // The original never read the result; fetch the credit balance here.
                $row = mysqli_fetch_assoc($getCredits);
                $userCredits = $row ? (int)$row['userCredits'] : 0;
            }else{
                $sqlinsert = "INSERT INTO userData (userID, userCredits) VALUES ('$safeId', '0')";
                if(!mysqli_query($dbcon, $sqlinsert)){
                    die('Server Failed To Respond To Query.');
                }
                $userCredits = 0;
            }
        }
    }
}
?>

But it's strange because when I use $accid in my HTML code, it displays the correct number.

Any ideas?

Thanks,

Matt

Matt142

  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 13 '16 at 16:34
  • Remove all those ampersands (`&` make me nervous). Do you really need them? – Jose Manuel Abarca Rodríguez Jul 13 '16 at 16:45
  • They are there due to the variable not being updated after logging in. – Matt142 Jul 13 '16 at 17:00
  • Insert `echo $accid; exit;` **after** `$accid = &$steamprofile['steamid'];`. Tell me what value you see on screen. Notice `echo $accid` doesn't have ampersand (but you can try with ampersand, too). – Jose Manuel Abarca Rodríguez Jul 13 '16 at 17:32
  • We have plenty of ideas. However, this is not a do-Matt's-homework-for-him service. – Bruce David Wilner Jul 13 '16 at 18:03
  • $accid returns 76561198076071015 which is correct – Matt142 Jul 13 '16 at 18:17
  • I have attempted to use PDO, but I am receiving, Call to a member function prepare() on a non-object. Any reason why? Code: http://codepad.org/y3JHd7kz – Matt142 Jul 13 '16 at 19:49
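The lookup-or-create logic from the question, rewritten as an added example (not the asker's code and not part of this thread) with mysqli prepared statements, which is what the first comment points to. It assumes `$dbcon` is a `mysqli` connection as in the asker's `connect-mysql.php`, and that `userData` is created with the column types shown; the Steam ID value is a constructed sample, and `getOrCreateCredits` is a name chosen here. The two `echo` lines at the end show what the original `'&$accid'` interpolation actually produced.

```php
<?php
// Added example (not the asker's code). Assumes $dbcon is a mysqli instance
// created by connect-mysql.php; the SteamID value below is a constructed sample.

// A SteamID64 such as 76561198076071015 exceeds a signed 32-bit INT (max 2147483647),
// so the column must be BIGINT UNSIGNED (or VARCHAR) to hold it intact.
$createUserData = 'CREATE TABLE IF NOT EXISTS userData ('
    . ' userID BIGINT UNSIGNED NOT NULL PRIMARY KEY,'
    . ' userCredits INT NOT NULL DEFAULT 0'
    . ')';

/**
 * Return the credit balance for $steamId, inserting a row with 0 credits
 * when the user has not been seen before. (Name chosen for this example.)
 */
function getOrCreateCredits(mysqli $dbcon, string $steamId): int
{
    // The ID is sent as a bound parameter, never spliced into the SQL text,
    // so no quoting or escaping is needed and the query shape is fixed.
    // Binding as a string ('s') also keeps a 17-digit value exact on 32-bit PHP.
    $stmt = $dbcon->prepare('SELECT userCredits FROM userData WHERE userID = ?');
    $stmt->bind_param('s', $steamId);
    $stmt->execute();
    $stmt->bind_result($credits);
    $found = $stmt->fetch();
    $stmt->close();

    if ($found) {
        return (int) $credits;
    }

    $ins = $dbcon->prepare('INSERT INTO userData (userID, userCredits) VALUES (?, 0)');
    $ins->bind_param('s', $steamId);
    $ins->execute();
    $ins->close();
    return 0;
}

// Why the original stored the wrong value: inside a double-quoted string "&$accid"
// interpolates $accid but keeps the literal ampersand, so MySQL saw '&7656...'.
$accid = '76561198076071015';                   // constructed sample SteamID64
echo "SELECT ... WHERE userID = '&$accid'\n";   // ampersand ends up in the SQL text
echo "SELECT ... WHERE userID = '$accid'\n";    // what was intended

// Usage (assumes connect-mysql.php defines $dbcon as a mysqli instance):
// mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false
// require 'connect-mysql.php';
// $dbcon->query($createUserData);
// $userCredits = getOrCreateCredits($dbcon, $accid);
```

Enabling `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` before connecting makes a failed `prepare()` or `execute()` throw a `mysqli_sql_exception` with the server's message, which is easier to diagnose than a `false` return that later surfaces as a method call on a non-object.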

0 Answers