0

I have a Problem and I don't know how to solve it. I try to make a simple if statement with a php variable. The Variable contains a MySQL SELECT value.

$adminarray = $mysqli->query("SELECT admin FROM user WHERE name LIKE '$username'");

$currentuser = mysqli_fetch_row($adminarray);

$adm = $currentuser[0];


echo "<form action='?delete1' method='post' style='visibility:";if ($adm = 1){echo "block";}else{echo "hidden";}echo "'>

I try to hide the button for non admins ($adm = 0) but it is not working. The IF Statemant always returns a "true". even if $adm is 0.

I know the code isn't that good, but I'm still learning. So if you can give some tips :)

Thanks for answering

Nicolo Lüscher
  • 595
  • 7
  • 22
  • 3
    It's okay that you're still learning, but please try to ask questions clearly. I have no idea what you're asking. See [ask]. – ChrisGPT was on strike Dec 02 '16 at 13:43
  • @Chris there is no question asked, actually. He was just wanted some tips. – Naman Dec 02 '16 at 13:45
  • Possible duplicate of [The 3 different equals](http://stackoverflow.com/questions/2063480/the-3-different-equals) – chris85 Dec 02 '16 at 14:09
  • 1
    `if ($adm = 1)` is setting `$adm` to `1`, not comparing it. – chris85 Dec 02 '16 at 14:10
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Dec 02 '16 at 16:40

2 Answers2

3

Firstly, use ternary operator for inline comperison and read about comparison operators in PHP

Secondly, do not write a few strings that separated by semicolon together. Semicolon in PHP means end of instruction and it's better to write each in new line, so it will be easier to read and maintain the code

Thirdly, always escape data in SQL queries and check type of variable before indexing it as array(is_array, isset)

Finnaly, use IDE (PhpStorm, NetBeans etc) it will help you to prevent doing such mistakes 

$username = $mysqli->real_escape_string($username);
$adminarray = $mysqli->query("SELECT admin FROM user WHERE name LIKE '$username'");

$currentuser = mysqli_fetch_row($adminarray);

$adm = is_array($currentuser) ? $currentuser[0] : null;
$visibility = $adm == 1 ? "block" : "hidden";

echo "<form action='?delete1' method='post' style='visibility:$visibility'>";

It is also worth noting that prepared statements are preferable to plain SQL queries when you are using parameters. In that case code will look slightly different:

$stmt = $mysqli->prepare("SELECT admin FROM user WHERE name LIKE ?");
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_row();
$visibility = (is_array($row) && $row[0] == 1) ? "block" : "hidden";

echo "<form action='?delete1' method='post' style='visibility:$visibility'>";

More details about prepared statements you can find here: Prepared Statements

Oleks
  • 1,633
  • 1
  • 18
  • 22
  • Don't use manual escaping like this. It's more error prone and substantially more verbose than simply using prepared statements and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php). – tadman Dec 02 '16 at 16:41
0

Ok, I feel really stupid right now. I wrote $adm = 1 instead of $adm == 1. I'm really sorry for the waste of time.

Nicolo Lüscher
  • 595
  • 7
  • 22
  • You aren't the only one that has been bitten. I think there's a reason that Pascal, PL/I and Oracle PL/SQL use the **`:=`** (colon equals) operator symbol for assignment. – spencer7593 Dec 02 '16 at 22:23