So basically I got this code right here:

<?php
include_once 'dbconfig2.php';
$con = new DB_con();
$table = "users";
if(isset($_GET['profile_id']))
{
 $sql=mysql_query("SELECT * FROM users WHERE user_id=".$_GET['profile_id']);
 $result=mysql_fetch_array($sql);
}
?>

I am clueless as to how I would make it so if the user_id is not existent in the records, they cannot view their profile but it leads them to another message or piece of code.

L. Bourne
  • something like ` if (mysql_num_rows($result)<1){die('INVALID USER');} ` Also, you really shouldn't be using PHP's MySQL function. Converting to MySQLI – Duane Lortie Jan 27 '17 at 23:58
  • 2005 called, they want their database API back! http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – miken32 Jan 28 '17 at 00:23
  • You should use prepared parameterized statements in order to avoid sql injection. – rescobar Jan 28 '17 at 01:08

2 Answers


If the user_id doesn't exist, there won't be any rows in the result. When you try to read a row with mysql_fetch_array(), it returns FALSE. So you can simply test $result:

if (!$result) {
    // mysql_fetch_array() gave FALSE: no row matched this profile_id
    die("Invalid profile ID");
}
Barmar

Try to use prepared statements using mysqli, in order to avoid sql injection.

By way of example:

$mysqli = new mysqli("localhost", "root", "root", "test");
if ($mysqli->connect_errno) {
  // stop here: nothing below can work without a connection
  die("connect_error: " . $mysqli->connect_error);
}
$id = $_GET['profile_id'];
$result = $mysqli->prepare('SELECT name FROM users WHERE user_id = ?');
if ($result === false) {
  die("prepare failed: " . $mysqli->error);
}
$result->bind_param("i", $id);   // "i": bound as an integer, so the value can never alter the SQL text
$result->execute();
$col1 = null;
$result->bind_result($col1);
$result->fetch();                // returns null and leaves $col1 null when no row matched
$is_valid_profile = (!$col1) ? 'Invalid profile' : 'Valid profile';
echo $is_valid_profile;
$result->close();

http://php.net/manual/en/mysqli.prepare.php

rescobar
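Putting both answers together, as an added example that is not code from the question or either answer: a lookup function that validates profile_id before it reaches the database, runs the query as a mysqli prepared statement, and returns null when no such user_id exists. It assumes a `users` table with an integer `user_id` and a `name` column as in the question; the connection credentials are placeholders.

```php
<?php
// Added example: safe profile lookup with a mysqli prepared statement.
// Assumes a `users` table with integer `user_id` and a `name` column; credentials are placeholders.

function find_profile(mysqli $db, $raw_id): ?array
{
    // Reject anything that is not a plain non-negative integer before touching the database.
    // filter_var() returns false for "", "12abc", "1 OR 1=1" and similar input.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null;
    }

    // The "?" placeholder is sent to the server separately from the value, so the value
    // can never change the query's structure (contrast: "... WHERE user_id=" . $_GET['profile_id']).
    $stmt = $db->prepare('SELECT user_id, name FROM users WHERE user_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }

    // get_result() needs the mysqlnd driver; fetch_assoc() returns null when no row matched.
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;   // null means "no such user_id"
}

$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');   // placeholders
if ($db->connect_errno) {
    http_response_code(500);
    exit('Database unavailable');
}
$db->set_charset('utf8mb4');

$profile = find_profile($db, $_GET['profile_id'] ?? '');
if ($profile === null) {
    // Unknown or malformed id: same response either way, so nothing is revealed about valid ids.
    http_response_code(404);
    exit('Invalid profile ID');
}
// Escape on output too: the stored name is untrusted data when it lands in HTML.
echo 'Hello, ' . htmlspecialchars($profile['name'], ENT_QUOTES, 'UTF-8');
```

Because the id is validated as an integer and bound with `i`, a request such as `profile_id=1 OR 1=1` is rejected before any query runs, while a well-formed but unknown id simply yields the 404 branch.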