
I have made an English to Persian dictionary using PHP and a database. I get the English word from the user and post it to process.php, and then in that file I search for the entered word in my database and I return the Persian meaning. This works fine, but my problem is when the entered word is not in my database the code does not enter the else condition and it does not print the "0 result" statement. I'll be really thankful if someone could help. So this is my first file:

<html>
<head>

<style>
    body {
    background-image: url("final.jpg");
    }


#par {
  width: 320px;
    padding: 10px;
    border: 5px solid gray;
    margin-left:auto;
    margin-Right:auto;
    position: absolute;
    top: 20%;
    left:35%;
    text-align: center; 
    background-color:Powderblue;
}




#footer{
margin-top:45%;
background-color:#C7BDBB;
text-align:right;
}


</style>


<title>niloofar-dictionary</title>
</head>




<body>

<div id=par>
<?php



$username="raanaste_niloo1";
$password="Nt13541372";
$dbname="raanaste_niloofar-dictionary";
$usertable="dictionary";
$yourfield = "english";
$yourfield1 = "persian";

//Connect to the database
$connection = mysql_connect($hostname, $username, $password);
mysql_select_db($dbname, $connection);

$name = $_POST["word"];


//Setup our query
$query = "SELECT persian FROM $usertable WHERE  english='{$_POST["word"]}'";

//Run the Query
$result = mysql_query($query);

//If the query returned results, loop through
// each result
if ($name)
{
    if ($result != NULL)
    {
        while ($row = mysql_fetch_array($result))
        {
            $na = $row["$yourfield1"];

            echo "word in persian: " . $na;
        }
    }
    else {
        echo "0 results";
    }
}




?>
</div>
<div id="footer">
  <h4> COPYRIGHT:  &copy; 2017 niloofartarighat. </h4></div>

</body>
</html>

and this is the process.php

niloofar
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 31 '17 at 19:49
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 31 '17 at 19:49
  • You do not have an `else` condition anywhere. – Jay Blanchard Jan 31 '17 at 19:50
  • The "word" I am going to submit is... "**`0' OR '1'='1`**". – spencer7593 Jan 31 '17 at 20:39

2 Answers


You can use a function:

    // $con is assumed to be an open mysqli connection created elsewhere.
    // $select, $from, $where and $orderBy are concatenated into the SQL text,
    // so any user-supplied value inside them must be escaped by the caller.
    function getDataForAdmin($select, $from, $where, $orderBy, $multi = false){
        global $con;
        $q = "select ".$select." from ". $from;
        // Append each clause only when it is neither null nor blank
        if($where !== null && trim($where) !== ''){
            $q .= " where ".$where;
        }
        if($orderBy !== null && trim($orderBy) !== ''){
            $q .= " order by ".$orderBy;
        }
        $r = mysqli_query($con, $q);
        if($r){
            // The query ran; zero rows is a separate case from a failed query
            if(mysqli_num_rows($r)>0){
                $data['result'] = true;
                if($multi){
                    $data['data'] = getMultilineData($r);
                }else{
                    $data['data'] = mysqli_fetch_assoc($r);
                }
            }else{
                $data['result'] = false;
                $data['data'] = "No Record Found!";
            }
        }else{
            $data['result'] = false;
            $data['data'] = "Error: 0xDS31ADMN". mysqli_errno($con);
        }
        return $data;
    }

    // Collect every row of a mysqli result into an array
    function getMultilineData($sql){
        $data = array();
        $c = 0;
        while ($r = mysqli_fetch_assoc($sql)){
            $data[$c] = $r;
            $c++;
        }
        return $data;
    }

    function escapeString($val) {
        global $con;
        return mysqli_real_escape_string($con, $val);
    }

    // isset($_POST) is always true, so test the field itself
    if(isset($_POST['name'])){
        $name = escapeString($_POST['name']);
        $data = getDataForAdmin("*", "table", "name = '$name'", null);
    }

and make your own code as well as you want :)

Rajpal Singh

I changed the while to else and the problem was fixed!!

    if($name)
    {
        if($result!=NULL)
        {
            if($row = mysql_fetch_array($result)) // this is the change
            {
                $na = $row["$yourfield1"];

                echo "word in persian: " . $na;
            }
            else {
                // no row fetched: the word is not in the table
                echo "0 results";
            }
        }
    }
niloofar
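
The lookup written with a PDO prepared statement, as the comments on the question recommend, with an explicit zero-row check. This is an added example, not code from the question or from either answer: `lookupWord()` is a hypothetical name, the sample rows are constructed, and an in-memory SQLite database stands in for the MySQL one so the script runs offline.

```php
<?php
// Added example, not the asker's code. An in-memory SQLite database stands in
// for the MySQL one; against MySQL only the DSN and credentials change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data using the table and column names from the question.
$pdo->exec('CREATE TABLE dictionary (english TEXT PRIMARY KEY, persian TEXT)');
$pdo->exec("INSERT INTO dictionary VALUES ('book', 'کتاب'), ('water', 'آب')");

/**
 * Look up one word. Returns the Persian meaning, or null when no row matches.
 * lookupWord() is a hypothetical helper name.
 */
function lookupWord(PDO $pdo, string $word): ?string
{
    // The placeholder keeps the user's input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT persian FROM dictionary WHERE english = :word');
    $stmt->execute([':word' => $word]);

    // fetchColumn() returns false when the result set is empty. A query that
    // succeeds with zero rows is not a failed query, so this is the check
    // that decides between a meaning and "0 results".
    $persian = $stmt->fetchColumn();
    return $persian === false ? null : $persian;
}

// Constructed inputs: a hit, a miss, and the string from the comment thread.
$inputs = ['book', 'tree', "0' OR '1'='1"];

foreach ($inputs as $word) {
    $meaning = lookupWord($pdo, $word);
    // Encode everything echoed back into the page.
    $shown = htmlspecialchars($word, ENT_QUOTES, 'UTF-8');
    if ($meaning === null) {
        echo "$shown: 0 results\n";
    } else {
        echo "$shown: word in persian: "
            . htmlspecialchars($meaning, ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

The string from the comment thread is bound as a literal value, so it is compared against the `english` column like any other word and falls into the "0 results" branch.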