Get the wrong response

Question

I got the following code and I don't find the mistake. When i execute it, I always get "no_request".

$username is equal to Reebal and $user is equal Simon

Ajax/jQuery

$("#cancel_friend").click(function(e){
    var user = "<?php echo $user_username; ?>";
    var type = "cancel_friend"
    $.ajax({
        type: "POST",
        url: "../system/friend_system.php",
        data: {
            user: user,
            type: type
        },
        success: function(data, status){
            if(data == "friend_request_canceled"){
                $("#cancel_friend").css("display", "none");
            }else{
                $(".error_msg_container").html(data);
            }
        },
        error: function(){
            alert(data);
        }

friend_system.php

}else if($_POST['type'] == "cancel_friend"){
    $sql = "SELECT COUNT(id) friends WHERE user1 = '$username' AND user2 = '$user' AND accepted='0' LIMIT 1";
    $result = mysqli_query($conn, $sql);
    $request = mysqli_fetch_row($result);
    if($request[0] > 0){
        $sql = "DELETE FROM friends WHERE user1 = '$username' AND user2 = '$user' AND accepted='0' LIMIT 1";
        $result = mysqli_query($conn, $sql);
        mysqli_close($conn);
        echo "friend_request_canceled";
        exit();
    }else{
        echo "no_request";
        exit();
    }

Here is the friends table:

Hope you can help me.

Where do you set `$username`? Did you tried debugging your code? — empiric, Jul 14 '17 at 16:36
$username is in another php file, where I check the current logged in user. Yeah when I echo $username, I get 'Reebal' — Reebal, Jul 14 '17 at 16:38
Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. — Alex Howansky, Jul 14 '17 at 16:44

score 0 · Accepted Answer · edited Jul 14 '17 at 17:08

0

Right now on my phone so I can't look at it that well, your SQL Query is unsafe. Use either mysqli or pdo. And you forgot the FROM your the sql query, here's an sql injection safe code:

$con = new PDO("mysql:host=localhost;dbname=dbName" , "dbPassword","dbUsername"); // connecting with PDO
$query = $con->prepare("SELECT COUNT(id) FROM friends WHERE user1 = :username AND user2 = :username2 AND accepted = \"0\" LIMIT 1"); // Preparing a query
$query->bindParam(":username" , $username,  PDO::PARAM_STR); // binding parameters in a safe way
$query->bindParam(":username2",$username2,PDO::PARAM_STR); 
$query->execute();
$result = $query->fetchAll(); // fetching the result and putting it in result

REMEMBER TO CHANGE THE VARIABLES AND MODIFY THE CONNECTION DETAILS If it doesn't work comment not this comment

edited Jul 14 '17 at 17:08

Reebal

59
5

answered Jul 14 '17 at 16:57

Guy Sudai

36
5

If anyone can edit my comment to make it look better that'd be good – Guy Sudai Jul 14 '17 at 16:58
Works! Thank you sir. – Reebal Jul 14 '17 at 17:08
But can I use mysql_real_escape_string(); for the variables instead? – Reebal Jul 14 '17 at 17:09
No, it doesn't help AT ALL – Guy Sudai Jul 14 '17 at 17:10
Real escape string just escapes characters and doesn't make it injection safe – Guy Sudai Jul 14 '17 at 17:10
BTW PDO actually does that for you, I just found that out(escapes the strings) – Guy Sudai Jul 14 '17 at 23:53

Get the wrong response

1 Answers1