
I am trying to run two queries together and separating them by a semicolon.

```php
$query2 = "UPDATE users SET locked = '1' WHERE id = '13'; 
        UPDATE users SET reset_key = '".$resetKey."' WHERE id = '13';";
```

Here is my complete code. I am trying to create a kind of brute force protection for a login form. If there are 5 incorrect attempts to login, the account should lock up and a random reset key gets created. Then the key gets stored in the database and that is where the query isn't getting executed.

```php
<?php
$mysqli = new mysqli('localhost', 'x', 'x', 'x');
if ($mysqli->connect_error) {
    die('Connect Error (' . $mysqli->connect_errno . ') '
            . $mysqli->connect_error);
}
$result = $mysqli->query("SELECT * FROM `users` WHERE `email` = 'abc@abc.abc'");
$result = $result->fetch_row();
$locked = $result[5];
$resetKey = $result[6];
$attempts = $result[4];

if ($attempts == NULL) {
    $attempts = 1;
} elseif ($attempts == '5') {
    /* let's create a random string */
    $letters='abcdefghijklmnopqrstuvwxyz';  // selection of a-z
    for($x=0; $x<3; ++$x){  // loop three times
        $resetKey.=$letters[rand(0,25)].rand(0,9);  // concatenate one letter then one number
    }
    $query2 = "UPDATE users SET locked = '1' WHERE id = '13'; 
    UPDATE users SET reset_key = '".$resetKey."' WHERE id = '13';";
    echo "<p>".$query2."</p>";
    $result2 = $mysqli->query($query2);
} else {
    $attempts++;
    $query3 = "UPDATE users SET attempts = '".$attempts."' WHERE id = '13'";
    $result3 = $mysqli->query($query3);
}
?>
```
user339519
    So what does your error log file say? – arkascha Nov 01 '17 at 21:56
  • I see if attempts is NULL, you set attempts to 1. That's it, it's done after that. The `else` block of your code does not run, because the `if` block ran. – Bill Karwin Nov 01 '17 at 21:59
  • Please [learn to use query parameters](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) instead of concatenating variables into SQL query strings. – Bill Karwin Nov 01 '17 at 22:00
  • @BillKarwin - you can't see it in the code, but in that row attempts is set to 5, so the query should be executed. As a control mechanism I included an echo statement, which does output the query. Thanks for the link though, maybe I will find the answer that way. – user339519 Nov 01 '17 at 22:15
  • you have 2 queries there not one, that's why and you dont even need 2 -- see below –  Nov 01 '17 at 22:16
  • It will appear in whatever environment the query is executed in. Your tags suggest that would be the http server. – arkascha Nov 01 '17 at 22:16
  • `UPDATE users SET locked = '1', reset_key = '".$resetKey."' WHERE id = '13'; ` –  Nov 01 '17 at 22:17
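The two comments above give the whole answer: `mysqli::query()` executes a single statement, so the second `UPDATE` in `$query2` never runs, and both columns can be set in one `UPDATE` anyway. The following is an added example, not the asker's code, showing the lockout written that way with bound parameters instead of string concatenation. It keeps the table and column names from the question (`users`, `email`, `attempts`, `locked`, `reset_key`) and the limit of five attempts; the connection credentials, the `FOR UPDATE` row lock, the transaction, and the use of `random_bytes()` for the reset key are my own choices rather than anything stated on the page.

```php
<?php
// Added example: account lockout after repeated failed logins, using a single
// parameterised UPDATE rather than two statements separated by a semicolon.
// Assumed schema (from the question): users(id, email, attempts, locked, reset_key).
declare(strict_types=1);

const MAX_ATTEMPTS = 5;

// Make mysqli throw on errors so a failed query cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function generateResetKey(): string
{
    // 16 bytes from the CSPRNG, hex-encoded: 32 characters, unlike the
    // three-letter/three-digit key built with rand() in the question.
    return bin2hex(random_bytes(16));
}

/**
 * Record one failed login for $email.
 * Returns ['locked' => bool, 'attempts' => int].
 */
function recordFailedLogin(mysqli $db, string $email): array
{
    $db->begin_transaction();
    try {
        // Lock the row for the rest of the transaction so two concurrent
        // failures cannot both read the same attempt count.
        $stmt = $db->prepare(
            'SELECT id, attempts, locked FROM users WHERE email = ? FOR UPDATE'
        );
        $stmt->bind_param('s', $email);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();

        if ($row === null) {
            // Unknown account: return the same shape as for a known one.
            $db->commit();
            return ['locked' => false, 'attempts' => 0];
        }

        $id = (int) $row['id'];
        // (int) turns a NULL attempts column into 0, so the first failure counts as 1.
        $attempts = ((int) $row['attempts']) + 1;

        if ($attempts >= MAX_ATTEMPTS) {
            // One statement sets all three columns; no second query needed.
            $resetKey = generateResetKey();
            $stmt = $db->prepare(
                'UPDATE users SET locked = 1, reset_key = ?, attempts = ? WHERE id = ?'
            );
            $stmt->bind_param('sii', $resetKey, $attempts, $id);
            $stmt->execute();
            $stmt->close();
            $db->commit();
            return ['locked' => true, 'attempts' => $attempts];
        }

        $stmt = $db->prepare('UPDATE users SET attempts = ? WHERE id = ?');
        $stmt->bind_param('ii', $attempts, $id);
        $stmt->execute();
        $stmt->close();
        $db->commit();
        return ['locked' => false, 'attempts' => $attempts];
    } catch (Throwable $e) {
        $db->rollback();
        throw $e;
    }
}

// Usage (placeholder credentials; the email is the one from the question):
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
$state = recordFailedLogin($db, 'abc@abc.abc');
if ($state['locked']) {
    // Deliver the reset key out of band (e.g. by email); never echo it to the page.
}
```

Two design notes. The lock count is reset elsewhere (on a successful login or after the reset key is used), which this function deliberately does not do. The reset key is itself a credential: storing its hash (for example `hash('sha256', $resetKey)`) and comparing hashes at reset time limits what a read of the `users` table exposes; that is an extra step this example leaves to the caller.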
