
In my code I am trying to verify whether the query is true before outputting the result. I have tried:

require("init.php");
if(empty($_GET["book"]) && empty($_GET["url"])) {
    $_SESSION["msg"] = 'Request not valid';
    header("location:obinnaa.php");
}
if(isset($_GET["book"]) && isset($_GET["url"])) {
    $book = $_GET['book'];
    $url = $_GET['url'];
    $drs = urldecode("$url");
    $txt = encrypt_decrypt('decrypt', $book);
    if(!preg_match('/(proc)/i', $url)) {
        $_SESSION["msg"] = 'ticket printer has faild';
        header("location:obinnaa.php");
        exit();
    } else {
        $ql = mysqli_query($conn, "select * from books where book='$txt' AND used='loading'");
        $count = mysqli_num_rows($sql);
        if($count < 1) {
            $_SESSION["msg"] = 'Transation has oready been made by a customer please check and try again';
            header("location:obinnaa.php");
            exit();
        }
        while($riow = mysqli_fetch_assoc($ql)) {
            $id = $riow["id"];
            $tqty = $riow["quantity"];
            for($b = 0; $b < $tqty; $b++) {
                $run = rand_string(5);
                $dua .= $run;
            }
        }
        $sql = mysqli_query($conn, "select * from books where book='$txt' AND used='loading'");
        $split = $dua;
        $show_plit = str_split($split, 5);

        $b = 0;

        while($row = mysqli_fetch_assoc($sql)) {
            $id = $row["id"];
            $qty = $row["quantity"];
            $oldB = $b;
            $am = " ";
            for(; $b < $oldB + $qty; $b++) {
                $am .= "$show_plit[$b]";
                $lek = mysqli_query($conn, "UPDATE books SET ticket='$am' WHERE id=$id");
            }
            if($lek) {
                $adr = urlencode($adr = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"]);
                $ty = encrypt_decrypt("encrypt", $txt);
                $vars = array(
                    "book" => $ty,
                    "url" => $adr
                );
                $querystring = http_build_query($vars);
                $adr = "viewbuy.php?" . $querystring;
                header("location: $adr");
            } else {
                $_SESSION["msg"] = 'Transation failed unknow error';
                header("location:obinnaa.php");
            }
        }
    }
}

but I get to $_SESSION["msg"]='Transation has oready been made by a customer please check and try again'

even when the query is right. What am I doing wrong?

GrumpyCrouton
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Nov 30 '17 at 18:04

1 Answer

Check your return variable name from the query. You have $ql when it should be $sql.

$sql = mysqli_query($conn, "select * from books where book='$txt' AND used='loading'");
$count = mysqli_num_rows($sql);

A good IDE would flag this. NetBeans is a good free one.

Public Service Announcement: NEVER build SQL queries straight from a URL parameter. Always sanitize your inputs and (better yet) use parameterized queries for your SQL calls. You can Google these topics for more info.

Nate Reynolds
  • [Little Bobby](http://bobby-tables.com/) says the code in your answer **[may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. **Please** _add a warning about this_, and you should include information on [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) or [PDO](http://php.net/manual/en/pdo.prepared-statements.php). – GrumpyCrouton Nov 30 '17 at 18:10
  • Indeed, but his question wasn't about security. For all we know this may just be a school project. Nevertheless, I'll update my answer with the usual warning about injections. – Nate Reynolds Nov 30 '17 at 18:13
  • It doesn't really matter to me what the question was about, if you are sharing code with security vulnerabilities you should mention those vulnerabilities because the OP may have no idea. Your answer becomes more valuable this way. Plus 1 since you edited your question, thank you :) – GrumpyCrouton Nov 30 '17 at 18:33
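An added example, not code from the question or the answer, that addresses both points raised on this page: the typo goes unnoticed because mysqli_query() returns false on failure and mysqli_num_rows() is then handed an undefined variable, and the SELECT interpolates whatever encrypt_decrypt('decrypt', …) returns straight into the SQL, so a value such as x' OR '1'='1 would turn the WHERE clause into book='x' OR ('1'='1' AND used='loading') and match every loading row. The rewrite below turns query failures into exceptions and binds the value as a parameter. It assumes init.php provides an open mysqli connection in $conn and starts the session, the table is books(id, book, used, quantity, ticket) as the question's queries imply, encrypt_decrypt() is the asker's own helper used unchanged, and the asker's rand_string() is replaced by random_bytes() so the example runs without it.

```php
<?php
declare(strict_types=1);

// Added example, not the asker's or answerer's code. Assumptions: init.php
// opens the session and a mysqli connection in $conn (as in the question);
// the table is books(id, book, used, quantity, ticket); encrypt_decrypt()
// is the asker's helper; rand_string() is replaced by random_bytes().
require "init.php";

// Make mistakes visible. E_ALL reports the undefined $sql that the typo
// produces; MYSQLI_REPORT_STRICT turns a failed query into an exception
// instead of a false return value, so mysqli_num_rows() is never passed false.
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Rows still marked 'loading' for $book. The value is bound, not interpolated. */
function loadingRows(mysqli $conn, string $book): array
{
    $stmt = $conn->prepare(
        "SELECT id, quantity FROM books WHERE book = ? AND used = 'loading'"
    );
    $stmt->bind_param('s', $book);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

/** Store a ticket string on one row; returns true on success. */
function setTicket(mysqli $conn, int $id, string $ticket): bool
{
    $stmt = $conn->prepare("UPDATE books SET ticket = ? WHERE id = ?");
    $stmt->bind_param('si', $ticket, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** $qty five-character codes, as the question builds with rand_string(5). */
function makeTicket(int $qty): string
{
    $ticket = '';
    for ($i = 0; $i < $qty; $i++) {
        $ticket .= substr(bin2hex(random_bytes(3)), 0, 5);
    }
    return $ticket;
}

/** Set the flash message and stop; the question's first branch forgets to exit. */
function redirectWithMessage(string $msg): void
{
    $_SESSION['msg'] = $msg;
    header('Location: obinnaa.php');
    exit();
}

if (!isset($_GET['book'], $_GET['url'])
    || !is_string($_GET['book']) || !is_string($_GET['url'])) {
    redirectWithMessage('Request not valid');
}
if (!preg_match('/proc/i', $_GET['url'])) {
    redirectWithMessage('ticket printer has failed');
}

$txt = encrypt_decrypt('decrypt', $_GET['book']);

try {
    $rows = loadingRows($conn, $txt);   // one query; the result is reused below
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());        // keep the real cause out of the response
    redirectWithMessage('Transaction failed, unknown error');
}
if (count($rows) < 1) {
    redirectWithMessage('Transaction has already been made by a customer, please check and try again');
}

foreach ($rows as $row) {
    setTicket($conn, (int) $row['id'], makeTicket((int) $row['quantity']));
}

// http_build_query() already URL-encodes each value, so no extra urlencode() is needed.
$query = http_build_query([
    'book' => encrypt_decrypt('encrypt', $txt),
    'url'  => 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'],
]);
header('Location: viewbuy.php?' . $query);
exit();
```

With MYSQLI_REPORT_STRICT in place the original typo would have produced an "Undefined variable: $sql" notice followed by a TypeError from mysqli_num_rows(), rather than silently taking the "already been made" branch. The SELECT is also issued once and its rows reused, instead of being run twice as in the question.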