-2

I'm trying to code a PHP page that checks if the $_GET['uuid'] matches the value in the database and if the IP address of the current visitor matches the IP address of $_GET['uuid'] stored in the database.

Here is the code:

if(isset($_GET['uuid'])){
    $uuid = $_GET['uuid'];
    include('database.php');
    $sql = "SELECT * FROM `ips`"; 
    $sql2 =  "SELECT * FROM `ips` WHERE `uuid` =  '". $uuid ."'";
    foreach($mysqli->query($sql) as $row){
        $ipss = $row;
    }
    foreach($mysqli->query($sql2) as $ipsrrr){
        $ipsr = $ipsrrr;
    }
    if($ipss['uuid'] == $uuid && $ipsr['ip'] == $gip){
            $allowed = 1;
    }else{
        header('Location: index.php');
        exit(0);
    }
}else{
    header('Location: index.php');
    exit(0);
}

I don't know why, but I get stuck in the foreach loop. I get a blank page with a loading icon.

Alberto
  • You're not outputting anything, so surely you will get a blank page. – Masivuye Cokile Sep 27 '18 at 12:05
  • `$gip` is undefined there. Also add `error_reporting(E_ALL);ini_set('display_errors',1);` on top of your script to get possible errors. – Alive to die - Anant Sep 27 '18 at 12:05
  • Why do you make two queries, once to fetch ***all*** IP rows, and once to fetch just the ones where `uuid` matches (which seems more sensible)?! Secondly, you're looping over the results and assigning to `$ipss` and `$ipsr`, but you're overwriting those variables and only the last row will stick there. This all makes very little sense. You should just do *one* query `WHERE uuid = $uuid AND ip = $gip`, and either you get a result or you don't. No need to loop over anything or compare something again in PHP. – deceze Sep 27 '18 at 12:11
  • What is the `$gip` variable that you compare against? – Byrm Arf Sep 27 '18 at 12:12
  • First, sorry that I have not posted the whole code. – get Server Sep 27 '18 at 12:12
  • $gip is the return value of a function that gets the IP from the user. – get Server Sep 27 '18 at 12:13
  • In addition to the unneeded second query, you should parameterize your query. – user3783243 Sep 27 '18 at 12:23
  • @getServer you can't ask people to register somewhere just to help you. – Alberto Sep 27 '18 at 13:52
  • @Alberto I never asked people to register somewhere - if you click the link you will see there is no way to register ^^ – get Server Oct 01 '18 at 07:16

3 Answers

1

You don't need to perform any loops. As @deceze said, you can simply query for uuid and ip; if there is a result, the user is 'allowed'. Be careful with SQL injections.

  if(!empty($_GET['uuid'])){

    require_once 'database.php'; // provides $mysqli

    // The visitor's address; the question obtains it through its own helper ($gip).
    $ip = $_SERVER['REMOTE_ADDR'];

    // Evaluate IP and UUID in one query. Binding the values as parameters keeps
    // user input out of the SQL text (the SQL injection warned about above).
    $stmt = $mysqli->prepare("SELECT 1 FROM ips WHERE uuid = ? AND ip = ?");
    $stmt->bind_param('ss', $_GET['uuid'], $ip);
    $stmt->execute();
    $stmt->store_result();

    // A SELECT that matches nothing still returns a result object, so test the
    // row count rather than the truthiness of query()/execute().
    if($stmt->num_rows > 0){
      $allowed = 1;
    } else {
      header('Location: index.php');
      exit; // stop here, otherwise the rest of the page still runs
    }

  } else {
    header('Location: index.php');
    exit;
  }

Haven't tested it, but it should work.

A few things regarding your code:

  1. Instead of including it, you should require your database file.
  2. You could take a look at PDO and Prepared Statements.
T K
  • `$uuid` and `$ip` should probably be quoted. Mysqli has prepared statements; PDO doesn't _need_ to be looked at. Possible link for the mysqli doc: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – user3783243 Sep 27 '18 at 12:25
  • `isset && !empty` is redundant nonsense. – deceze Sep 27 '18 at 12:43
  • @deceze It's not: if the URL is `?uuid=`, `isset` will return true, but there is no uuid, therefore we need to check with `empty`. – T K Sep 27 '18 at 12:53
  • See [Why check both isset() and !empty()](https://stackoverflow.com/q/4559925/476). – deceze Sep 27 '18 at 12:54

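The single-query check that deceze and T K describe, written out as an added example (this is not code from the question or from any of the answers). It assumes PHP with the pdo_sqlite extension so it runs offline against an in-memory database; the `ips` table and its `uuid`/`ip` columns follow the question, while the sample rows, the addresses and the `buildSampleDb`/`isAllowed`/`gate` function names are constructed here.

```php
<?php
// Added example, not code from the question or any answer. It assumes PHP
// with the pdo_sqlite extension; the `ips` table and its `uuid`/`ip` columns
// follow the question, and the rows, addresses and function names are made up.

// Build an in-memory database with constructed sample rows.
function buildSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ips (uuid TEXT NOT NULL, ip TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO ips (uuid, ip) VALUES (?, ?)');
    foreach ([['a1b2c3', '203.0.113.10'], ['d4e5f6', '198.51.100.7']] as $row) {
        $insert->execute($row);
    }
    return $db;
}

// One parameterized query replaces the question's two SELECTs, the loops and
// the PHP-side comparison: a row comes back only when uuid AND ip match
// together. Because the values are bound, a quote or keyword inside $uuid is
// compared as data and cannot alter the query text.
function isAllowed(PDO $db, string $uuid, string $ip): bool
{
    $stmt = $db->prepare('SELECT 1 FROM ips WHERE uuid = ? AND ip = ? LIMIT 1');
    $stmt->execute([$uuid, $ip]);
    return $stmt->fetchColumn() !== false;
}

// The request handling the answer sketches: redirect unless the pair matches.
// Returns the decision so it can be exercised from the CLI, where header()
// has no effect; in a web request the exit after header() matters, because
// without it the rest of the page keeps executing for a denied visitor.
function gate(PDO $db, array $get, string $remoteIp): bool
{
    $uuid = $get['uuid'] ?? '';
    if ($uuid !== '' && isAllowed($db, $uuid, $remoteIp)) {
        return true;
    }
    if (PHP_SAPI !== 'cli') {
        header('Location: index.php');
        exit;
    }
    return false;
}

$db = buildSampleDb();
$cases = [
    ['a1b2c3', '203.0.113.10'],    // uuid and ip belong together
    ['a1b2c3', '198.51.100.7'],    // known uuid, but another row's ip
    ['zzzzzz', '203.0.113.10'],    // unknown uuid
    ["a1b2c3' x", '203.0.113.10'], // uuid containing a quote: compared literally, no SQL error
];
foreach ($cases as [$uuid, $ip]) {
    printf("%-14s %-14s allowed=%s\n", $uuid, $ip, isAllowed($db, $uuid, $ip) ? 'yes' : 'no');
}
printf("gate: %s\n", gate($db, ['uuid' => 'd4e5f6'], '198.51.100.7') ? 'allowed' : 'denied');
```

Run it with `php check.php`. In a real page, pass the visitor's address the same way the asker's `$gip` helper obtains it, and keep the `exit` after `header()`: a redirect header alone does not stop PHP from rendering the protected content to a visitor who was just denied.
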
0

$mysqli->query($sql) returns a result set.

Try replacing each of your foreach loops with the following (adjusted for each loop):

$resultSet = $mysqli->query($sql);
// fetch_assoc() keys each row by column name, so $ipss['uuid'] works;
// fetch_row() would give numeric keys instead.
while($row = $resultSet->fetch_assoc())
{
    $ipss = $row;
}

This will retrieve the resultset, and then perform an action for each row returned.

NibyNool
0

Your code $mysqli->query($sql) returns an object, not an iterable array. To get an array of fields you will need to use the method fetch_all(MYSQLI_ASSOC). Look at the example below:

    <?php
    $host = "localhost";
    $mysql = mysqli_connect($host, "root", "", "database");
    $result = $mysql->query("SELECT * FROM `table`");
    $rows = $result->fetch_all(MYSQLI_ASSOC);
    // parameter `MYSQLI_ASSOC` means each row is returned as an associative array
    // (without it you will get numeric keys for each row)
    // $rows[0] is the first row, keyed by column name.
    // Now you can manipulate the data, one row at a time:
    foreach ($rows as $row) {
        $get_data = $row['some_col_name'];
    }
    ?>
undrown