-1

This is an assignment for a PHP course I'm taking. We created a database in MySQL, and we are working on making a website to view/insert/update/delete information in the database. Right now, I'm getting a "Page not working" error while running an if statement to see if an ID # already exists in the database.

I have tried commenting out parts of my code to determine where the problem is, and I'm pretty sure it's an issue with the code underneath my "database connections" comment. This is a beginner's class, and I'm following my professor's walkthrough video for the assignment, but I can't figure out what I'm doing wrong.

    <?php
    session_start(); //starts the session

    //Set all variables
    $uniqueid = $_POST["uniqueid"];
    $breed = $_POST["breed"];
    $color = $_POST["color"];
    $furlength = $_POST["furlength"];
    $dogweight = $_POST["dogweight"];

    //test if variables come in correctly
    //echo "variables: " . $uniqueid . $breed . $color . $furlength . $dogweight;

    //test if all fields filled
    if (($uniqueid == "") || ($breed == "") || ($color == "") || ($furlength == "") || ($dogweight == "")) {
        $_SESSION["errormessage"] = "You must complete all fields!"; //error message if any field is empty
        header("Location:insert.php");
        exit;
    }
    else { //if all fields filled
        $_SESSION["errormessage"] = ""; //no error message
    }

    //database connections -- THIS IS PROBABLY WHERE THE ISSUE IS
    include("includs/openDBConn.php"); //include the database
    //check that # adding isn't already part of database
    $sql="SELECT UniqueID FROM Dogs WHERE UniqueID=".$uniqueid;
    $result=$conn->query($sql);

    if($result->$num_rows > 0) { //make sure database loads the rows
        echo("num rows= ".$result->$num_rows); //echo the number of rows
    }
    else { //if there are no rows
        echo("No data found"); //give error message
    }
    ?>

On a different page, there are fields for me to type in UniqueID, breed, color, etc. This page is supposed to check that all fields are filled in (that part works), and then check if there is already a row with the UniqueID that I typed in. If there is, it's supposed to echo the number of rows it found with that UniqueID (which is supposed to be 1).

I'm very new to PHP, so if I'm missing any essential information please let me know. I appreciate any advice!

  • 1
    Is the folder name really `includs/`, maybe a typo? – brombeer Oct 08 '19 at 21:16
  • @kerbholz I can't believe I missed that... Thanks so much!!! – jessica-townsend Oct 08 '19 at 21:26
  • 1
    You should enable PHP report, it will show you what the actual error is instead of a 500 generic error page. https://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display – catcon Oct 08 '19 at 21:31
  • What do you mean by "not working"? Do you get any errors? Add [error reporting](//php.net/manual/function.error-reporting.php) at the top of your file(s): `ini_set("display_errors", 1); error_reporting(E_ALL);` and tell us what you get. – Dharman Oct 08 '19 at 23:10
  • Possible duplicate of [Reference - What does this error mean in PHP?](https://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – Dharman Oct 08 '19 at 23:10

2 Answers

1

Your code is full of vulnerabilities. It is prone to SQL injection, XSS attacks, CSRF, and HTML injection.

I have rewritten it to avoid most of these issues.

1.) SQL injection is now mitigated using prepared queries.

2.) HTML injection is mitigated using intval for integer variables and strip_tags for strings. You can read more about data validation and sanitization in PHP to see more options available.

3.) XSS attacks have been mitigated via htmlentities(). You can also use htmlspecialchars(). Read more about all these things.

See the better-secured code below.

Please put your database credentials where possible. I do not know whether your unique ID is a string or an integer (number).

    // if UniqueID is integer or number use i parameter
    $stmt->bind_param("i", $uniqueid);

    // if UniqueID is a string use s parameter
    $stmt->bind_param("s", $uniqueid);

Here is the code:

    <?php

    $servername = "localhost";
    $username = "root";
    $password = "";
    $dbname = "ur dbname";

    // Create connection
    $connect = new mysqli($servername, $username, $password, $dbname);

    // Check connection
    if ($connect->connect_error) {
        die("Connection to db failed");
    }

    session_start(); //starts the session

    // ensure that the Id is integer using intval
    //$uniqueid = intval($_POST["uniqueid"]);

    // sanitize your data against xss and html injection
    $uniqueid = strip_tags($_POST["uniqueid"]);
    $breed = strip_tags($_POST["breed"]);
    $color = strip_tags($_POST["color"]);
    $furlength = strip_tags($_POST["furlength"]);
    $dogweight = strip_tags($_POST["dogweight"]);

    //test if all fields filled
    if (($uniqueid == "") || ($breed == "") || ($color == "") || ($furlength == "") || ($dogweight == "")) {
        $_SESSION["errormessage"] = "You must complete all fields!"; //error message if any field is empty
        header("Location:insert.php");
        exit();
    }

    //Avoid sql injection using prepared statement
    $stmt = $connect->prepare("SELECT UniqueID FROM Dogs WHERE UniqueID = ?");

    // UniqueID is integer or number use i parameter
    // bind the submitted value ($uniqueid); PHP variable names are case-sensitive
    $stmt->bind_param("i", $uniqueid);

    // if UniqueID is a string use s parameter
    //$stmt->bind_param("s", $uniqueid);

    $stmt->execute();
    $stmt->store_result();
    $stmt->bind_result($UniqueID); // receives the column value of each fetched row

    if ($stmt->num_rows >= 1) {
        while ($stmt->fetch()) {
            // ensure that xss attack is not possible using htmlentities
            // fetch UniqueID
            echo "your UniqueID: " . htmlentities((string) $UniqueID) . " <br>";
        }
    } else {
        echo "No data found";
    }

    $stmt->close();
    $connect->close();
    ?>
Nancy Moore
1

You have a syntax error on `$result->$num_rows`; that should be `$result->num_rows`, without the second dollar sign.

And of course, your example here has security vulnerabilities that you also need to address, but that is not your question.

Nathanael
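Added example, not code from the question or from either answer: the duplicate-ID check with the three problems raised on this page handled together (the include path, the `$num_rows` property access, and the concatenated query), plus the error reporting the comments ask for. It assumes the folder is actually named `includes/`, that `openDBConn.php` defines a mysqli object `$conn`, and that `UniqueID` is an integer column; `countDogsWithId` is a hypothetical helper name.

```php
<?php
// Development only: show the real error instead of a generic "page not working" 500.
ini_set('display_errors', '1');
error_reporting(E_ALL);
// Make mysqli throw exceptions on failed queries instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();

// Accept only a whole number for the ID; anything else is rejected before any SQL runs.
// filter_input returns null when the field is missing and false when it is not an integer.
$uniqueid = filter_input(INPUT_POST, 'uniqueid', FILTER_VALIDATE_INT);
if ($uniqueid === null || $uniqueid === false) {
    $_SESSION['errormessage'] = 'UniqueID must be a whole number.';
    header('Location: insert.php');
    exit;
}

// require (unlike include) halts with a fatal error naming the bad path,
// so a misspelled folder is reported here rather than as a null $conn later.
// Assumption: the file lives in includes/ and defines $conn as a mysqli object.
require __DIR__ . '/includes/openDBConn.php';

// Hypothetical helper: number of rows in Dogs that already use this ID.
function countDogsWithId(mysqli $conn, int $id): int
{
    // The ? placeholder keeps the submitted value out of the SQL text.
    $stmt = $conn->prepare('SELECT COUNT(*) FROM Dogs WHERE UniqueID = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

$rows = countDogsWithId($conn, $uniqueid);
if ($rows > 0) {
    echo 'num rows= ' . $rows; // an integer, so no HTML escaping is needed
} else {
    echo 'No data found';
}
```

On a deployed site, set `display_errors` to `0` and rely on `log_errors` so database details are written to the server log rather than to the page.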