
I'm using this code to check whether the user exists in the database or not. If yes,

OUTPUT

```json
{
  "check": "true"
}
```

but it returns null.

This is the code:

```php
<?php
include 'database.php';

error_reporting(E_ALL ^ E_NOTICE);
$UIDresult = $_POST["UIDresult"];
$Write = "<?php $" . "UIDresult='" . $UIDresult . "'; " . "echo $" . "UIDresult;" . " ?>";
file_put_contents('UIDContainer.php', $Write);

function get_data($res)
{
    $pdo = Database::connect();
    $sql = "SELECT * FROM table_nodemcu_rfidrc522_mysql WHERE id = '$res' ";
    $query_res = $pdo->query($sql);

    // PDO::query() returns false on failure, so check before calling fetchAll().
    if (!$query_res) {
        print_r($pdo->errorInfo());
        exit;
    }
    $count = count($query_res->fetchAll());
    $existe = array();

    if ($count > 0) {
        $existe[] = array('check' => 'true');
    } else {
        $existe[] = array('check' => 'false');
    }
    // The array was declared as $existe; $exsite is undefined, so this encodes null.
    return json_encode($exsite);
}

$file_name = 'existe.json';
if (file_put_contents($file_name, get_data($UIDresult))) {
    echo 'file created';
} else {
    echo 'error';
}
?>
```

The existe.json file contains null every time the PHP file is loaded.

Appreciate any help !

JDEVv
  • Is this actual copied code? If yes, you have a typo here: `return json_encode($exsite);`. The variable name is `$existe`. You should be seeing an error. – El_Vanja Mar 30 '20 at 00:31
  • your `get_data()` function does not always return a value, if the `$pdo->query()` failed there is no return value. – catcon Mar 30 '20 at 00:32
  • @El_Vanja you're correct, that fixed the problem, thank you very much – JDEVv Mar 30 '20 at 00:38
  • If you're already using PDO, switch to parametrized queries to avoid [SQL injection](https://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work). – El_Vanja Mar 30 '20 at 00:45
  • @El_Vanja Thank you, i will take it in consideration – JDEVv Mar 30 '20 at 00:58

1 Answer

Replace

```php
"SELECT * FROM table_nodemcu_rfidrc522_mysql WHERE id = '$UIDresult' ";
```

with this

```php
$stmt = $pdo->prepare("SELECT * FROM table_nodemcu_rfidrc522_mysql WHERE id = :UIDresult");
$stmt->bindValue(':UIDresult', $UIDresult, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetch();
```

Why didn't you use prepare and bind? It protects you from SQL injection.

Moahemd Abdelkhaleq
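The following is an added example, not the asker's or the answerer's code: a complete, hardened version of the existence check that combines the answer's prepared-statement suggestion with the JSON output the question asks for. It assumes the table and column names from the question; the asker's `Database::connect()` from `database.php` is replaced by an inline PDO connection to an in-memory SQLite database (requires the `pdo_sqlite` extension) so the script runs stand-alone, and the hex pattern used to validate the UID is an assumption about RC522 tag IDs. The `user_exists()` and `get_data()` helpers are hypothetical names.

```php
<?php
// Added example (not code from the question or answer). Hardened existence
// check: parameterised query, PDO exceptions instead of false returns, and
// request input stored as data rather than as generated PHP source.
declare(strict_types=1);

function connect(): PDO
{
    // Constructed for the example: in-memory SQLite stands in for the asker's
    // MySQL connection from database.php.
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of returning false, so a failed query cannot be
    // silently turned into a "null" result as in the question.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE table_nodemcu_rfidrc522_mysql (id TEXT PRIMARY KEY)');
    // Sample rows, constructed for the example.
    $pdo->exec("INSERT INTO table_nodemcu_rfidrc522_mysql (id) VALUES ('AB12CD34'), ('00FF00FF')");
    return $pdo;
}

function user_exists(PDO $pdo, string $uid): bool
{
    // The UID is bound as a parameter, never interpolated into the SQL text,
    // so a value such as "' OR '1'='1" is compared literally and matches nothing.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM table_nodemcu_rfidrc522_mysql WHERE id = :uid'
    );
    $stmt->bindValue(':uid', $uid, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn() > 0;
}

function get_data(PDO $pdo, string $uid): string
{
    // Produces exactly the shape the question expects: {"check":"true"}.
    // JSON_THROW_ON_ERROR (PHP 7.3+) makes encoding failures raise instead of
    // returning false, which file_put_contents() would otherwise write as "".
    $result = ['check' => user_exists($pdo, $uid) ? 'true' : 'false'];
    return json_encode($result, JSON_THROW_ON_ERROR);
}

// Input handling: accept the POST field, or a CLI argument when run from the
// shell for testing. Validate the shape before touching the database.
$uid = $_POST['UIDresult'] ?? ($argv[1] ?? '');
if (!preg_match('/^[0-9A-Fa-f]{8,20}$/', $uid)) {   // assumed RC522 UID format
    http_response_code(400);
    exit(json_encode(['error' => 'invalid UIDresult']));
}

$pdo = connect();
$json = get_data($pdo, $uid);

// Persist the last UID as JSON data. The question writes it into
// UIDContainer.php as PHP source, which lets the caller supply code that the
// server later executes; a data file carries no such risk.
file_put_contents('UIDContainer.json', json_encode(['UIDresult' => $uid], JSON_THROW_ON_ERROR));

if (file_put_contents('existe.json', $json) === false) {
    http_response_code(500);
    exit('error');
}
header('Content-Type: application/json');
echo $json;
```

Run it as `php check.php AB12CD34` to get `{"check":"true"}` written to `existe.json`, and with an unknown or malformed UID to see the `"false"` and 400 paths. The `COUNT(*)` query avoids pulling every matching row into memory just to count them, and validating the UID before the query keeps obviously malformed input out of the database layer even though the prepared statement already neutralises injection.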