0

I have been trying to post orderid,extension id ... with javascript POST method but its always returning false even if the SQL query is true. Demo data:

Javascript

 var order_id = "1232";
    var extension_id = "12";
    var email = "flencsso@gmail.com";
    var dom = "www.youtube.com";
    
$.post(
  "checkdata.php",
  {
    order_id: order_id,
    extension_id: extension_id,
    email: email,
    dom:dom
  },
  function (data, status) {
    //console.log("Data: " + JSON.parse(data) + "\nStatus: " + status);
    console.log(data + "status:" + status);
  }
);

this data is exist in the table 'osmo'. Also i have declared all the columns as VARCHAR. Please suggest whats wrong i am doing with the query.

PHP

 if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    
    
        if (!empty($_POST['order_id']) && !empty($_POST['extension_id']) && !empty($_POST['email']) && !empty($_POST['dom'])) {
    
            //store in variables
            $order_id = $_POST['order_id'];
            $extension_id = $_POST['extension_id'];
            $email = $_POST['email'];
            $dom = $_POST['dom'];
            //server config
            $servername = "localhost";
            $username = "root";
            $password = "";
            $dbname = "foroc";
    
            // Create connection
            $conn = new mysqli($servername, $username, $password, $dbname);
            // Check connection
            if ($conn->connect_error) {
                die("Connection failed: " . $conn->connect_error);
            }
    
            //sql query
             $sql = "SELECT *
             FROM ocorders
             WHERE order_id='$order_id'
             AND extension_id='$extension_id'
             AND email='$email'
             AND order_status='Complete'
             AND dom='$dom'
             ";


     $result = mysqli_query($conn, $sql);
//check if sql query is returning true or false
        if (mysqli_num_rows($result) > 0) {
            // output data of each row
            while ($row = mysqli_fetch_assoc($result)) {
                print json_encode("true");
            }
        } else {
            print json_encode("false");
        }
        
                
          
            //close connection
            $conn->close();
        } 
    }
Prosenjeet Paul
  • 284
  • 2
  • 8
  • 2
    **Warning!** You are _wide open_ for [SQL injection](https://owasp.org/www-community/attacks/SQL_Injection) attacks! You should use parameterized [prepared statements](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of using completely unescaped user data directly in your queries like that. _Never ever ever never_ trust user input. – M. Eriksson Oct 09 '20 at 15:24
  • 1
    `AND dom=$dom` - You're missing the quotes around the value. Without them, you'll end up with an invalid query since `$dom` is a string. This won't be an issue when you move to prepared statements. – M. Eriksson Oct 09 '20 at 15:25
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped input values - similar to what Magnus has just pointed out. – ADyson Oct 09 '20 at 15:25
  • And **never** get your web app to login to the database as root. Root can do whatever it likes, so on top of the SQL injection vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Oct 09 '20 at 15:26
  • _i have declared all the columns as VARCHAR_ ...well your Order ID and Extension ID fields look like the are numbers, so that seems potentially inappropriate. – ADyson Oct 09 '20 at 15:27
  • Anyway if ->query() is returning false, you really need to be finding out why that is - then you'd have some idea what's going on and how to fix it. Mysqli can [tell you the exact error message](https://www.php.net/manual/en/mysqli.error.php). That's a quick solution. But even better than that, you should enable PHP error logging (https://stackify.com/php-error-logs-guide/) and then enable mysqli to throw exceptions when SQL errors occur (https://stackoverflow.com/a/14578644/5947043) so you can log them seamlessly to the PHP error log, giving you better visibility of problems. – ADyson Oct 09 '20 at 15:36
  • I have noted all of the points thanks for that. And this is running on localhost so currently we can skip the injection part. I have added quotes around the $dom and edited my question as well. I have tried almost everything (best of my knowledge) but no solution so far. I dont know what is wrong in the code. When printing out the result directly its giving: {"current_field":null,"field_count":null,"lengths":null,"num_rows":null,"type":null} so its false according to query but same thing is returning true in phpmyadmin – Prosenjeet Paul Oct 09 '20 at 15:53
  • Oh, actually...I just noticed something. I should have spotted it earlier perhaps, sorry. `if ($conn->query($sql) === TRUE) {`. This will never be true. The manual for mysqli_query (https://www.php.net/manual/en/mysqli.query.php) says: _"Returns FALSE on failure. For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. "_ . So it will never `=== TRUE`. `== TRUE` would be ok because a populated object is truth-y, but it won't ever be a boolean `true`, so you can't use `===` to test it. – ADyson Oct 09 '20 at 16:02
  • @ADyson then whats the solution to check and return true? – Prosenjeet Paul Oct 09 '20 at 16:06
  • @ADyson i have added $result = mysqli_query($conn, $sql); print json_encode($result); and its returning {"current_field":null,"field_count":null,"lengths":null,"num_rows":null,"type":null} – Prosenjeet Paul Oct 09 '20 at 16:09
  • Ok that's a result object. So it's success, in theory. Like I said you should be able to use `== true` to do a basic check. If the query didn't fail then it will have returned some rows (if any matched the query criteria). So, perhaps, did you really want to know if it returned a specific number of rows, or at least one? If so then you need the num_rows() function. – ADyson Oct 09 '20 at 16:12
  • @ADyson thanks for rating . Let's leave the ==true thing i have added this line of code $result = mysqli_query($conn, $sql); if (mysqli_num_rows($result) > 0) { // output data of each row while ($row = mysqli_fetch_assoc($result)) { print json_encode("found"); } } else { print json_encode("0 results"); } and its still returning 0 results which means no row. – Prosenjeet Paul Oct 09 '20 at 16:19
  • @ADyson i have edited the question please consider upvote in question – Prosenjeet Paul Oct 09 '20 at 16:38

1 Answers1

1

Well after so many suggestion finally i have found my 'True'. $result = mysqli_query($conn, $sql);

    if (mysqli_num_rows($result) > 0) {
        // output data of each row
        while ($row = mysqli_fetch_assoc($result)) {
            print json_encode("True");
        }
    } else {
        print json_encode("False");
    }

Some minor mistakes sometimes become headache.

Prosenjeet Paul
  • 284
  • 2
  • 8