Thread: PHP Script

    #1
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    85
    Rep Power
    2

    PHP Script


    I have the following script, and the first part works that if my username is in the database, I have already voted in the past 12 hours. But, if I use a different username, nothing happens and the page is white. It doesn't enter data into the database or send the command to the server.

    PHP Code:

    $username = $_POST['username'];
    $voterServerVote = $_POST['id'];
    $id = $_POST['id'];

    if($query = mysql_query("SELECT * FROM vote WHERE voterServerVote = '$id' AND voterUsername = '$username'")){
        while($row = mysql_fetch_assoc($query)){
            $previousTime = $row['voterTime'];
            $query = mysql_query("SELECT * FROM servers WHERE ID = $id") or die(mysql_error());
            while($post = mysql_fetch_assoc($query)){
                $public_key = $post['votifierKey'];
                $server_ip = $post['votifierIP'];
                $server_port = $post['votifierPort'];
                $username = $_POST['username'];
                $voterIP = $_SERVER['REMOTE_ADDR'];
                $voterServerVote = $post['ID'];
                $time = time();
                $currentVotes = $post['serverVotes'];
                $newVotes = $currentVotes + 1;
                $today = date("F j, Y, g:i a T");
                $username = preg_replace("/[^A-Za-z0-9_]+/",'',$username);
                if (time() >= ($previousTime*12*3600)) {
                    if(Votifier($public_key, $server_ip, $server_port, $username)) {
                        $sql=mysql_query("INSERT INTO vote VALUES ('$username', '$voterIP', '$voterServerVote', '$time')");
                        $quer2=mysql_query("UPDATE servers SET serverVotes = '$newVotes' WHERE ID='$voterServerVote'");
                    } else {
                        echo 'There was an error!';
                    }
                } else {
                    echo 'You have already voted in the past 12 hours.';
                }
            }
        }
    } else {
        $query = mysql_query("SELECT * FROM servers WHERE ID = $id") or die(mysql_error());
        while($post = mysql_fetch_assoc($query)){
            $public_key = $post['votifierKey'];
            $server_ip = $post['votifierIP'];
            $server_port = $post['votifierPort'];
            $username = $_POST['username'];
            $voterIP = $_SERVER['REMOTE_ADDR'];
            $voterServerVote = $post['ID'];
            $time = time();
            $currentVotes = $post['serverVotes'];
            $newVotes = $currentVotes + 1;
            $today = date("F j, Y, g:i a T");
            $username = preg_replace("/[^A-Za-z0-9_]+/",'',$username);
            if(Votifier($public_key, $server_ip, $server_port, $username)) {
                $sql=mysql_query("INSERT INTO vote VALUES ('$username', '$voterIP', '$voterServerVote', '$time')");
                $quer2=mysql_query("UPDATE servers SET serverVotes = '$newVotes' WHERE ID='$voterServerVote'");
            } else {
                echo 'There was an error!';
            }
        }
    }
  2. #2
  3. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Location
    Oxford, United Kingdom
    Posts
    40
    Rep Power
    2
    You're using this to check if the username is in the DB.
    PHP Code:
    if($query = mysql_query("SELECT * FROM vote WHERE voterServerVote = '$id' AND voterUsername = '$username'"))
    The problem? This doesn't even check if the query was successful, let alone check if the query actually returned anything. What it actually does is check if assigning the return value of mysql_query to $query was successful, which it always will be.

    This is what you want to use, instead:

    PHP Code:
    $query = mysql_query("SELECT * FROM vote WHERE voterServerVote = '".mysql_real_escape_string($id)."' AND voterUsername = '".mysql_real_escape_string($username)."'");

    if( mysql_num_rows( $query ) > 0 )
    {
        //a username was found in the table
    }
    else
    {
        //a username was not found in the table
    }

    Notice how I've used mysql_real_escape_string in your query. This prevents other users from posing an SQL injection attack on your site/app.

    If you're using the variables $id or $username in any other query, make sure you use mysql_real_escape_string($var).

    You shouldn't even be using the mysql_* ext as it's deprecated. I wrote an article about this. See here
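
The row-existence and cooldown check discussed in the answer above, as an added example that is not part of the original posts: it uses PDO prepared statements in place of the deprecated mysql_* calls. The in-memory SQLite schema, the voterIP column name, the castVote function and the sample values are assumptions for illustration, and the Votifier call is left out.

```php
<?php
// Added example: 12-hour vote cooldown with PDO prepared statements.
// castVote(), the voterIP column name and the SQLite schema are assumptions.
function castVote(PDO $db, string $username, int $serverId, string $ip, int $now): string
{
    // Same character whitelist the original script applies to the username.
    $username = preg_replace('/[^A-Za-z0-9_]+/', '', $username);

    // Values are bound, never concatenated, so the quoting context does not matter
    // (escaping alone would not protect an unquoted "WHERE ID = $id").
    $stmt = $db->prepare(
        'SELECT MAX(voterTime) FROM vote WHERE voterServerVote = ? AND voterUsername = ?'
    );
    $stmt->execute([$serverId, $username]);
    $last = $stmt->fetchColumn();   // NULL when this user has no earlier vote

    if (is_numeric($last) && $now < (int)$last + 12 * 3600) {
        return 'You have already voted in the past 12 hours.';
    }

    // Record the vote and bump the counter as one unit of work.
    $db->beginTransaction();
    $ins = $db->prepare(
        'INSERT INTO vote (voterUsername, voterIP, voterServerVote, voterTime) VALUES (?, ?, ?, ?)'
    );
    $ins->execute([$username, $ip, $serverId, $now]);
    $upd = $db->prepare('UPDATE servers SET serverVotes = serverVotes + 1 WHERE ID = ?');
    $upd->execute([$serverId]);
    if ($upd->rowCount() !== 1) {   // unknown server ID: undo the insert
        $db->rollBack();
        return 'There was an error!';
    }
    $db->commit();
    return 'Vote recorded.';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE servers (ID INTEGER PRIMARY KEY, serverVotes INTEGER NOT NULL)');
$db->exec('CREATE TABLE vote (voterUsername TEXT, voterIP TEXT, voterServerVote INTEGER, voterTime INTEGER)');
$db->exec('INSERT INTO servers VALUES (1, 0)');

$t = 1356998400; // constructed timestamp
echo castVote($db, 'alice', 1, '203.0.113.5', $t), "\n";             // first vote
echo castVote($db, 'alice', 1, '203.0.113.5', $t + 3600), "\n";      // one hour later
echo castVote($db, "o'brien", 1, '203.0.113.5', $t), "\n";           // name containing a quote
echo castVote($db, 'alice', 99, '203.0.113.5', $t + 13 * 3600), "\n"; // server ID that does not exist
```
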
  4. #3
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    85
    Rep Power
    2
    Originally Posted by navnav
    You're using this to check if the username is in the DB.
    PHP Code:
    if($query = mysql_query("SELECT * FROM vote WHERE voterServerVote = '$id' AND voterUsername = '$username'"))
    The problem? This doesn't even check if the query was successful, let alone check if the query actually returned anything. What it actually does is check if assigning the return value of mysql_query to $query was successful, which it always will be.

    This is what you want to use, instead:

    PHP Code:
    $query = mysql_query("SELECT * FROM vote WHERE voterServerVote = '".mysql_real_escape_string($id)."' AND voterUsername = '".mysql_real_escape_string($username)."'");

    if( mysql_num_rows( $query ) > 0 )
    {
        //a username was found in the table
    }
    else
    {
        //a username was not found in the table
    }

    Notice how I've used mysql_real_escape_string in your query. This prevents other users from posing an SQL injection attack on your site/app.

    If you're using the variables $id or $username in any other query, make sure you use mysql_real_escape_string($var).

    You shouldn't even be using the mysql_* ext as it's deprecated. I wrote an article about this. See here
    Thanks. This worked.
