Hi i am trying to check if the IP is in the blocked list or not.
I am using SQLite3 in PHP. my problem is when trying to check with the function bellow it returns always true.
function isBlocked($ip){
global $pdo;
$check = $pdo->prepare("SELECT * FROM blockedUsers WHERE ip='".$ip."'");
$check->execute();
if($check->rowCount() >= 1){
return true;
}else{
return false;
}
}
Use SELECT COUNT(*) rather than SELECT *, since you don't care about the row data, just the count.
Also, use a parameter rather than substituting the variable into the SQL.
function isBlocked($ip){
global $pdo;
$check = $pdo->prepare("SELECT COUNT(*) AS count FROM blockedUsers WHERE ip=:ip");
$check->execute([':ip' => $ip]);
$row = $check->fetch(PDO::FETCH_ASSOC);
return $row['count'] > 0;
}
Related
I created a mysql query to check if user is banned or not and if he's the system give him return false. But it wont get the information.
public static function checkban($username)
{
if(LOGINCHECKBAN == false)
{
$vusername = engine::securyt($username);
$getIdBYname = "SELECT id FROM players WHERE username='".$vusername."' LIMIT 1";
$getNOW = mysql_query($getIdBYname);
$IDbyNAME = mysql_free_result($getIdBYname);
$queryforban = mysql_query("SELECT * FROM bans WHERE data = '".$IDbyNAME."' LIMIT 1");
$query = mysql_num_rows($queryforban);
if($query == 0) {
return true;
} else {
return false;
}
}
}
Note: engine::securyt($username) is the form type to get his username when he try to login.
What can be wrong on my code?
edit: I belive that "mysql_free_result" can be the problem, but im not sure what i need to put on replace of it.
mysql_free_result() frees a mysql result set. It does not actually retrieve data from the result.
You will want something like:
$getIdBYname = "SELECT id FROM players WHERE username='".$vusername."' LIMIT 1";
$result = mysql_query($getIdBYname);
$row = mysql_fetch_assoc($result);
if($row) { //a user was found
//$row['id'] is the found user
$result = mysql_query("SELECT COUNT(*) cnt FROM bans WHERE data = '". $row['id'] ."' LIMIT 1");
$row = mysql_fetch_assoc($result);
return ($row && $row['cnt'] == 0);
} else {
// no user; return something appropriate
}
However, if all you need is to determine is whether a particular user name is banned (and not actually get their user id), you can do that directly in the database with one query:
SELECT COUNT(*)
FROM players p
INNER JOIN bans b ON b.data = p.id
WHERE p.username = $username;
WARNING: Note that using mysql_* functions is strongly discouraged for new code (since mysql_* has been removed in PHP 7), and directly including variables in your query strings is a pretty major security vulnerability. You should look into using prepared statements/parameterized queries with mysqli or PDO.
I'm not sure if this is doable or not, and I'm not entirely sure how to search for this. I have several dynamic web pages that all link to the same MySQL database table, but pull different results. So for example, a dynamic web page with ID = 5 will run a query like:
SELECT * FROM myTable WHERE category1 = 1
The web page where ID = 7 will run:
SELECT * FROM myTable WHERE category2 = 1
And so on. The queries are all grabbing the data from the same table, but the WHERE clause is different for each query - its not looking at the same column. The page with ID 7 should ONLY be returning results where category2 = 1, and ignoring the results that would be returned for the page with id = 5. My website has about 20 different pages/queries like this which is why I'm looking to see if it can be done in a function instead.
Is there a way I can put that into a function, and if so, how would I set up the parameters correctly? Or is this an instance where I will have to just write out all the queries separately on each page?
function find_results(what to put here?) {
global $connection;
$query = "SELECT * FROM myTable WHERE (how to code this part?)";
$result = mysqli_query($connection, $query);
confirm_query ($result);
return $result;
}
You would add the necessary parameters to your functions argument list, then provide the values at runtime.
function find_results($column, $value)
{
global $connection;
$query = "SELECT * FROM myTable WHERE {$column} = $value";
$result = mysqli_query($connection, $query);
confirm_query ($result);
return $result;
}
//Usage:
$result = find_results("category2", 1)
If the value you are returning records by ever ends up being a string make sure your wrap $value in single quotes.
if its a constant relation between pageId and categoryId, you can just create an array to hold it indexed by pageId like:
$pageIdToCategoryMapping = [
1 => 'cateogory1',
2 => 'category5',
...
]
and then just use it to pass data to your function like
find_results($pageIdToCategoryMapping[$pageId])
function find_results($category) {
(...)
$query = "SELECT * FROM myTable WHERE ({$category} = 1)";
(...)
}
I have been using class and object methods for mysql operations. source code available in github
I would recommend you to pass array as an argument and can return query or result as array in format you required. And this function will work any number or condition
<?php
$arg['db']="database";
$arg['tabe']="table";
$arg['search']['id1']="id1";
$arg['search']['id2']="id2";
//
function searchAndReturnResultAsArray($arg)
{
$return = NULL;
$query="SELECT * FROM ".$arg['table'];
$flag=false;
foreach($arg['search'] as $key=>$value)
{
if($flag)
$query.=" AND ";
else
$flag=true;
$query.= $key." = '".$value."' ";
}
$row = mysqli_num_rows($query);
$field = mysqli_fetch_object($query);
if($row >= 1)
{
while($data = mysqli_fetch_array())
{
$return[] = $data;
}
}
return $return;
}
?>
Or alternatively you can just return query once it is ready.
I am confused as to why this always, even when I know it should be 0, returns 1.
function check_user_data($username, $password) {
global $db;
$query = "SELECT COUNT(*) FROM users WHERE username='$username' AND password='$password'";
$results = $db->query($query);
$results = $results->fetchColumn();
echo count($results);
because you are selecting a count in your query which returns a single number and then you are counting that single number with count($results)
Why does fetchColumn() always return 1?
It doesn't.
Check your data and code.
I have a PHP function that looks like this:
function count_creatives() {
global $db;
$q = "SELECT COUNT(DISTINCT creative) FROM actions";
return $db->query($q);
}
The $db variable contains a PDO object and is set correctly (used successfully elsewhere).
When I try to assign the result of this function to a variable, it only contains the querystring (no results).
Code I'm Running:
$count = count_creatives();
echo $count;
Output:
PDOStatement Object ( [queryString] => SELECT COUNT(DISTINCT creative) FROM actions )
Any idea why I'm not getting the actual count (e.g. 2, 3, 100)?
You're returning the resource object from your function, not the field value. You need to fetch the result and then return that. Please use the following:
function count_creatives()
{
global $db;
$q = "SELECT COUNT(DISTINCT creative) AS `total` FROM actions";
$result = $db->query($q);
$actions = $result->fetchObject();
return $actions->total;
}
PDO::query() returns a PDOStatement object, or FALSE on failure. You need to do something like,
function count_creatives() {
global $db;
$q = "SELECT COUNT(DISTINCT creative) FROM actions";
$query = $db->query($q);
return $query->fetch(PDO::FETCH_NUM)[0];
}
I am trying to check if a name exists. Query should return 0 because the field is empty but returning 1 instead. help.
function profile_exists($user) { //checks that profile exists
$profile_ex = mysql_query(
"SELECT COUNT(profile_name) FROM user_info WHERE id = '{$user}'");
if(!confirm_query($profile_ex)) {
return false;
} else {
if (mysql_result($profile_ex, 0) == 1) {
echo mysql_result($profile_ex, 0);
exit;
return true;
} else {
return false;
}
}
}
You have one row instead of 0 rows because COUNT(*) returns one row of data, the count which has the value of 0 in this case.
You will need to run the query and then check the value of count.
Example:
$result = mysql_query("SELECT COUNT(*) AS count FROM ...");
$row = mysql_fetch_assoc($result);
if( $row['count'] == 0){
return False;
}else{
return True;
}
Your syntax looks abit complex, try this instead:
$profile_ex = mysql_query("SELECT * FROM user_info WHERE id = '$user'");
$profile_ex = mysql_num_rows($profile_ex);
if ( $profile_ex > 0 ) {
echo "exists"; } else {
echo "doesn't exist";
}
Hope this helps
You should be using mysqli_ or PDO with prepared statements to prevent against SQL injection.
It will always return 1 because you are using an aggregate function (COUNT). Select a column from your table instead:
SELECT profile_name FROM ...
However, if you are only interested in checking whether the profile exists, use mysqli_num_rows. If you wish to check whether the profile exists and return data, use mysqli_fetch_assoc.