0

I have a PHP statment that $_GET's input from a html page and uses that input(customerID) to search through the database for appropriate results. I have that working fine. What i want to do is, if the user enters an invalid customerID, i want the system to give a message and terminate, else if the user input is correct, i want it to be business as usual.

$id = $_GET['customerID'];
$conn = mysql_connect("localhost", "user", "password"); 
mysql_select_db("databse", $conn) 
or die ('Database not found ' . mysql_error() ); 
$sql = "SELECT .......
        WHERE order.customerID = $id
        ORDER BY order.orderDate ASC";

if($id != 'order.customerID'){
die('Invalid Customer ID entered');}
else
{   
    $rs = mysql_query($sql, $conn) 
     or die ('Problem with query' . mysql_error()); 
}

Thats my php code. When i run that, if i enter a invalid ID, it will show me 'Invalid Customer ID entered' but when i enter a vaild customerID, it still shows me that error message. Obviously im making a mistake which im not seeing, any help would be appreciated.

Improve this question
2
  • 2
    Do. Not. Use. mysql_query. It's deprecated, and has been for a while now. Whoever taught you to use it should have their membership card revoked. Commented May 4, 2014 at 5:59
  • its for a uni assignment, i cant really change that as i will lose marks @cHao Commented May 4, 2014 at 6:59

2 Answers 2

Reset to default
2

First, never trust data from the user, so patch this:

$id = $_GET['customerID'];

With

$id = mysql_real_escape_string($_GET['customerID']);

It sanitizes your value (although it's not completely safe).

For your main problem,

if($id != 'order.customerID'){

order.customerID is just a string. The correct way to check would be to execute the query first, then check if any rows have returned using mysql_num_rows(), if not display an error message else carry on.

$rs = mysql_query($sql, $conn)  or die ('Problem with query' . mysql_error());
if($rs && mysql_num_rows($rs)>0){ 
  //query success and rows returned
}
else
{
  die('Invalid Customer ID entered');
}

Note:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

thanks for that, i was trying to use the if statement like its used in javascript
0

You need to change your logic a bit. First, you need to check if the customerID exists (probably in a "customers" table?) and then proceed with your query.

For example:

$customerID = mysql_real_escape_string( $_GET['customerID'] ); //fixes sql injection 

$queryString = "SELECT * FROM customers WHERE customerID = {$customerID} LIMIT 1";

$query = mysql_query( $queryString ) or die( mysql_error() );

if (mysql_num_rows( $query ) == 0) {
    die( 'Invalid Customer ID entered' );
}

// from here onward you may proceed with your previous statement.
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.