Home/ Questions/Q 9266393
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-18T14:18:28+00:00

I had this issue fixed but as I was trying to fix SQL vulnerabilities

  • 0

I had this issue fixed but as I was trying to fix SQL vulnerabilities I created an error and started back from scratch, I’m stuck again at this issue and have absolutely no clue what to do. Please help.

<? 
ob_start();
include 'easygpt_config.php';
ob_end_clean();
if(isset($_POST['login'])){
$username= trim($_POST['username']);
$password = trim($_POST['password']);
if($username == NULL OR $password == NULL){
$final_report.="Please complete both fields";
$check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
}else{
if(mysql_num_rows($check_user_data) == 0){ 
$final_report.="This username does not exist";
}else{
$get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
if($get_user_data['password'] == $password){
$start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
$start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
$final_report.="<meta http-equiv='Refresh' content='0; URL=http://www.google.com>";
}}}}

if(isset($_SESSION['username']) && isset($_SESSION['password'])){ 
    }

?>

The line that is being listed as causing the error is line 12 which consist of:

if(mysql_num_rows($check_user_data) == 0){
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    With just some standard indentation it becomes very clear what’s going on, as Explosion Pills already pointed out:

    <?
ob_start();
include 'easygpt_config.php';
ob_end_clean();
if (isset($_POST['login'])) {
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if ($username == NULL OR $password == NULL) {
        $final_report .= "Please complete both fields";
        $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
    } else {
        if (mysql_num_rows($check_user_data) == 0) {
            $final_report .= "This username does not exist";
        } else {
            $get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
            if ($get_user_data['password'] == $password) {
                $start_idsess   = $_SESSION['username'] = "" . $get_user_data['username'] . "";
                $start_passsess = $_SESSION['password'] = "" . $get_user_data['password'] . "";
                $final_report .= "<meta http-equiv='Refresh' content='0; URL=http://www.google.com>";
            }
        }
    }
}
if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
}
?>

    You’re executing the query (and thus setting $check_user_data) in the if block, and testing it in the else block.

    Want to avoid this kind of mess in the future? Indent your code manually or get one of the bazillion code editors that can handle that chore for you. Or use one of the many online prettyprinting services (like [beta.phpformatter.com])(http://beta.phpformatter.com/).

    And last but not least, stop using the deprecated mysql_ functions. Deprecated, among other things means you should not use them in new code.

    I’d also suggest to forget about the more modern mysqli_ successor and skip right away to PDO – it’s a modern, well designed API, usable with several database engines and last but not least, it makes working with prepared statements a breeze, and prepared statements are probably the least expensive yet most effective defense against sql injection.

    • 0