On my website I have a page that can only be viewed if the person's details are in a table called Members; the values are posted from a form on the previous page. This is the original code I had, and it worked fine:
$query = "SELECT * FROM Members WHERE firstname='" . $firstname . "' and surname='" . $surname . "'";
$result = mysql_query($query);
$rows = mysql_num_rows($result);
if ($rows == 1)
{
    //user continues loading page
}
else
{
    header ('location: signup.html'); //user is redirected to sign up page
}
After some changes to the site, I now require the same user to also have paid='TRUE' in the Members table to continue loading the page. This is the code I came up with:
$query = "SELECT * FROM Members WHERE firstname='" . $firstname . "' and surname='" . $surname . "'";
$result = mysql_query($query);
$rows = mysql_num_rows($result);
$query = "SELECT paid FROM Members WHERE firstname='" . $firstname . "' and surname='" . $surname . "'";
$result = mysql_query($query);
$paid = mysql_num_rows($result);
if ($rows == 1 && $paid == 'TRUE')
{
    //user continues loading page
}
else
{
    header ('location: signup.html'); //user is redirected to sign up page
}
With this new code, even if the user has paid it redirects them to the signup page... Have I gone about this the wrong way?
You check $paid against 'TRUE' but fill it with mysql_num_rows.
Try:
instead.
Plus, since I cannot see whether you escape your strings properly, please take note that $firstname and $surname should be escaped/verified.
Anyway you can skip the second mysql_query and use:
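The following is an added example that is not the asker's or the answerer's code. It puts the answer's two points together: a single query fetches the paid column and the code compares that column's value rather than a row count, and the name fields are passed as bound parameters through PDO prepared statements (a replacement for the deprecated mysql_* functions, not a technique the answer names) so they can never be spliced into the SQL. The DSN, credentials and the form field names are assumptions; the example keeps the question's convention that Members.paid holds the string 'TRUE' for a paying member.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes a MySQL database
// reachable through PDO with the hypothetical DSN/credentials below, and that
// Members.paid holds the string 'TRUE' for paying members, as in the question.
declare(strict_types=1);

function memberHasPaid(PDO $db, string $firstname, string $surname): bool
{
    // One query does the work of the question's two: fetch the paid flag for
    // the matching member. Named placeholders send $firstname and $surname as
    // data, never as SQL text, which closes the injection the answer warns about.
    $stmt = $db->prepare(
        'SELECT paid FROM Members WHERE firstname = :firstname AND surname = :surname'
    );
    $stmt->execute([':firstname' => $firstname, ':surname' => $surname]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Keep the original "exactly one row" rule: zero rows means no such member,
    // more than one means the name is ambiguous; neither case gets in.
    if (count($rows) !== 1) {
        return false;
    }

    // Compare the column value, not the row count, and compare it strictly.
    return $rows[0]['paid'] === 'TRUE';
}

$db = new PDO(
    'mysql:host=localhost;dbname=site;charset=utf8mb4',   // hypothetical DSN
    'dbuser',                                             // hypothetical credentials
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // let the server bind parameters
    ]
);

// Form fields posted from the previous page (assumed names). Missing fields
// become empty strings, which simply match no member.
$firstname = (string) ($_POST['firstname'] ?? '');
$surname   = (string) ($_POST['surname'] ?? '');

if (!memberHasPaid($db, $firstname, $surname)) {
    header('Location: signup.html');
    exit;   // stop here; a redirect header alone does not stop the script
}
// ... the protected page continues below this point
```

Two details worth noting: the strict `===` comparison avoids PHP's loose-comparison surprises between integers and strings, which is exactly what made the question's `$paid == 'TRUE'` check misleading, and the `exit` after `header()` matters because without it PHP keeps executing and sends the protected page's body along with the redirect.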