
Posting variable returns invalid

I am using a simple PHP script for the activation part of one of my applications. The application posts one variable to the page (http://validate.zbrowntechnology.info/WebLock.php?method=validate). The variable is the serial number, posted as 'Serial'. Each time I post to this page, it returns Invalid. Here is the code:

<?php

$serial = $_POST['Serial'];
$method = $_GET['method'];

$con = mysql_connect("HOSTHERE", "USERHERE", "PASSHERE");
if(!$con) {
  die('Unable to connect to MySQL:  ' . mysql_error());
}


if($method == "validate") {

  mysql_select_db("zach_WebLock", $con);

  $query = "SELECT Key, Status FROM Validation WHERE Key='".mysql_real_escape_string($serial)."'";
  $result = mysql_query($query);
  if(mysql_num_rows($result) > 0) {
    echo "Valid";
  } else {
    echo "Invalid";
  }
} else {
  echo "Unkown Method";
}
?>

Here is the error from PHP:

PHP Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given


Right after the query use mysql_error() to see what happened. And Key is a bad choice for a column name because it's a reserved word in SQL. You can enclose it in `` to tell MySQL it's an identifier. Do some more debugging like this:

...
if (!mysql_select_db("zach_WebLock", $con)) die('mysql_select_db failed');

$query = "SELECT `Key`, Status FROM Validation WHERE `Key`='".mysql_real_escape_string($serial)."'";
print "query=$query<br>\n";
$result = mysql_query($query, $con);
print "error=" . mysql_error($con);
...


You're missing a closing parenthesis on this line:

if(mysql_num_rows($result) > 0 {

Is that missing in your code or just your question?

You may also want to add

if (!$result) {
    print mysql_error();
}

after your query


Try like this:
$query = "SELECT Key, Status FROM Validation WHERE Key='".$serial."'";


What happens if at the last line you add this?

else echo 'Unknown method';

What may be happening is that $_POST and $_GET are not getting populated; this is a setting in php.ini, if I remember correctly (search for "superglobals" in the PHP docs).

Edit: also, you have a very bad security risk there; google "SQL injection". Basically the problem is that you could get any SQL directly into your database, and if the PHP user has enough permissions it could mean that anyone can, for example, delete all the data from your Validation table. You should at least do something like this:

$query = "SELECT Key, Status FROM Validation WHERE Key='".addslashes($serial)."'";
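
Added example, not part of the original question or answers: the same lookup written with a PDO prepared statement, covering the three issues raised in the answers (the reserved word `Key`, a failed query reaching the row check as a boolean, and SQL injection). The mysql_* functions used on this page were removed in PHP 7. The in-memory SQLite database, the sample rows and the function names open_db and validate_serial are assumptions so the script runs offline.

```php
<?php
// Added example. Table and column names follow the question; the rows,
// function names and the SQLite stand-in for MySQL are assumptions.
// For MySQL the DSN would look like "mysql:host=HOSTHERE;dbname=zach_WebLock".

function open_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw on SQL errors so a failed query never reaches the row check
    // as a boolean (the cause of the mysql_num_rows() warning).
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE Validation (`Key` TEXT PRIMARY KEY, Status TEXT)');
    $pdo->exec("INSERT INTO Validation VALUES ('ABCD-1234', 'active')"); // constructed
    $pdo->exec("INSERT INTO Validation VALUES ('AB''CD-5678', 'active')"); // constructed
    return $pdo;
}

function validate_serial(PDO $pdo, $serial): string
{
    // A missing field is null; a field sent as Serial[]=x arrives as an array.
    if (!is_string($serial) || $serial === '') {
        return 'Invalid';
    }
    try {
        // `Key` is quoted as an identifier; the serial is bound as data.
        $stmt = $pdo->prepare('SELECT Status FROM Validation WHERE `Key` = :serial');
        $stmt->execute([':serial' => $serial]);
        return $stmt->fetch(PDO::FETCH_ASSOC) !== false ? 'Valid' : 'Invalid';
    } catch (PDOException $e) {
        error_log('validation query failed: ' . $e->getMessage()); // server log only
        return 'Error';
    }
}

$pdo = open_db();
// Constructed inputs: a known serial, an unknown one, one containing a quote, a missing field.
foreach (['ABCD-1234', 'ZZZZ-0000', "AB'CD-5678", null] as $input) {
    echo json_encode($input), ' => ', validate_serial($pdo, $input), "\n";
}
```

Query errors go to the server log rather than the response, so the debugging output suggested above does not have to be left enabled in production.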


It could be a typo but you are missing a closing parenthesis here:

if(mysql_num_rows($result) > 0 {
                              ^     

And you might have turned off your error reporting, in which case you get a blank page.


Try echoing $serial:

echo $serial;

And is it what you typed in the form?
