I am using a simple PHP script for the activation part of one of my applications. The application posts one variable to the page (http://validate.zbrowntechnology.info/WebLock.php?method=validate). The variable is the serial number, posted as 'Serial'. Each time I post to this page, it returns Invalid. Here is the code:

<?php

$serial = $_POST['Serial'];
$method = $_GET['method'];

$con = mysql_connect("HOSTHERE", "USERHERE", "PASSHERE");
if(!$con) {
  die('Unable to connect to MySQL:  ' . mysql_error());
}


if($method == "validate") {

  mysql_select_db("zach_WebLock", $con);

  $query = "SELECT Key, Status FROM Validation WHERE Key='".mysql_real_escape_string($serial)."'";
  $result = mysql_query($query);
  if(mysql_num_rows($result) > 0) {
    echo "Valid";
  } else {
    echo "Invalid";
  }
} else {
  echo "Unkown Method";
}
?>

Here Is The Error From PHP

PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, boolean given
A: 

Try Like This
$query = "SELECT Key, Status FROM Validation WHERE Key='".$serial."'";

vinothkumar
This doesn't make any difference. If you use double quotes, variables in strings are substituted with their values.
captaintokyo
Thanks, now it returns something. But, no matter what key I POST, it returns invalid. The temp key is _2772_.
Zachary Brown
A: 

What happens if at the last line you add this?

else echo 'Unknown method';

What may be happening is that $_POST and $_GET are not getting populated; this is a setting in php.ini, if I remember correctly (search for "superglobals" in the PHP docs).

edit: also, you have a very bad security risk there, google "sql injection". Basically the problem is that you could get any SQL directly into your database, and if the php user has enough permissions it could mean that anyone can, for example, delete all the data from your Validation table. You should at least do something like this:

$query = "SELECT Key, Status FROM Validation WHERE Key='".addslashes($serial)."'";
cambraca
It still returns _Invalid_.
Zachary Brown
Use mysql_real_escape_string() instead of addslashes()
mellowsoon
@mellowsoon, thanks! I totally forgot about SQL Injection.
Zachary Brown
+1  A: 

You're missing a closing parenthesis on this line:

if(mysql_num_rows($result) > 0 {

Is that missing in your code or just your question?

You may also want to add

if (!$result) {
    print mysql_error();
}

after your query

bemace
Sorry, corrected it.
Zachary Brown
Yes, well spotted!
captaintokyo
@Zach, does this mean it works now?
captaintokyo
No, now it just returns _Invalid_, no matter what I POST.
Zachary Brown
Does it make a difference if you pass `$con` to mysql_query?
bemace
@bemace, it still returns _Invalid_.
Zachary Brown
Did you try adding the `if (!$result)` check too?
bemace
@bemace, yes.. it still returned _Invalid_. I looked through the server logs and found the error from PHP. I appended it to my original post.
Zachary Brown
A: 

It could be a typo but you are missing a closing parenthesis here:

if(mysql_num_rows($result) > 0 {
                              ^     

And you might have turned off your error reporting, in which case you get a blank page.

codaddict
A: 

Try echoing $serial:

echo $serial;

And is it what you typed in the form?

Winis
Yes, it returns the correct key.
Zachary Brown
Ok, but are you sure you chose the right database with a validation table? I know this is a stupid question, but that kind of thing happens sometimes.
Winis
Try echoing the mysql_real_escape_string($serial) value instead. Is it still the same?
mwotton
+3  A: 

Right after the query use mysql_error() to see what happened. And Key is a bad choice for a column name because it's a reserved word in SQL. You can enclose it in `` to tell MySQL it's an identifier. Do some more debugging like this:

...
if (!mysql_select_db("zach_WebLock", $con)) die('mysql_select_db failed');

$query = "SELECT `Key`, Status FROM Validation WHERE `Key`='".mysql_real_escape_string($serial)."'";
print "query=$query<br>\n";
$result = mysql_query($query, $con);
print "error=" . mysql_error($con);
...
gregjor
+1 for you! That is what the problem was! Thanks!
Zachary Brown
The Key column name? I hate when that happens. I took over a database recently that has a column named `date` in several tables.
gregjor
To be fair, some other people below told you to do the same thing 30 minutes ago ;)
mellowsoon
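
The accepted fix (backtick-quoting the reserved word `Key` and surfacing query errors) combined with the SQL injection advice from the thread, as an added example that is not code from any poster. It uses PDO with a bound parameter; the helper names `isValidSerial` and `handleRequest`, the sample serial, the `Error` response, and the in-memory SQLite connection standing in for the MySQL server are assumptions made for the demo.

```php
<?php
// Added example (not any poster's code). PDO replaces the mysql_* API, removed in PHP 7.

// Hypothetical helper; table and column names come from the question.
function isValidSerial(PDO $pdo, string $serial): bool
{
    // `Key` is a reserved word in MySQL, so it is backtick-quoted.
    // The serial is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT `Status` FROM `Validation` WHERE `Key` = :serial');
    $stmt->execute([':serial' => $serial]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hypothetical request handler mirroring the control flow of the question's script.
function handleRequest(PDO $pdo, array $get, array $post): string
{
    if (($get['method'] ?? '') !== 'validate') {
        return 'Unknown Method';
    }
    $serial = $post['Serial'] ?? '';
    if (!is_string($serial) || $serial === '') {
        return 'Invalid';
    }
    try {
        return isValidSerial($pdo, $serial) ? 'Valid' : 'Invalid';
    } catch (PDOException $e) {
        // A failed query is logged and reported separately, so a SQL syntax
        // error cannot masquerade as an "Invalid" serial as it did in the thread.
        error_log('Validation query failed: ' . $e->getMessage());
        return 'Error';
    }
}

// Demo with constructed data. In-memory SQLite (requires pdo_sqlite) stands in for
// the MySQL server so the script runs offline; it accepts the same backtick quoting.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw instead of returning false
$pdo->exec('CREATE TABLE `Validation` (`Key` TEXT PRIMARY KEY, `Status` TEXT)');
$pdo->exec("INSERT INTO `Validation` (`Key`, `Status`) VALUES ('DEMO-0001', 'active')");

echo handleRequest($pdo, ['method' => 'validate'], ['Serial' => 'DEMO-0001']), "\n";   // stored serial
echo handleRequest($pdo, ['method' => 'validate'], ['Serial' => "' OR '1'='1"]), "\n"; // quote characters stay data
echo handleRequest($pdo, ['method' => 'other'], []), "\n";                             // unsupported method
```

Against MySQL, only the PDO constructor changes: replace the SQLite DSN with a `mysql:` DSN and credentials for your own server.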