comparing records

Posted: Tue Jun 05, 2007 11:19 pm
by pleigh
i have this code

Code:

$sql = "SELECT * FROM hh_users2rights where UKey = '" . $_POST['employees'] . "' AND RKey = '" . $_POST['rights'] . "'";
$rs = mysql_query($sql);

if ($rs) {
    $usql = "select UKey, FirstName, LastName FROM buzz_users WHERE UKey = '" . $_POST['emp'] . "'";
    $uresult = mysql_query($usql) or die(mysql_error());

    if ($uresult) {

        while ($row = mysql_fetch_array($uresult, MYSQL_NUM)) {
            echo "<b><font color='red'>" . $row[1] . " " . $row[2] . " already has this right</font></b>";
        }

    } else {
        echo "system error";
    }

}

What I want to do is compare and check if there is an existing record for this user, and if he does, then this script will execute. The problem is that the first SQL script evaluates to true, even if the user does not have a record on the other field. How can I achieve that? Pardon me, I'm really confused. Thank you.

Posted: Wed Jun 06, 2007 12:48 am
by s.dot
Check if mysql_num_rows($rs) == 1

Posted: Wed Jun 06, 2007 1:42 am
by pleigh
Hi, thanks, I did this

Code:

$sql = "SELECT * FROM hh_users2rights where UKey = '" . $_POST['employees'] . "' AND RKey = '" . $_POST['rights'] . "'";
$rs = mysql_query($sql);

if ($rs) {
    $usql = "select UKey, FirstName, LastName FROM buzz_users WHERE UKey = '" . $_POST['emp'] . "'";
    $uresult = mysql_query($usql) or die(mysql_error());

    if ($uresult) {

        while ($row = mysql_fetch_array($uresult, MYSQL_NUM)) {
            echo "<b><font color='red'>" . $row[1] . " " . $row[2] . " already has this right</font></b>";
        }

    } else {
        echo "system error";
    }

}

still the same problem, it does not filter the user..any hint on the problem?

Posted: Wed Jun 06, 2007 1:44 am
by John Cartwright
On another note, you have not escaped any of your incoming data, therefore leaving your queries vulnerable to SQL injection. Apply at minimum mysql_real_escape_string and trim on all incoming data used in queries.

> still the same problem, it does not filter the user..any hint on the problem?

You did not check mysql_num_rows as previously suggested :?
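
The two points raised in the replies (test whether a row came back rather than whether the query ran, and keep request data out of the SQL string), as an added example that is not code from the thread. It uses PDO bound parameters with an in-memory SQLite database in place of the `mysql_*` calls and escaping discussed above; the sample rows, the `userWithRight` helper and the single JOIN query are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Constructed schema and rows;
// PDO with in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE buzz_users (UKey TEXT PRIMARY KEY, FirstName TEXT, LastName TEXT)");
$db->exec("CREATE TABLE hh_users2rights (UKey TEXT, RKey TEXT)");
$db->exec("INSERT INTO buzz_users VALUES ('u1', 'Ann', 'Lee'), ('u2', 'Bob', 'Ray')");
$db->exec("INSERT INTO hh_users2rights VALUES ('u1', 'r1')");

// Hypothetical helper: returns the user's name row if the user already
// holds the right, or null if there is no matching record.
function userWithRight(PDO $db, string $ukey, string $rkey): ?array
{
    // Placeholders keep the request values out of the SQL text entirely,
    // so no quoting or escaping of the input is involved.
    $stmt = $db->prepare(
        'SELECT u.FirstName, u.LastName
           FROM hh_users2rights r
           JOIN buzz_users u ON u.UKey = r.UKey
          WHERE r.UKey = ? AND r.RKey = ?'
    );
    $stmt->execute([trim($ukey), trim($rkey)]);

    // A SELECT that matches nothing still executes successfully, which is
    // why "if ($rs)" in the thread is always true. The decision has to be
    // made on whether a row was actually returned.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs standing in for $_POST['employees'] / $_POST['rights'].
// The third key contains a quote character and is treated as plain data.
foreach ([['u1', 'r1'], ['u2', 'r1'], ["x'y", 'r1']] as [$ukey, $rkey]) {
    $user = userWithRight($db, $ukey, $rkey);
    if ($user !== null) {
        // Encode database values before placing them in HTML output.
        $name = htmlspecialchars($user['FirstName'] . ' ' . $user['LastName']);
        echo "$name already has this right\n";
    } else {
        echo "no existing record for " . htmlspecialchars($ukey) . "\n";
    }
}
```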