PDA

View Full Version : read custom profile field.


MessiAz
06-20-2008, 08:00 PM
i coded a php file to read a member's custom profile field.
do you see something bad in my code? is it safe to upload this file to my forum ?


request
http://xxxxxxxxxxx.com/forum/test.php?user=Tester


$username = $_GET['user'];

$query = "SELECT userid FROM vb_user WHERE username='" . $username . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$userid = $row[0];

$query = "SELECT usergroupid FROM vb_user WHERE userid='" . $userid . "'";
$result = mysql_query($query);

if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$group = $row[0];

$query = "SELECT field6 FROM vb_userfield WHERE userid='" . $userid . "'";
$result = mysql_query($query);

if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$serial = $row[0];

echo "Username: " . $username . "<br>";
echo "Userid: " . $userid . "<br>";
echo "group: " . $group . "<br>";
echo "programid: " . $serial . "<br>";
}

}

}

else {

echo "Username: Invalid";
}

MoT3rror
06-20-2008, 08:50 PM
$username = $_GET['user'];

/*
I suggest changing this query to, then you will only need 1 query then 3

SELECT user.userid, user.usergroupid, userfield.field6
FROM vb_user AS user
LEFT JOIN vb_userfield AS userfield ON (userfield.userid = user.userid)
WHERE user.username = '" . mysql_escape_string($username) . "'"
*/

//added mysql_escape_string to protect against sql injection
$query = "SELECT userid FROM vb_user WHERE username='" . mysql_escape_string($username) . "'";
$result = mysql_query($query);
if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
//this should be userid not 0, you can var_dump for debug if you aren't getting the value you want
$userid = $row['userid'];

//why not just select usergroupid from your first query?
$query = "SELECT usergroupid FROM vb_user WHERE userid='" . $userid . "'";
$result = mysql_query($query);

if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$group = $row[0];

//you can use a left join with your first query to get this value also
$query = "SELECT field6 FROM vb_userfield WHERE userid='" . $userid . "'";
$result = mysql_query($query);

if(mysql_num_rows($result) > 0)
{
$row = mysql_fetch_row($result);
$serial = $row[0];

echo "Username: " . $username . "<br>";
echo "Userid: " . $userid . "<br>";
echo "group: " . $group . "<br>";
echo "programid: " . $serial . "<br>";
}

}

}

else {

echo "Username: Invalid";
}

Opserty
06-20-2008, 09:22 PM
As MoT3rror (https://vborg.vbsupport.ru/member.php?u=189949) suggested, you can cover everything in the single query so you have:

$username = $_GET['user'];

$sql = "SELECT user.userid, user.usergroupid, userfield.field6
FROM vb_user AS user
LEFT JOIN vb_userfield AS userfield ON (userfield.userid = user.userid)
WHERE user.username = '" . mysql_escape_string($username) . "' LIMIT 1";

$query = mysql_query($sql);
// Do our error checking first...
if(!$query)
{
echo 'Username: Invalid';
}
else
{
// Use mysql_fetch_assoc to return [field] => [value] array result
$data = mysql_fetch_assoc($query);

// Use single quotes if there are no variables in strings
echo 'Username: ' . $username .'<br>';
echo 'Userid: ' . $data['userid'] . '<br>';
echo 'Group: ' . $data['usergroupid'] . '<br>';
echo 'programid: ' . $data['field6'] . '<br>';
}
(Credit to MoT3rror for SQL)

Dismounted
06-21-2008, 03:35 AM
Using mysql_real_escape_string() is preferable to mysql_escape_string().