I created a MySQL query to check if a user is banned or not, and if he is, the system gives him return false. But it won't get the information.

    public static function checkban($username)
    {
        if(LOGINCHECKBAN == false)
        {
            $vusername = engine::securyt($username);
            $getIdBYname = "SELECT id FROM players WHERE username='".$vusername."' LIMIT 1";
            $getNOW = mysql_query($getIdBYname);
            $IDbyNAME = mysql_free_result($getIdBYname);
            $queryforban = mysql_query("SELECT * FROM bans WHERE data = '".$IDbyNAME."' LIMIT 1");
            $query = mysql_num_rows($queryforban);
            if($query == 0) {
                return true;
            } else {
                return false;
            }
        }
    }

Note: engine::securyt($username) is the form type to get his username when he tries to log in.

What can be wrong in my code? Edit: I believe that `mysql_free_result` can be the problem, but I'm not sure what I need to put in place of it.

  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 11 '16 at 19:56
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 11 '16 at 19:56
  • What is the value of `LOGINCHECKBAN`? – jeroen Jan 11 '16 at 19:57
  • @JayBlanchard I'm not using PHP 7; if I update to it I'll need to edit the whole code of the site. I'm using 5.3.0 – Jan 11 '16 at 19:57
  • Even if you're not using 7 you need to be using prepared statements. – Jay Blanchard Jan 11 '16 at 19:58
  • What error are you getting? Have you made the connection properly? There are a number of things that might go wrong. Provide more information. – Jan 11 '16 at 19:58
  • `mysql_free_result()` returns a boolean value, not anything you can use later. I believe you're trying to use `$IDbyNAME = mysql_fetch_array($getNOW)['id']`, isn't it? – Rajdeep Paul Jan 11 '16 at 19:59
  • Since you're not doing *any* error checking of your connection or your queries, looking in the error logs will give you a ton of info about what is going on. – Jay Blanchard Jan 11 '16 at 20:02

1 Answer

mysql_free_result() frees a mysql result set. It does not actually retrieve data from the result.

You will want something like:

    $getIdBYname = "SELECT id FROM players WHERE username='".$vusername."' LIMIT 1";
    $result = mysql_query($getIdBYname);
    $row = mysql_fetch_assoc($result);   // false when no row matched
    if($row) { //a user was found
        //$row['id'] is the found user
        $result = mysql_query("SELECT COUNT(*) cnt FROM bans WHERE data = '". $row['id'] ."' LIMIT 1");
        $row = mysql_fetch_assoc($result);
        return ($row && $row['cnt'] == 0);
    } else {
        // no user; return something appropriate
    }

However, if all you need is to determine whether a particular user name is banned (and not actually get their user id), you can do that directly in the database with one query:

    SELECT COUNT(*)
        FROM players p
        INNER JOIN bans b ON b.data = p.id
        WHERE p.username = $username;

WARNING: Note that using mysql_* functions is strongly discouraged for new code (since mysql_* has been removed in PHP 7), and directly including variables in your query strings is a pretty major security vulnerability. You should look into using prepared statements/parameterized queries with mysqli or PDO.

jbafford
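The prepared-statement version the answer recommends, as an added example that is not the answer's own code: it runs the single JOIN query above through PDO with the username bound as a parameter, against an in-memory SQLite database filled with constructed rows in place of the MySQL tables. Assumed: the `players`/`bans` table and column names from the question; the function name `isUserAllowed` is mine.

```php
<?php
// Added example (not from the question or the answer): the ban check rewritten with
// PDO prepared statements. The username never becomes part of the SQL text, so
// quoting/escaping is handled by the driver rather than by string concatenation.

function isUserAllowed(PDO $pdo, string $username): bool
{
    // One round trip: join players to bans on bans.data = players.id and count matches.
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) AS cnt
           FROM players p
           INNER JOIN bans b ON b.data = p.id
          WHERE p.username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same contract as the original checkban(): true when no ban row exists.
    // An unknown username also counts 0 and is therefore treated as "not banned";
    // callers that must distinguish "unknown user" need a separate players lookup.
    return $row !== false && (int) $row['cnt'] === 0;
}

// --- constructed sample data (in-memory SQLite; an assumption, not the OP's schema) ---
$pdo = new PDO('sqlite::memory:');
// Throw on SQL errors instead of silently returning false, which is what hid the bug in the question.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$pdo->exec('CREATE TABLE bans (id INTEGER PRIMARY KEY, data INTEGER NOT NULL)');
$pdo->exec("INSERT INTO players (id, username) VALUES (1, 'alice'), (2, 'mallory'), (3, 'o''brien')");
$pdo->exec('INSERT INTO bans (id, data) VALUES (1, 2)'); // mallory (id 2) is banned

var_dump(isUserAllowed($pdo, 'alice'));    // no ban row for alice
var_dump(isUserAllowed($pdo, 'mallory'));  // ban row present
// A username containing a quote is just a bound value here; the concatenated
// query from the question would have produced a SQL syntax error instead.
var_dump(isUserAllowed($pdo, "o'brien"));
```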