Mememe Posted October 27, 2007

$selectRank = "SELECT rank FROM Members WHERE loginName='{$_SESSION['user']}'";
$_SESSION['rank'] = mysqli_query($con,$selectRank);
echo 'RANK: '.$_SESSION['rank'].'<br />';

That's just to find the rank of the member in the database, and output it. But then I get this error:

Catchable fatal error: Object of class mysqli_result could not be converted to string in C:\Program Files\EasyPHP 2.0b1\www\MEMEME2\index.php on line 44

I'm not sure about object-orientation or classes, so I don't know how to fix this properly. Does anyone have any ideas?
Lulzim Posted October 27, 2007

> Catchable fatal error: Object of class mysqli_result could not be converted to string in C:\Program Files\EasyPHP 2.0b1\www\MEMEME2\index.php on line 44

$_SESSION['rank'] does not contain anything that you could print. You just executed a query; now you have to fetch the results. Look at the examples on this page: http://www.php.net/manual/en/function.mysqli-fetch-row.php
Mememe Posted October 27, 2007

Those examples are confusing me. Could you put it in a simpler way? The whole idea of this is that when the user logs in through forms, the user is taken to the login page, all the php code is executed there, and it automatically goes to index.php. There, there is a sidebar that is meant to say:

Welcome to your control panel, [USERNAME]
Rank: [RANK. Example: Admin, Member]
Member No:

It works for the username with the same method, but it doesn't work for member no and rank.
justsomeguy Posted October 27, 2007

When you get a result from MySQL it doesn't give you a single value. When you select the rank, the return value of mysqli_query is not the rank itself; it is a result set that contains 1 row, where that 1 row contains 1 field (the rank). You need to use mysqli_fetch_array or something similar to get the row out of the result set as an array, and then you can store the rank from the array in the session. Check the procedural examples on this page: http://www.php.net/manual/en/function.mysqli-fetch-array.php
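The fetch justsomeguy describes, written out as an added example rather than code from the thread. It assumes an open mysqli connection in $con, the Members table with loginName and rank columns from the first post, and mysqlnd (needed for mysqli_stmt_get_result); the user name is passed as a bound parameter instead of being interpolated into the query.

```php
<?php
// Added example, not the poster's code: pull one value out of a mysqli
// result set instead of storing the result object in the session.
// Assumes an open connection in $con and the Members table from the
// thread, with loginName and rank columns.

function fetch_member_rank(mysqli $con, string $loginName): ?string
{
    // Prepared statement: the user name is sent as a parameter, never
    // spliced into the SQL text.
    $stmt = mysqli_prepare($con, 'SELECT rank FROM Members WHERE loginName = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }
    mysqli_stmt_bind_param($stmt, 's', $loginName);
    mysqli_stmt_execute($stmt);

    // mysqli_stmt_get_result() returns a mysqli_result, the same kind of
    // object mysqli_query() returned in the original code. It holds rows;
    // it is not the rank itself, which is why echoing it was a fatal error.
    $result = mysqli_stmt_get_result($stmt);
    $row = mysqli_fetch_assoc($result);   // one row as an array, or null
    mysqli_stmt_close($stmt);

    return $row === null ? null : (string) $row['rank'];
}

session_start();
$rank = fetch_member_rank($con, (string) ($_SESSION['user'] ?? ''));
if ($rank === null) {
    // Unknown member: do not fall back to a default rank.
    header('Location: index.php');
    exit;
}
$_SESSION['rank'] = $rank;
echo 'RANK: ' . htmlspecialchars($_SESSION['rank'], ENT_QUOTES, 'UTF-8') . '<br />';
```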
SpOrTsDuDe.Reese Posted October 27, 2007

Are you making a website for a Clan? Such as Warcraft or Starcraft? I saw the rank part in the code.
Mememe Posted October 28, 2007

> When you get a result from MySQL it doesn't give you a single value. When you select the rank, the return value of mysqli_query is not the rank itself; it is a result set that contains 1 row, where that 1 row contains 1 field (the rank). You need to use mysqli_fetch_array or something similar to get the row out of the result set as an array, and then you can store the rank from the array in the session. Check the procedural examples on this page: http://www.php.net/manual/en/function.mysqli-fetch-array.php

Sweet. Thanks for the info. It's working now.

> Are you making a website for a Clan? Such as Warcraft or Starcraft? I saw the rank part in the code.

No. The rank is just for the members to have access to different parts; for example, the Admin can access the page where they can post news from, and so on.

I have another question, about regular expressions. When I was using $_GET['memberid'], I need to make sure it isn't something malicious, so I'll use regular expressions to check if it is meant to only be a number. I have:

if (!ereg("[0,9]{[0-9]}",$_GET['memberid'])) { header('Location: index.php'); } else......

But it does seem to work. Any other ways?
justsomeguy Posted October 29, 2007

If all you want to do is check if it's a number, you can do this:

if (intval($_GET['memberid']) == $_GET['memberid'])

The == operator just checks for value equivalence, so if the string representation and the integer representation have the same value then it's a number.
Mememe Posted October 29, 2007

It doesn't work. When I change the memberid in the url, it doesn't redirect to index.php. And I haven't outputted anything before it.
justsomeguy Posted October 29, 2007

Change the == to !=.
Mememe Posted October 29, 2007

Yeah, I tried that before, but even if I change the url to memberid=1adasd, then it still doesn't redirect.
justsomeguy Posted October 29, 2007

Hmm, that's worked for me in the past. You can use is_numeric instead: http://www.php.net/manual/en/function.is-numeric.php
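The three checks discussed above side by side, as an added example rather than code from the thread: the intval comparison, is_numeric, and a strict digits-only check. The sample inputs are constructed, and member_id_or_redirect() is a helper name chosen here.

```php
<?php
// Added example, not from the thread: the three checks discussed above
// for memberid, run over constructed sample inputs.

function check_intval_loose(string $v): bool
{
    // The check suggested above. With == a leading-numeric string such as
    // "1adasd" is converted to 1 on PHP 5 and 7, so the check passes and no
    // redirect happens; PHP 8 changed int-vs-string comparison.
    return intval($v) == $v;
}

function check_is_numeric(string $v): bool
{
    // True for any numeric string, including "1.5", "1e3", " 7" and "-3".
    return is_numeric($v);
}

function valid_member_id(string $v): ?int
{
    // Strict: ASCII digits only, so no sign, whitespace or exponent, plus a
    // length bound. ctype_digit('') is false, so a missing value fails too.
    if (!ctype_digit($v) || strlen($v) > 9 || $v === '0') {
        return null;
    }
    return (int) $v;
}

// Helper name chosen here. The exit matters: without it the rest of the
// page still runs after the Location header is sent.
function member_id_or_redirect(): int
{
    $raw = $_GET['memberid'] ?? '';
    $id = is_string($raw) ? valid_member_id($raw) : null; // memberid[]=1 is rejected
    if ($id === null) {
        header('Location: index.php');
        exit;
    }
    return $id;
}

if (PHP_SAPI === 'cli') {
    foreach (['42', '1adasd', '1e3', ' 7', '-3', '', '007'] as $s) {
        printf("%-9s intval==:%-6s is_numeric:%-6s strict:%s\n",
            var_export($s, true),
            var_export(check_intval_loose($s), true),
            var_export(check_is_numeric($s), true),
            valid_member_id($s) === null ? 'reject' : 'ok');
    }
}
```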
Mememe Posted October 30, 2007

Hmm... I'll give it a shot. Oh, can SQL Injections be used if I'm only using SELECT?
Synook Posted October 30, 2007

> Oh, can SQL Injections be used if I'm only using SELECT?

Depending on the nature of the SELECT, sometimes. A very simple example is a login script, with the records that contain matching usernames and passwords being pulled from a table and the number of rows being used to check whether the user exists. So, your query is all set up:

SELECT id FROM user_table WHERE username = '{$_POST['username']}' AND password='{$_POST['password']}'

But what happens if, in your login form, someone enters into the username field the value

' OR username LIKE '%' OR password LIKE '%

Then your query will end up looking like

SELECT id FROM user_table WHERE username = '' OR username LIKE '%' OR password LIKE '%' AND password=''

Then the hacker would be able to trick your script into thinking you were a valid user, because you would be able to select rows from the user table.
Mememe Posted October 30, 2007

> Depending on the nature of the SELECT, sometimes. A very simple example is a login script, with the records that contain matching usernames and passwords being pulled from a table and the number of rows being used to check whether the user exists. So, your query is all set up:
>
> SELECT id FROM user_table WHERE username = '{$_POST['username']}' AND password='{$_POST['password']}'
>
> But what happens if, in your login form, someone enters into the username field the value
>
> ' OR username LIKE '%' OR password LIKE '%
>
> Then your query will end up looking like
>
> SELECT id FROM user_table WHERE username = '' OR username LIKE '%' OR password LIKE '%' AND password=''
>
> Then the hacker would be able to trick your script into thinking you were a valid user, because you would be able to select rows from the user table.

Yeah, that's the kind of thing I have. Can you give me some links or suggestions for stopping things like that?
justsomeguy Posted October 30, 2007

http://www.metatitan.com/php/16/protecting...-injection.html
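Synook's login example carried through in code, as an added example rather than anything from the thread or the linked page: the interpolated query with the quoted username value, then the prepared-statement form that answers the question about stopping it. $con is assumed to be an open mysqli connection, and the password_hash column is an assumption of this example (the thread's table stores the password itself).

```php
<?php
// Added example, not from the thread: the login query from the post above,
// first as the interpolated string and then as a prepared statement.
// Assumes an open mysqli connection in $con and a user_table with id,
// username and password_hash columns (the hash column is an assumption;
// the thread's table stores the password itself).

function vulnerable_login_sql(string $username, string $password): string
{
    // The pattern from the thread: form fields spliced into the SQL text.
    // Returned as a string here so the effect can be inspected.
    return "SELECT id FROM user_table WHERE username = '{$username}'"
         . " AND password='{$password}'";
}

// The username value from Synook's post, constructed here; password empty.
$injected = "' OR username LIKE '%' OR password LIKE '%";
echo vulnerable_login_sql($injected, ''), "\n";
// Yields: SELECT id FROM user_table WHERE username = '' OR username LIKE '%'
//         OR password LIKE '%' AND password=''
// AND binds tighter than OR, so every row with a username matches and the
// "did we get a row?" check treats the visitor as a valid user.

function login_user_id(mysqli $con, string $username, string $password): ?int
{
    // Hardened form: values travel as parameters, so a quote in the input
    // is only a character inside the username, never SQL syntax.
    $stmt = mysqli_prepare($con,
        'SELECT id, password_hash FROM user_table WHERE username = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($con));
    }
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true for a row, null for none
    mysqli_stmt_close($stmt);

    // Verify against a stored hash instead of selecting by the plaintext
    // password, so the password never appears in the query at all.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return (int) $id;
}
```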