Error


Mememe
$selectRank = "SELECT rank FROM Members WHERE loginName='{$_SESSION['user']}'";
$_SESSION['rank'] = mysqli_query($con,$selectRank);
echo 'RANK: '.$_SESSION['rank'].'<br />';

That's just to find the rank of the member in the database, and output it. But then I get this error.

Catchable fatal error: Object of class mysqli_result could not be converted to string in C:\Program Files\EasyPHP 2.0b1\www\MEMEME2\index.php on line 44
I'm not sure about object-orientation or classes, so I don't know how to fix this properly. Does anyone have any ideas?

$_SESSION['rank'] does not contain anything that you could print. You just executed a query, now you have to fetch the results. Look at the examples on this page: http://www.php.net/manual/en/function.mysqli-fetch-row.php

Those examples are confusing me. Could you put it in a simpler way? The whole idea of this is that when the user logs in through forms, the user is taken to the login page, and all the php code is executed there, and automatically goes to index.php. There, there is a sidebar that is meant to say
Welcome to your control panel, [USERNAME]
Rank: [RANK. Example, Admin, Member]
Member No:
It works for the username with the same method, but it doesn't work for member no and rank.


When you get a result from MySQL it doesn't give you a single value. When you select the rank, the return value of mysqli_query is not the rank itself, it is a result set that contains 1 row where that 1 row contains 1 field (the rank). You need to use mysqli_fetch_array or something similar to get the row out of the result set as an array, and then you can store the rank from the array in the session. Check the procedural examples on this page: http://www.php.net/manual/en/function.mysqli-fetch-array.php

Sweet. Thanks for the info. It's working now.
Are you making a website for a Clan? Such as Warcraft or Starcraft? I saw the rank part in the code.
No. Just the rank is for the members to have access to different parts, for example, the Admin can access the page where they can post news from and so on. I have another question, about regular expressions. When I was using $_GET['memberid'], I need to make sure it isn't something malicious, so I'll use regular expressions to check if it is meant to only be a number. I have:
if (!ereg("[0,9]{[0-9]}",$_GET['memberid']))
{
  header('Location: index.php');
}
else......

But it does seem to work. Any other ways?


If all you want to do is check if it's a number, you can do this:
if (intval($_GET['memberid']) == $_GET['memberid'])
The == operator just checks for value equivalence, so if the string representation and the integer representation have the same value then it's a number.
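
A stricter way to do the memberid check discussed above, as an added example that is not code from anyone in the thread: a loose == comparison also accepts numeric strings such as "1e1" or " 7", and ereg() was removed in PHP 7, so this uses an anchored preg_match(). The helper name parse_member_id() and the sample inputs are made up for illustration.

```php
<?php
// Added example: parse_member_id() is a hypothetical helper, not from the thread.
// Returns the id as an int, or null when the value is not a plain positive integer.
function parse_member_id($raw): ?int
{
    // Query-string values can arrive as arrays (?memberid[]=1); reject those.
    if (!is_string($raw)) {
        return null;
    }
    // \A and \z anchor the whole string, so a trailing newline is not allowed.
    // [1-9][0-9]{0,8} permits 1..999999999: no sign, no spaces, no exponent
    // notation, no leading zero, and always small enough for a 32-bit int.
    if (preg_match('/\A[1-9][0-9]{0,8}\z/', $raw) !== 1) {
        return null;
    }
    return (int) $raw;
}

// Constructed sample inputs covering the usual edge cases.
$samples = ['42', '0', '-1', '1e1', ' 7', '7 ', "7\n", '12abc', 'abc', '',
            '99999999999', ['1']];

foreach ($samples as $value) {
    $id = parse_member_id($value);
    printf("%-16s => %s\n",
        json_encode($value),
        $id === null ? 'rejected' : "accepted as $id");
}

// In the page itself the check would replace the ereg() test, for example:
//   $memberId = parse_member_id($_GET['memberid'] ?? null);
//   if ($memberId === null) { header('Location: index.php'); exit; }
// The exit matters: header() only queues the redirect, the script keeps running.
```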


Oh, can SQL Injections be used if I'm only using SELECT?
Depending on the nature of the SELECT, sometimes. A very simple example is a login script, with the records that contain matching usernames and passwords being pulled from a table and the number of rows being used to check whether the user exists. So, your query is all set up
SELECT id FROM user_table WHERE username = '{$_POST['username']}' AND password='{$_POST['password']}'

But, what happens if in your password field someone enters into the username field the value ' OR username LIKE '%' OR password LIKE '%? Then your query will end up looking like

SELECT id FROM user_table WHERE username = '' OR username LIKE '%' OR password LIKE '%' AND password=''

Then the hacker would be able to trick your script into thinking you were a valid user because you would be able to select rows from the user table.

Yeah, that's the kind of thing I have, can you give me some links or suggestions for stopping things like that?
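
In response to the question above, an added example (not from any poster in the thread): the login query from the previous answer run two ways against a constructed in-memory SQLite table through PDO, so it needs no MySQL server. Assumptions: the pdo_sqlite extension is available, and the sample row and function names are made up here; with mysqli the same placeholders go through mysqli_prepare() and mysqli_stmt_bind_param().

```php
<?php
// Added example. Constructed table mirroring the thread's user_table; the
// password is a plain string only because the thread's query compares it that way.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$db->exec("INSERT INTO user_table (username, password) VALUES ('alice', 'constructed-secret')");

// Pattern from the thread: request values are pasted into the SQL text,
// so a quote character in a value ends the string literal early.
function login_interpolated(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT id FROM user_table "
         . "WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetch() !== false; // any row counts as "logged in"
}

// Same query with placeholders: the SQL text is fixed when it is prepared and
// the values are sent separately, so they can only ever be compared as data.
function login_bound(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        "SELECT id FROM user_table WHERE username = ? AND password = ?"
    );
    $stmt->execute([$username, $password]);
    return $stmt->fetch() !== false;
}

// Username value quoted in the thread, submitted with an empty password.
$payload = "' OR username LIKE '%' OR password LIKE '%";

$cases = [
    'correct login' => ['alice', 'constructed-secret'],
    'wrong password' => ['alice', 'nope'],
    'thread payload' => [$payload, ''],
];

foreach ($cases as $label => [$user, $pass]) {
    printf("%-15s interpolated=%-5s bound=%s\n",
        $label,
        var_export(login_interpolated($db, $user, $pass), true),
        var_export(login_bound($db, $user, $pass), true));
}
```

The interpolated version returns a row for the quoted username value, while the bound version treats it as an ordinary string that matches no user. The same change applies to the rank query at the top of the thread, which also places a session value directly into the SQL text.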