
I am creating an app and I want the buttons to appear based on your $job. There are 4 jobs, which are all in MySQL databases:

  1. student
  2. teacher
  3. staff
  4. principal

The signup button can only be seen by teacher, staff and principal.

But it doesn't work.

Here is my code:

<?php
session_start();

include("connection.php");
include("functions.php");


$user_data = check_login($con);
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    $job = $_POST['job'];

    $query = "select * from users where job = '$job' limit 1";
    $result = mysqli_query($con, $query);
    $user_job = mysqli_fetch_assoc($result);

    if (in_array($user_job, ['teacher', 'staff', 'principal'])) {
?>
    <body>
        <a href="signup.php">
            <button>Signup Student</button>
        </a>
    </body>
<?php
    }
}
?>

<!DOCTYPE html>
<html>
<title>
    NetPlat
</title>

<head>

</head>

<body>


    <a href="login.php">
        <button id="button">Logout</button>
    </a><br><br>



</body>

</html>

I've also done this:

if ($_SERVER['REQUEST_METHOD'] == "POST") {
$job = mysqli_real_escape_string($con, $_POST['job']);

$user_job = $con->prepare("SELECT * FROM `users` WHERE job = '$job'");
$user_job->bind_param('s', $job); // 's' specifies the variable type => 'string'
$user_job->execute();

$result = $user_job->get_result();
while ($row = $result->fetch_assoc()) {
    if(in_array($user_job, ['teacher', 'staff', 'principal'])){

?>

  • 2
    Check the content of `$user_job` after the query. You'll find it is an array. – KIKO Software May 15 '22 at 10:21
  • 2
    Your code is vulnerable to SQL injection because of the POST variable being used directly in the SQL. You should **always** use a prepared statement when using user supplied data – Professor Abronsius May 15 '22 at 10:22
  • And how do I do that? – jasagregoric May 15 '22 at 10:23
  • See https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php for details – ADyson May 15 '22 at 10:32
  • P.s. regarding your question, see https://meta.stackexchange.com/questions/147616/what-do-you-mean-it-doesnt-work – ADyson May 15 '22 at 10:34
  • Anyway your in_array would likely be better implemented as a `WHERE...IN` clause in the SQL – ADyson May 15 '22 at 10:36
  • Would this work to protect my code? `$job = mysqli_real_escape_string($con, $_POST['job']);` – jasagregoric May 15 '22 at 10:52
  • 1
    No not properly. Read the link I gave you. – ADyson May 15 '22 at 10:52
  • The obsolete `mysqli_real_escape_string` function is not needed when you're using parameters and prepared statements. In fact it could even be harmful occasionally – ADyson May 15 '22 at 12:14
  • Anyway, you still haven't explained your actual problem...what exactly is the issue? "Not working" doesn't tell us anything useful about the situation. What debugging have you done? And why not just use WHERE....IN as I suggested earlier? It's likely to be more efficient as well as less code to write – ADyson May 15 '22 at 12:17
  • My problem is that when I put this parameter `if (in_array($user_job, ['teacher', 'staff', 'principal']))` it hides my button `if (in_array($user_job, ['teacher', 'staff', 'principal'])) { ?> – jasagregoric May 15 '22 at 12:20
  • OK. So have you checked the exact contents of $user_job, since it seemingly doesn't match what you expected? Like I said, you need to do some basic debugging before you'll get anywhere. We cannot see your data or execute the code for you – ADyson May 15 '22 at 12:22
  • OK, I think I found the problem. In my database I created 3 accounts: 1. jasagregoric (job = 'staff'), 2. emmastone (job = 'teacher') and 3. kevismith (job = 'student'). When I display the 1st and 2nd account it shows me their job, but when I display kevinsmith's job it shows me as if he is staff – jasagregoric May 15 '22 at 12:32
  • BTW `job = '$job'` in your latest sql should be `job = ?` - you forgot to switch the injected variable for a placeholder :-) – ADyson May 15 '22 at 13:44
  • `When I display 1st and 2nd account it shows me theirs job but when i display kevinsmith's job it shows me as if he is staff`...OK. I can't see where you're displaying that data. It's also not obvious how it relates to your main question, if I'm honest. Try editing your post to make a more complete description of the issue, so that the info is not scattered through the comments – ADyson May 15 '22 at 13:46
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 15 '22 at 23:00
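Added example, not the asker's code or anything posted in the thread: a rewrite of the page that applies the fixes the comments point to. The job is read from the logged-in user's own record with a parameterised query (a `?` placeholder instead of `'$job'`, and no `mysqli_real_escape_string`), the visibility test compares the string in the `job` column rather than the whole fetched array, and a second function shows ADyson's `WHERE ... IN` variant. Deciding the role from the authenticated user's row instead of from a `$_POST['job']` field also stops a visitor from simply posting `job=teacher` to reveal the button. Assumptions not on the page: `connection.php` provides a mysqli `$con`, `check_login()` returns the logged-in user's row including an integer `id`, and `users` has a string column `job`.

```php
<?php
// Added example (not the asker's code). Assumes: connection.php defines a
// mysqli $con, check_login($con) returns the logged-in user's row with an
// 'id' column, and the users table has a string column 'job'.
session_start();

include("connection.php");
include("functions.php");

/** Only these jobs may see the "Signup Student" button. */
const SIGNUP_ROLES = ['teacher', 'staff', 'principal'];

/**
 * Return the job stored for the given user id, or null when no row exists.
 * The id travels as a bound parameter and is never spliced into the SQL text.
 */
function fetch_user_job(mysqli $con, int $user_id): ?string
{
    $stmt = $con->prepare("SELECT job FROM users WHERE id = ? LIMIT 1");
    $stmt->bind_param('i', $user_id);           // 'i' = integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();  // assoc array or null
    $stmt->close();
    return $row['job'] ?? null;                 // the column value, not the array
}

/** Compare the job string against the allow-list (strict comparison). */
function can_signup_students(?string $job): bool
{
    return $job !== null && in_array($job, SIGNUP_ROLES, true);
}

/**
 * Variant from the comments: let SQL do the role check with WHERE ... IN.
 * Every role is still bound as its own placeholder.
 */
function has_signup_role(mysqli $con, int $user_id): bool
{
    $roles = SIGNUP_ROLES;                       // local copy: bind_param binds by reference
    $placeholders = implode(',', array_fill(0, count($roles), '?'));
    $stmt = $con->prepare(
        "SELECT 1 FROM users WHERE id = ? AND job IN ($placeholders) LIMIT 1"
    );
    $types = 'i' . str_repeat('s', count($roles));
    $stmt->bind_param($types, $user_id, ...$roles);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows === 1;
    $stmt->close();
    return $found;
}

$user_data   = check_login($con);
$job         = fetch_user_job($con, (int) $user_data['id']);
$show_signup = can_signup_students($job);
// Equivalent, letting the database apply the allow-list:
// $show_signup = has_signup_role($con, (int) $user_data['id']);
?>
<!DOCTYPE html>
<html>
<head>
    <title>NetPlat</title>
</head>
<body>
<?php if ($show_signup): ?>
    <a href="signup.php"><button>Signup Student</button></a><br><br>
<?php endif; ?>
    <a href="login.php"><button id="button">Logout</button></a>
</body>
</html>
```

Hiding the button is presentation only: `signup.php` itself must repeat the same job check on the server, otherwise anyone who knows the URL can still reach the page.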
