i'm making simple auction website , i'm trying keep user bidding on item if highest bidder. @ moment, however, code still allows highest bidder continue bidding , error saying mysql_fetch_array() expects paramater 1 resource. idea i'm going wrong? here code:
<html> <head></head> <body> <?php session_start(); require_once("dbconnect.inc"); $accountid=$_session['accountid']; $itemid=$_post['itemid']; $result = mysql_query("select accountid bidhistory biditem = '$itemid' order bidhistoryid desc"); while($row = mysql_fetch_array($result)){ // $checkaccountid = $row['accountid']; if($checkaccountid == $accountid){ /* compare current user */ echo "you highest bidder!"; } else { // can still bid $sql="insert bidhistory (accountid, biditemid) values ($accountid, $itemid)"; mysql_query(" update bidhistory set bidprice = bidprice + 1 biditemid = " . @mysql_escape_string($itemid)); $result=mysql_query($sql) or die("error in adding bid item: ".mysql_error()); } } echo "bid accepted!"; ?> <p><a href="listbiditems.php">back auction</a></p> </body> </html>
your query incorrect first select.
biditem =
should
biditemid
$result = mysql_query("select accountid bidhistory biditemid = '$itemid' order bidhistoryid desc"); you open sql injections code. user input , sql queries should separated. use prepared statements. mysql_ functions don't have support , outdated. should switch db drivers either pdo or mysqli should suffice.
one approach take casting itemid int (presuming int).
$itemid= (int)$_post['itemid']; then
$result = mysql_query("select accountid bidhistory biditemid = $itemid order bidhistoryid desc"); additional information on injection prevention.
how can prevent sql injection in php?
https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet
an example using pdo , query parameterized (http://php.net/manual/en/pdo.prepared-statements.php).
$parameterize = $dbh->prepare('select accountid bidhistory biditemid = ? order bidhistoryid desc'); $parameterize->execute(array($itemid)); the ? here placeholder user provided value.
Comments
Post a Comment