How can i make this mysql query work without getting empty results?

StackOverflow https://stackoverflow.com/questions/7060162

  •  14-12-2020
  •  | 
  •  

Question

I am having trouble getting teh results i want from this mysql query. And i think the trouble lies in this line of code:

$group="SELECT * from mybb_users where usergroup AND additionalgroups = '$usergroup'";

because i noticed that the additionalgroups column in the database has more than one value separated by a comma(,) whereas the usergroup only has ONE value. Here is a screenshot:

here is an image: http://i.imgur.com/UTbmX.jpg

The entire code works perfect if i remove the additionalgroups column from the code and only check the usergroup column, but that is not what i want :( Below is the entire code:

// Connect to server and select databse.
mysql_connect("$db_host", "$db_user", "$db_pass")or die("cannot connect to mysql"); 
mysql_select_db("$db_name")or die("cannot select DB");

$id=$_GET['lid'];     // Get lid from URL
$usergroup =$_GET['game'];       // Get the usergroup/game from the URL

// Check to see if the user is a VIP Member and fetch them.
$group="SELECT * from mybb_users where usergroup AND additionalgroups = '$usergroup'";
$group2=mysql_query($group) or die("Could not get users");
while($raw=mysql_fetch_array($group2))
{
// Fetch all UserIDs of the VIP members and match them with the UfID (in the userfields table)
$userid = $raw['uid'];
$group3="SELECT * from mybb_userfields where ufid = '$userid'";
$group4=mysql_query($group3) or die("Could not match userid");
while($raw=mysql_fetch_array($group4))
{
// assigns a lid from the vip members to the variable $lid
$lid = $raw['fid7'];
// Display the hash of the lid if it matches with the lid from the URL
if($lid == '')
{

}
elseif($lid == $id)
{
echo "[key]{$lid};";
}
else
{
}
}

}
Was it helpful?

Solution

I'm not sure about where usergroup AND ... - is usergroup a DB field? Anyway, you could do it with

$group="SELECT * from mybb_users where usergroup AND FIND_IN_SET('$usergroup', additionalgroups) != 0;

But that is not enough yet. AFAICS you are vulnerable to SQL injection. Please use mysql_real_escape() at the right places, namely everywhere you put variables with user input into a SQL query.

OTHER TIPS

On way to check is with the FIND_IN_SET function.

SELECT * from mybb_users where usergroup AND FIND_IN_SET('$usergroup', additionalgroups) != 0
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top