Jump to content

PHP and Mysql Fatal Error

snamakool123

So I am getting this fatal error.

neTzqjQ.jpg
 
and this is my code
		//Add user if not in DB		$SteamID = $_SESSION['LOGINDATA'];		$query = "SELECT EXISTS(SELECT 1 FROM `userdata` WHERE `steam_id`=$SteamID";		$adduserquery = $dbc->prepare($query);		$adduserquery->execute();				$adduserqueryresult = $adduserquery->fetch(PDO::FETCH_ASSOC);				echo "Result is: " . $adduserqueryresult;

Why is this error coming.

 

I like potatoes, if you don't then please just step aside and let me enjoy this potato.

Link to comment
Share on other sites

Link to post
Share on other sites

You need to use EXIST after a WHERE clause. There is also a missing ")".

Link to comment
Share on other sites

Link to post
Share on other sites

You need to use EXIST after a WHERE clause. There is also a missing ")".

Where is the ")" missing?

 

edit: I see it

I like potatoes, if you don't then please just step aside and let me enjoy this potato.

Link to comment
Share on other sites

Link to post
Share on other sites

You also have an SQL injection vulnerability in your system if the user manages to manipulate his Steam ID to an arbitrary value.

You are already using prepared statements why aren't you using bound parameters inside your query?

http://php.net/manual/ro/pdostatement.bindparam.php (you can also pass an array to execute to bind using the :value syntax).

 

EDIT: And you also have a potential XSS issue if you aren't escaping database output before displaying it to the user.

Link to comment
Share on other sites

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×