i create a webservice and i call a function to confirm user, but every time i call the function, i receive "registration confirmed" message even if i send the wrong vercode, here is my function implementation, consider ckey is constant and not changable and vercode is changable for every user, i think the problem is about mysql instructions.
// RPC method 2 (confirm user)
function confuser($ckey, $vercode) {
$db = mysql_connect("localhost","root");
if(!$db){
return 'Error: cannot open the connection';
exit;
}
mysql_select_db('user_info');
$query = "select * from personal where vercode='".$vercode."' and ckey='".$ckey."' ";
$result = mysql_query($query, $db);
if($result){
return 'registration confirmed';
}
else{
return 'wrong verification , send it again!';
}
}
mysql_query() will return a result handle on ANY successful query. That includes queries that returned ZERO rows. A zero-row result is still a valid result, it just happens to have nothing in it. You will NOT get a "false" return on zero-row queries.
You need to check the number of rows found, e.g.
$result = mysql_query(...);
if (!$result) {
die(mysql_error()); // in case something did blow up
}
if (mysql_num_rows($result) == 0) {
... wrong verification ...
}
mysql_select_db('user_info') or die(mysql_error());
$query = "select * from personal where vercode='$vercode' and ckey='$ckey'";
$result = mysql_query($query, $db) or die(mysql_error());
if(mysql_num_rows($result) > 0)
return 'registration confirmed';
return 'wrong verification , send it again!';
Please note that you need to secure your variables $vercode and $ckey. mysql_real_escape_string() was used to be the escape method, but now mysql_real_escape_string(), and most of the functions you used will be deprecated starting php 5.5.0. Alternatively you can use PDO prepared statements
You can use something like this:
if(mysql_num_rows($result) > 0){
return 'registration confirmed';
}
else{
return 'wrong verification , send it again!';
}