[RESOLVED] How do I make an else statment for this if statement?

Wales

If users rate it should say "Your rating has been posted" if users already rated it should say "You may only rate each picture once"

How do I had an else statement to the following?

if ($_POST['rate'] == 1)
{
        $sql_query = "INSERT INTO ratings(picture_id,ip,rating) VALUES(".$_GET['id'].",'".$_SERVER['REMOTE_ADDR']."',".$_POST['rating'].")";
        mysql_query($sql_query);
        $msg = "Your rating has been posted.";
}

I tried this and all it does is echo the the message on the page:

if ($_POST['rate'] == 1)
{
        $sql_query = "INSERT INTO ratings(picture_id,ip,rating) VALUES(".$_GET['id'].",'".$_SERVER['REMOTE_ADDR']."',".$_POST['rating'].")";
        mysql_query($sql_query);
        $msg = "Your rating has been posted.";
}
else {
   echo "You may only rate each picture once.";
}

greensweater

1 == true in PHP la-la land. Try $_POST['rate'] == '1' (with quotes) to make sure unsafe type casting isn't the problem.

BTW, user input in query strings... SQL injection blah blah...

bradgrafelman

As mentioned, you should never put user-supplied data directly into SQL queries else you're vulnerable to SQL injection attacks. Instead you should sanitize the data with a function such as [man]mysql_real_escape_string/man.

As to your problem, what's happening is that the message is displayed whenever the page is loaded because the if() statement will be evaluated even if the form wasn't submitted yet. Thus, you need to check if it's actually set first (which you should be doing on all user-supplied variables before you simply reference them in one of the superglobal arrays).

One way you could do this is to separate your script into two main parts:

if(isset($_POST['rate'])) {
    // they submitted "rate", do processing here
} else {
    // they didn't submit it - display form here
}

Wales

I did this:
if ($_POST['rate'] == '1' == true) and got error T_IS_EQUAL

They're radio buttons..I thought you can only do sql injections if you add text..? Like some kind of text box?

bradgrafelman

Wales wrote:
They're radio buttons..I thought you can only do sql injections if you add text..? Like some kind of text box?

Yes, normally, but who says someone who's attempting to do a SQL injection is going to bother using your nicely made form to throw data at your PHP script? That's why you need to escape each and every piece of user-supplied data ($COOKIE, $GET, $POST, and even some indexes of $SERVER) to be protected.

As for your problem, that if statement doesn't really make sense (semantically, anyway), and I think you misunderstood greensweater (who I believe misunderstood the error at hand).

As I said, the message is echo'ed on each page load since your code doesn't check to see if $_POST['rate'] was even submitted yet or not. I also posted an example solution.

If for whatever reason you didn't want to follow the normal method of dividing the script into parts, you could change the else to an elseif and use [man]isset/man to verify that the variable was set.

Wales

I think I explained it wrong. What I need help with is this.. when a user submits a rating which is this

if ($_POST['rate'] == 1)
{
        $sql_query = "INSERT INTO ratings(picture_id,ip,rating) VALUES(".$_GET['id'].",'".$_SERVER['REMOTE_ADDR']."',".$_POST['rating'].")";
        mysql_query($sql_query);
        $msg = "Your rating has been posted.";
}

that displays Your rating has been posted after the submission.

What I need help with is when a user tries to rate the same picture again I need something to say "You can only submit once" So do I do another if statement with an echo? How do I check this see if the user submitted the rating? I tried the == 1 ==true but I just got a parse error.

bradgrafelman

How are you tracking each "user" ? Are you simply saying no two ratings from the same IP address, or do you actually have some sort of user authentication system?

If you're just basing it off of IP address, I would say do this: create a UNIQUE index on the picture_id and ip columns (together - two columns in one index), ex.:

mysql> CREATE UNIQUE INDEX index1
    -> ON test (played, str);

That way, when you execute the SQL query, you can check for error message #1062 - duplicate entry. If that occurs, you say that they've already rated that picture. If the query was successful, then you output the posted message you have now.

Wales

Thanks I got the idea now.

greensweater

I misunderstood the question, and I was wrong about type safety in this instance -- PHP knows how to convert numeric strings correctly:

echo ("1" == 1)?"true ":"false ";
echo ("2" == 1)?"true ":"false ";

result:
true false

Ignore all that claptrap about equality. Should be as bradgrafelman said:
if (isset($_POST['rate'])) { ... }

re sql injection, what if we run...

$evil = urlencode("1,1,1);drop table ratings;select concat(");
file_get_contents("http://yoursite.com/yourform.php?id=".$evil);

must be past my bedtime...