[PHP] MySQL problem

[Lorem Ipsum]

For all my sins, I'm using PHP to code a little pet project to try and get me to get back into coding, but I've stumbled at one of the first hurdles and can't identify what the problem is.

Basically, User A signs up to the service and receives a unique ID number and verification code, and for others to join User A's group, they have to enter both of these numbers when registering. The code for User A's registration works fine, and it all enters into the database wonderfully.

My problem is the registration of User B - I've set up a rudimentary check to see whether the verification code matches the verification assigned to the user ID in the database, and if it doesn't, it sends you back and tells you to fill out the registration form again. The only problem is that even if they ARE the same, it sends you back regardless.

The only thing I can imagine is wrong is that the code to check the database verification ID is somehow flawed, but I can't see where. Any help on this would be greatly appreciated! Code below:

$sid = $_POST['schoolid'];
$ver = $_POST['verificationid'];
$title = $_POST['title'];
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$pwd = $_POST['pwd1'];
$conf = $_POST['pwd2'];

// MySQL login data goes here

$con = mysql_connect($mysql_host,$mysql_user,$mysql_password);

$getsid = mysql_query(
"SELECT *
FROM schools
WHERE uid='$sid'");

while($row = mysql_fetch_array($getsid)) {
	$origver = $row['verification'];
	}

if ($pwd != $conf) {
		header('Location: register.php?error=1');
	}
elseif ($ver != $original) {
	header('Location: register.php?error=2');
	}

// Further, unimportant code

 

[1. Luftballon]

well, at a glance, there's a p glaring sql inj with the sid interpolation. please do not interpolate across interfaces unsafely.

(this has nothing to do with the bug you're looking at, but security holes should always take precedence, right)

(I would have links to go with that but I can't seem to motor functions enough to copy/paste on this thing, oops?)

 

[Lorem Ipsum]

I have no idea how to combat that, unfortunately - is it particularly difficult?

 

[Butterfree]

The variable you're reading from the database is called $origver; the variable you're comparing $ver to is called $original. Since PHP just creates new variables if a variable name it doesn't recognize comes up, even if you're trying to read from it which is a pretty strong hint you meant to reference something that exist, it's comparing it to undefined or null or whatever PHP's initial variable value is, which is always going to be false. That would be your problem.

But yes, do look into SQL injections - PHP can do prepared queries now with PDO, which takes care of the issue entirely, but running mysql_real_escape_string on it before you inject it into the query should technically also do the trick, in a hackish, really-bad-idea asking-for-trouble way (since if you were to ever forget it for any value you plug into a query at a later point, you're left completely vulnerable).

 

[1. Luftballon]

But yes, do look into SQL injections - PHP can do prepared queries now with PDO, which takes care of the issue entirely, but running mysql_real_escape_string on it before you inject it into the query should technically also do the trick, in a hackish, really-bad-idea asking-for-trouble way (since if you were to ever forget it for any value you plug into a query at a later point, you're left completely vulnerable).

by all of which I think we would agree we mean, don't do that. not unless you have no other choices.

relevant link, and pdo documentation.