<?php
$con = mysqli_connect('96.127.136.50:3306','stpclima_mnazdzal','xxxxxxx','stpclima_vexie');
if(mysqli_connect_errno()) {
echo "1";
exit();
}
$username = $_POST["username"];
$A_LVL1_EX1 = $_POST["A_LVL1_EX1"];
$namecheckquery = "SELECT username from users WHERE username = '$username' ";
$namecheck = mysqli_query($con, $namecheckquery) or die("2: Name check query failed");
if(mysqli_num_rows($namecheck) != 1) {
echo "5.1: Either no user with name or more than one";
exit();
}
$updatequery = "UPDATE users SET A_LVL1_EX1" . $A_LVL1_EX1 . "WHERE username = '" . $username . "';";
mysqli_query($con, $updatequery) or die ("7: Save query failed");
?>
For the debug log I’m getting this error:
Debug.Log("Save failed. Error #" + www.text);
Save failed. Error #5.1: Either no user with name or more than one
It would probably help when you either return a more specific error or include the number of rows in the error text. That way you know if the issue was that there were none or more than one results.
Apart from that, I would strongly recommend you look up a recent tutorial on how to do database stuff in php. What you do here:
"SELECT username from users WHERE username = '$username' ";
is extremely dangerous as this allows sql injection attacks. Look up prepared statements. In PHP I almost always use the PDO interface. Though apart from that you should verify that the post arguments actually end up in the php script. You should start by simply returning them in the string so you can see in Unity if the value you pass to php actually comes back correctly.
Well, we don’t know what’s inside your “$A_LVL1_EX1” variable. However your sql set statement requires an equal sign to do an actual assignment, like that:
"UPDATE users SET A_LVL1_EX1 = " . $A_LVL1_EX1 . " WHERE username = '" . $username . "';";
Also the where requires a space to separate from your variable value. You’re getting a bit sloppy here ^^.
Note that this sql query also suffers from a potential sql injection attack. Even if this is somehow only used internally I would never use an API like this, let alone release this to the www. Just to make that clear: I could just call your php API, set a “special” username and I could completely drop / erase your database, probe it for all kinds of data or create new tables and use / abuse it for all sorts of things.
I know, but this database and the game is for educational purposes only and I’m not willing to distribute it at all… but yes it’s a best practice to learn the basics of how php works in Injection attacks.
Uhm, what was the result of my suggested change? You made two replies to my post’s additional points but it seems you ignored what I said about your wrong SQL set statement:
Did you actually do that?
Well, the value of "A_LVL1_EX1" certainly is not a boolean since you read it from the _POST array which contains strings. That string may contain the value “true” or “false”. Though what I said was we don’t know what it contains. Technically that variable could contain the missing equal sign as well as the space at the end in which case the query would work. Without them the query is not valid SQL. Hopefully that’s not what you’re doing
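The prepared-statement approach recommended in the replies above, written out with PDO as an added example that is not part of the original thread or the poster's script. It assumes an in-memory SQLite database standing in for the MySQL server so it runs offline; the `saveProgress` helper, the status codes `0`, `3` and `4`, and the sample rows and requests are constructed for illustration. It goes slightly beyond the replies by also restricting the posted value to the strings "true" and "false" and by reporting the row count in the 5.1 error.

```php
<?php
// Added example, not the poster's script. An in-memory SQLite database stands in
// for the MySQL server; the prepare()/execute() calls are the same with a MySQL DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, A_LVL1_EX1 INTEGER DEFAULT 0)");
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')"); // constructed rows

// Hypothetical helper: returns the status string the Unity client would receive.
function saveProgress(PDO $pdo, array $post): string
{
    $username = $post['username'] ?? null;
    $raw      = $post['A_LVL1_EX1'] ?? null;
    if (!is_string($username) || $username === '' || !is_string($raw)) {
        return '3: Missing POST field';
    }
    // $_POST values are strings: map the two expected ones to 1/0, reject the rest.
    $map = ['true' => 1, 'false' => 0];
    $key = strtolower($raw);
    if (!array_key_exists($key, $map)) {
        return '4: A_LVL1_EX1 must be "true" or "false"';
    }
    // Placeholders keep the values out of the SQL text, so quotes in them are inert.
    $check = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $check->execute([':u' => $username]);
    $rows = (int) $check->fetchColumn();
    if ($rows !== 1) {
        return "5.1: Expected 1 user row, found $rows";
    }
    $update = $pdo->prepare('UPDATE users SET A_LVL1_EX1 = :v WHERE username = :u');
    $update->execute([':v' => $map[$key], ':u' => $username]);
    return '0';
}

// Constructed requests: a normal save, a quote-bearing username, a malformed value.
$requests = [
    ['username' => 'alice', 'A_LVL1_EX1' => 'True'],
    ['username' => "alice' OR '1'='1", 'A_LVL1_EX1' => 'true'],
    ['username' => 'bob', 'A_LVL1_EX1' => '= 1 '],
];
foreach ($requests as $post) {
    echo saveProgress($pdo, $post), PHP_EOL;
}
// Dump the table to see which rows the three requests changed.
foreach ($pdo->query('SELECT username, A_LVL1_EX1 FROM users ORDER BY username') as $row) {
    echo $row['username'], ' => ', $row['A_LVL1_EX1'], PHP_EOL;
}
```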