page will not die() if the person is banned php mysql

Question

<?php
include('session.php');
?>
<?php 
require_once('mysql_connect.php');
$query2 ="SELECT  id, username, banned FROM login WHERE username ='$login_session'";
$result2 = mysql_query($query2) OR die($mysql_error());
$row = mysql_num_rows($result2);

if($row['banned'] == 1) {
die();
}

?>

Session.php

<?php
// Establishing Connection with Server by passing server_name, user_id and password as a parameter
$connection = mysql_connect("localhost", "", "");
// Selecting Database
$db = mysql_select_db("", $connection);
session_start();// Starting Session
// Storing Session
$user_check=$_SESSION['login_user'];
// SQL Query To Fetch Complete Information Of User
$ses_sql=mysql_query("select username from login where username='$user_check'", $connection);
$row = mysql_fetch_assoc($ses_sql);
$login_session =$row['username'];
if(!isset($login_session)){
mysql_close($connection); // Closing Connection
header('Location: login.php'); // Redirecting To Home Page
}
?>

As you can see , im trying to stop people who are banned from loading profile.php

it doesnt stop the profile page from loading

Answer 1

thanks fred, that worked – KIXEYE

make it to an answer, ill mark as answered as soon as i can – KIXEYE

As per the OP's wish:

You're using the wrong function for $row. Either use one that will fetch a row as an array, or change if($row['banned'] == 1) to if($row == 1) to work with mysql_num_rows.

---

Footnotes:

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements, they're much safer.

---

Example pulled from https://stackoverflow.com/a/6620252/

$user = "bob";
$user = mysql_real_escape_string($user);
$result = mysql_query("SELECT COUNT(*) AS num_rows FROM my_table WHERE username='{$user}' LIMIT 1;");
$row = mysql_fetch_array($result);
if($row["num_rows"] > 0){
   //user exists
}

---

Edit:

If your banned row contains 1 or 0 to check if they're banned, then add another parameter to your where clause. I.e.: WHERE username ='$login_session' AND banned !=1 if banned column is an int type. If not, wrap 1 in quotes.

• This translates to WHERE username exists and is 'John' and banned does NOT equal 1. Or make it 0, it's your choice.

Answer 2

mysql_num_rows() returns a number of rows, not the rows themselves.

You should use mysql_fetch_assoc() or similar function.

Answer 3

Then why don't you just fetch user who are not banned:

$ses_sql = mysql_query("SELECT username FROM login WHERE username='$user_check' AND banned <> 1",$connection);
$numofresult = mysql_num_rows($ses_sql);

Then check if it has a result:

if($numofresult > 0){
   /* SUCCESS */
}
else {
   /* BANNED */
}

To compromise SQL injections, use mysql_real_escape_string() function.

$user = mysql_real_escape_string($username,$connection);

But a better recommendation is to use mysqli_* prepared statement or PDO.

if($stmt = $connection->prepare("SELECT username FROM login WHERE username='$user_check' AND banned <> 1")){
  $stmt->execute();
  $stmt->store_result();
  $numofresult = $stmt->num_rows;
  $stmt->close();
}