Source code:
16)$query = "select * from userid where username=.$_REQUEST[username]";
17)$result = mysql_query($query);
18)$checknum = mysql_num_rows($result);
Error Message :
PHP Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in e:\inetpub\wwwroot\yuan\adduser1.php on line 18
Thank you
Bob
help me!
Moderator: General Moderators
Code:
$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];
$result = mysql_query($query) or die("Error 43342");
$checknum = mysql_num_rows($result);

Make sure that the row `username` exists, and if necessary, try your query in phpMyAdmin. ("Error 43342" so that in large scripts, you can grep "43342" and it'll find the offending line.)
Also note that qartis silently fixed part of your problem.

wugang_bob wrote:
$query = "select * from userid where username=.$_REQUEST[username]";

qartis wrote:
$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];

Code:
// no concatenation with the string literal
$query = "select * from userid where username=$_REQUEST[username]";

Code:
// concat two strings
$query = "select * from userid where username=" . $_REQUEST['username']; // please note: $arr['key']

Code:
-- the query both versions build for the input Nick (no quotes around the value)
select * from userid where username=Nick

Code:
-- the query that was actually intended
select * from userid where username='Nick'

Code:
$query = "select * from userid where username='$_REQUEST[username]'";

Code:
-- the query built by the line above for the input:  ' OR username LIKE '%
select * from userid where username='' OR username LIKE '%'

And this is one of the more harmless insertions...
But just like you can mark certain characters as content (not special characters) in PHP, you can for MySQL.
Take a look at http://php.net/mysql_escape_string
then try
Code:
// the quotes in the input are escaped, so they can no longer close the string literal
// (mysql_real_escape_string() is the connection-charset-aware variant of the same call)
$query = "select * from userid where username='" . mysql_escape_string($_REQUEST['username']) . "'";
$result = mysql_query($query) or die(__FILE__ . '@' . __LINE__ . ': ' . mysql_error()); // extending qartis' lookup
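The progression above, run end to end as an added example (this is not code from the thread or from any of its posters). It uses PDO against an in-memory SQLite database so it needs no MySQL server; the `userid` table, its three rows and the function names are constructed for the demo, and the `$username` parameter stands in for `$_REQUEST['username']`. The first function is the quoted-but-unescaped pattern from the post, the second escapes the value the way mysql_escape_string() did (PDO::quote() here), and the third uses a prepared statement, which is the form that replaced the mysql_* functions (removed in PHP 7).

```php
<?php
// Added example, not from the thread: the "' OR username LIKE '%" insertion
// discussed above, against an in-memory SQLite table (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE userid (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$pdo->exec("INSERT INTO userid (username) VALUES ('Nick'), ('alice'), ('bob')");

// 1. The pattern from the post: the value is quoted but not escaped, so a quote
//    inside $username closes the literal and the rest becomes SQL.
function lookupVulnerable(PDO $pdo, string $username): array
{
    $query = "select * from userid where username='$username'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping: PDO::quote() plays the role of mysql_escape_string() (and adds the
//    surrounding quotes itself). Correct, but it has to be remembered for every value.
function lookupEscaped(PDO $pdo, string $username): array
{
    $query = "select * from userid where username=" . $pdo->quote($username);
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is sent separately from the SQL text, so there
//    is nothing to escape; the payload is just a username nobody has.
function lookupPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare("select * from userid where username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR username LIKE '%"; // the "harmless insertion" from the post

printf("vulnerable: %d rows\n", count(lookupVulnerable($pdo, $payload)));
printf("escaped:    %d rows\n", count(lookupEscaped($pdo, $payload)));
printf("prepared:   %d rows\n", count(lookupPrepared($pdo, $payload)));
printf("legit Nick: %d rows\n", count(lookupPrepared($pdo, 'Nick')));
```

Run it with `php inject_demo.php` (any PHP build with pdo_sqlite, which is bundled by default). The vulnerable lookup hands back every row in the table for the payload, because the built query is exactly the `username='' OR username LIKE '%'` statement shown above; the escaped and prepared lookups return no rows for it, and the prepared lookup still returns the one row for a real username. The escaping route works but fails silently the one time it is forgotten, which is why prepared statements are the default to reach for.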