help me!

wugang_bob
Forum Newbie
Posts: 6
Joined: Thu Jun 26, 2003 8:20 pm

Post by wugang_bob »

Source code:
16)$query = "select * from userid where username=.$_REQUEST[username]";
17)$result = mysql_query($query);
18)$checknum = mysql_num_rows($result);

Error Message :
$PHP Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in e:\inetpub\wwwroot\yuan\adduser1.php on line 18

Thank you

Bob
qartis
Forum Contributor
Posts: 271
Joined: Sat Dec 14, 2002 4:43 pm
Location: BC, Canada

Post by qartis »

Code: Select all

$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];

$result = mysql_query($query) or die("Error 43342");

$checknum = mysql_num_rows($result);

Make sure that the row `username` exists, and if necessary, try your query in phpMyAdmin. ("Error 43342" so that in large scripts, you can grep "43342" and it'll find the offending line)
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

wugang_bob wrote: $query = "select * from userid where username=.$_REQUEST[username]";
qartis wrote: $query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];
Also note that qartis silently fixed part of your problem.

Code: Select all

// no concatenation with the string literal
$query = "select * from userid where username=$_REQUEST[username]";
or

Code: Select all

// concat two strings
$query = "select * from userid where username=" . $_REQUEST['username']; // please note: $arr['key']
Now take a look at what mysql will receive, e.g.

Code: Select all

select * from userid where username=Nick
but mysql needs to get string literals quoted just as php does, something like

Code: Select all

select * from userid where username='Nick'
so they have to be added to the query-string (btw: your table really has the name userid, sounds more like a field to me but anyway)

Code: Select all

$query = "select * from userid where username='$_REQUEST[username]'";
Now think about what happens if a user sends a malicious request making $_REQUEST[username] something like ' OR username LIKE '%. The resulting query string would be

Code: Select all

select * from userid where username='' OR username LIKE '%'
Ouch! ;)
And this is one of the more harmless insertions...
But just like you can mark certain characters as content (not special characters) in php you can for mysql.
Take a look at http://php.net/mysql_escape_string
then try

Code: Select all

$query = "select * from userid where username='" . mysql_escape_string($_REQUEST['username']) . "'";
$result = mysql_query($query) or die(__FILE__ . '@' . __LINE__ . ': '. mysql_error()); // extending qartis' lookup
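
Added example, not part of volka's post or the original thread: the quoted query from the post run against the same inputs once with the value concatenated into the SQL text and once as a bound parameter. It uses PDO prepared statements rather than the mysql_escape_string call above (the mysql_* extension was removed in PHP 7), and assumes the pdo_sqlite driver with an in-memory table of constructed rows in place of the thread's MySQL database; the function names are hypothetical.

```php
<?php
// Added example: PDO with in-memory SQLite stands in for the thread's MySQL
// connection so the script runs offline. Table contents are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE userid (username TEXT)");
$pdo->exec("INSERT INTO userid (username) VALUES ('Nick'), ('Bob'), ('O''Brien')");

// The thread's quoted-but-unescaped query: input is pasted into the SQL text.
function countConcatenated(PDO $pdo, string $username): int
{
    $query = "select * from userid where username='$username'";
    return count($pdo->query($query)->fetchAll());
}

// Bound parameter: the SQL text is fixed and the input travels as data only.
function countPrepared(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('select * from userid where username = ?');
    $stmt->execute([$username]);
    return count($stmt->fetchAll());
}

$inputs = [
    'Nick',                       // ordinary name
    "' OR username LIKE '%",      // the input from volka's post
    "O'Brien",                    // legitimate name containing a quote
];

foreach ($inputs as $input) {
    try {
        $concat = countConcatenated($pdo, $input);
    } catch (PDOException $e) {
        $concat = 'SQL error';    // the stray quote breaks the statement
    }
    printf("%-24s concatenated: %-9s prepared: %d\n",
        $input, $concat, countPrepared($pdo, $input));
}
```

With a MySQL DSN in place of `sqlite::memory:` the two functions stay the same; the comparison per input is the row count each form of the query returns.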