help me!

Posted: Thu Jun 26, 2003 10:44 pm
by wugang_bob
Source code:
16)$query = "select * from userid where username=.$_REQUEST[username]";
17)$result = mysql_query($query);
18)$checknum = mysql_num_rows($result);

Error Message :
$PHP Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in e:\inetpub\wwwroot\yuan\adduser1.php on line 18

Thank you

Bob

Posted: Thu Jun 26, 2003 10:52 pm
by qartis

Code: Select all

$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];

$result = mysql_query($query) or die("Error 43342");

$checknum = mysql_num_rows($result);

Make sure that the row `username` exists, and if necessary, try your query in phpMyAdmin. ("Error 43342" so that in large scripts, you can grep "43342" and it'll find the offending line)

Posted: Fri Jun 27, 2003 2:42 am
by volka
wugang_bob wrote:$query = "select * from userid where username=.$_REQUEST[username]";
qartis wrote:$query = "SELECT * FROM `userid` WHERE username=".$_REQUEST[username];
Also note that qartis silently fixed part of your problem.

Code: Select all

// no concatenation with the string literal
$query = "select * from userid where username=$_REQUEST[username]";
or

Code: Select all

// concat two strings
$query = "select * from userid where username=" . $_REQUEST['username']; // please note: $arr['key']
Now take a look at what mysql will receive, e.g.

Code: Select all

select * from userid where username=Nick
but mysql needs to get string literals quoted just as php does, something like

Code: Select all

select * from userid where username='Nick'
so they have to be added to the query-string (btw: your table really has the name userid, sounds more like a field to me but anyway)

Code: Select all

$query = "select * from userid where username='$_REQUEST[username]'";
Now think about what happens if a user sends a malicious request making $_REQUEST[username] something like ' OR username LIKE '%. The resulting query string would be

Code: Select all

select * from userid where username='' OR username LIKE '%'
ouch! ;)
And this is one of the more harmless insertions...
But just like you can mark certain characters as content (not special characters) in php, you can for mysql.
Take a look at http://php.net/mysql_escape_string
then try

Code: Select all

$query = "select * from userid where username='" . mysql_escape_string($_REQUEST['username']) . "'";
$result = mysql_query($query) or die(__FILE__ . '@' . __LINE__ . ': '. mysql_error()); // extending qartis' lookup
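To see volka's point end to end, here is an added example (not from the thread) in Python with an in-memory SQLite database standing in for MySQL: the concatenated query from the posts above beside a parameter-bound one, each fed first an ordinary name and then the ' OR username LIKE '% value. The table rows are constructed, and driver-side parameter binding is used here in place of mysql_escape_string(), which is MySQL-specific.

```python
import sqlite3

# Constructed sample rows standing in for the thread's `userid` table.
ROWS = [
    ("Nick", "nick@example.org"),
    ("Bob", "bob@example.org"),
    ("wugang", "wugang@example.org"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the thread's `userid` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userid (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO userid VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The thread's pattern: the request value is pasted into the SQL text.
    Adding quotes is not enough, because a quote inside the value closes
    the literal and the rest of the value becomes SQL."""
    query = f"select * from userid where username='{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the value travels as a bound parameter, never as SQL
    text, so quotes inside it are just characters of the value."""
    return conn.execute(
        "select * from userid where username=?", (username,)
    ).fetchall()


def checknum(conn: sqlite3.Connection, username: str, safe: bool) -> int:
    """Mirror the thread's $checknum: number of rows the query matched."""
    rows = (lookup_parameterised if safe else lookup_vulnerable)(conn, username)
    return len(rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR username LIKE '%"
    for value in ("Nick", payload):
        print(repr(value), "concatenated:", checknum(db, value, safe=False),
              "bound:", checknum(db, value, safe=True))
```

With the concatenated query the payload matches every row in the table, exactly the `username='' OR username LIKE '%'` case volka spells out, while the bound form matches nothing because no user is literally named that.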