Got an error from mysqli_num_rows when trying to do a query.

Jazztronik
Forum Newbie
Posts: 3
Joined: Fri Nov 04, 2005 5:34 am

Post by Jazztronik »

Could someone please help me find out why I get this error?:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in c:\SERVER\htdocs....

Here is the code. It just tries to connect to a database:

Code:

<?php
session_start(); 
 
if (isset($_POST['userid']) && isset($_POST['password'])) { 
        // User sent log in through form

        // Connection to database:
        @$db = mysqli_connect('localhost', 'authenticator', 'passAthenticator', 'authentication'); // authenticator with pass='passAuthenticator' has been granted select privilege on DB 'authentication'. It's not a real user, but just an automatic registrator.
         
        // Connection error?:
        if (mysqli_connect_errno()) { 
            // Error trying to access database
            echo 'There was an error trying to access database. Please try later.<br />'; 
            exit; 
        } 
         
        // Short names for form superglobal vars: 
        $userid = $_POST['userid']; 
        $password = $_POST['password']; 

        // Query: 
        $myQuery = "select * from authorized_users where name=".$userid." and password=".$password; 
        $result = mysqli_query($db, $myQuery); 
        $num_results = mysqli_num_rows($result); // THIS LINE PRODUCES THE ERROR
         
        // Did we get any record containing valid userid and password? 
        if ($num_results > 0) { 
            // We got one.
            // Creating session var:
            $_SESSION['valid_user'] = $userid; 
        } 
        // Finish database connection:                 
        mysqli_free_result($result); // THIS LINE PRODUCES ERROR 'CAUSE USES VAR $result TOO
        mysqli_close($db); 
    } 

?>
Please I need your help!
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

http://www.php.net/mysqli_query
Returns TRUE on success or FALSE on failure. For SELECT, SHOW, DESCRIBE or EXPLAIN mysqli_query() will return a result object.
Btw, your query probably needs quotes around $userid and $password.. And you need to sanitize your input instead of using it directly...

Code:

$userid = mysqli_real_escape_string($db, $_POST['userid']);
$password = mysqli_real_escape_string($db, $_POST['password']);

$query = "SELECT * FROM authorized_users WHERE name='$userid' AND password='$password'";
$result = mysqli_query($db, $query);
if ($result === FALSE)
{
   echo "houston we got a problem: " . mysqli_error($db) . "<br/>";
}
else
{
   $num_results = mysqli_num_rows($result);
}
TJ
Forum Newbie
Posts: 20
Joined: Thu Nov 03, 2005 10:22 pm
Location: Nottingham, UK

Post by TJ »

Try checking that mysqli_query() has returned a result.

Code:

// Query:
$myQuery = "select * from authorized_users where name=".$userid." and password=".$password;
if($result = mysqli_query($db, $myQuery))
  $num_results = mysqli_num_rows($result); // THIS LINE PRODUCES THE ERROR
else
  echo 'error!!';
Jazztronik
Forum Newbie
Posts: 3
Joined: Fri Nov 04, 2005 5:34 am

Post by Jazztronik »

Thanks a lot timvw!! :D

Now I get it working! 8)

However, may you please explain the use of mysqli_real_escape_string(), and why must I use simple quotes (or single quotes, what you call them) with $userid and $password inside the query string? If I'm not wrong '$password' in PHP is interpreted as a string itself, and "$password" (with double quotes) is interpreted as a variable containing a value.

I'm a little confused about this all. It would be great if you told me the explanation of this paradoxical use of single quotes.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Code:

$userid = "mike";
$password = "test";
$myQuery = "select * from authorized_users where name=".$userid." and password=".$password;
This results in the string: select * from authorized_users where name=mike and password=test
The problem is that you need to use quotes around the values of a string type..

-> select * from authorized_users where name='mike' and password='test'

So I gave you a query that works...

For the sanitize part I suggest you read a bit about SQL Injection attacks, eg: http://shiflett.org/articles/security-corner-apr2004
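
An added example, not part of the original thread: the same lookup written with a prepared statement, which covers both points raised in the replies above (the FALSE return from a failed query, and quoting and escaping the input). Table, column and account names are the thread's; the function name `is_authorized_user()` and the password placeholder are assumptions.

```php
<?php
// Added example, not code from the thread. Table, column and account names
// follow the thread; is_authorized_user() and the password placeholder are
// assumptions made for illustration.

// Throw mysqli_sql_exception on any failure instead of returning FALSE, so
// a failed query can never be handed to a *_num_rows() call as a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function is_authorized_user(mysqli $db, string $userid, string $password): bool
{
    // The ? placeholders keep the values out of the SQL text, so a value
    // such as O'Brien cannot close the string literal early the way it
    // does in a concatenated query. No quoting or escaping is needed.
    $stmt = mysqli_prepare(
        $db,
        'SELECT 1 FROM authorized_users WHERE name = ? AND password = ?'
    );
    mysqli_stmt_bind_param($stmt, 'ss', $userid, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt); // buffer the rows so num_rows is valid
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

session_start();

$userid   = $_POST['userid']   ?? null;
$password = $_POST['password'] ?? null;

// Form fields can arrive as arrays (userid[]=...), so require strings.
if (is_string($userid) && is_string($password)) {
    try {
        $db = mysqli_connect('localhost', 'authenticator', 'PLACEHOLDER_PASSWORD', 'authentication');
        if (is_authorized_user($db, $userid, $password)) {
            $_SESSION['valid_user'] = $userid;
        }
        mysqli_close($db);
    } catch (mysqli_sql_exception $e) {
        // Keep the SQL error out of the page; record it server-side.
        error_log('login query failed: ' . $e->getMessage());
        echo 'There was an error trying to access database. Please try later.<br />';
    }
}
```

With the concatenated query, a legitimate name containing an apostrophe produces a syntax error, `mysqli_query()` returns FALSE, and the original warning reappears; the bound parameter avoids that case.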
Jazztronik
Forum Newbie
Posts: 3
Joined: Fri Nov 04, 2005 5:34 am

Post by Jazztronik »

This is how I finally got it working, surrounding the variables with single quotes:

Code:

$myQuery = "select * from authorized_users where name='".$userid."' and password='".$password."'";
Thanks tim and TJ for your help!