explain this warning to me please

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


bruceg
Forum Contributor
Posts: 174
Joined: Wed Mar 16, 2005 11:07 am
Location: Morrisville, NC


Post by bruceg »

trying to set up a form for subscribers to email newsletter

the form action takes you to a page using this code

Code:

<?php

$connection = mysql_connect("localhost", "username", "password");
mysql_select_db("bruceg_mailinglist", $connection);

$rs = mysql_query("SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'");

if(mysql_num_rows($rs) > 0) {
  echo "That email address is already subscribed.";
}
else {
  mysql_query("INSERT INTO subscribers('f_name', 'l_name', 'email_addr') VALUES('".$_REQUEST['f_name']."', '".$_REQUEST['l_name']."', '".$_REQUEST['email_addr']."')");
  mail($_REQUEST['email_addr'], 'subscribers', 'You\'ve successfully subscribed to the inspired-evolution.com mailing list. If you want to unsubscribe simply go to http://www.inspired-evolution.com/unsub ... form.php.', 'From: webguync@gmail.com');
  echo "<h2>Thank you for subscribing !</h2><p> we will be sending out a monthly newsletter related to web design and development using XHTML, CSS, Photoshop, PHP, MySQL, web standards and accessibility .";
}

?>
which is giving me this warning:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hsphere/local/home/bruceg/inspired-evolution.com/subscribe.php on line 46

and the email address isn't getting entered into the MySQL database.

the database contains a table called subscribers with three rows named email_addr, f_name, l_name in that order.

thanks in advance!
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

replace your query with

Code:

$rs = mysql_query("SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'") or die(mysql_error());

for an idea of why your query failed.

secondly, you do not want to have any user variables ever put directly into the query because it opens it up to SQL injection..

at minimum pass $_REQUEST['email_addr'] through mysql_real_escape_string()
bruceg
Forum Contributor
Posts: 174
Joined: Wed Mar 16, 2005 11:07 am
Location: Morrisville, NC

Post by bruceg »

thanks for the reply.

the first part is easy enough. The second part dealing with the SQL injection, I followed the link to information, but am not exactly sure what I would need to do to prevent the SQL injection with my query.

thx,
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

but am not exactly sure what I would need to do to prevent the SQL injection with my query.
Wherever you use input in constructing your query you should escape it.

Code:

SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'"

$_REQUEST['email_addr'] is input, so you should escape it with mysql_real_escape_string() first. Otherwise a hacker could set the contents of that variable to something that will allow him to perform arbitrary queries against your database.
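The two points raised in the replies above (check the result of mysql_query() before handing it to mysql_num_rows(), and never splice request data into SQL text) are shown together below. This is an added example, not code from any poster in the thread. Part (1) is the minimal fix to the original ext/mysql code as John and Ollie describe it; part (2) is the same page rewritten with mysqli prepared statements, where the input is bound as data and never becomes part of the query string at all. The host, credentials, and the table layout (subscribers with columns subscriber_id, f_name, l_name, email_addr) are assumed from the first post; the column is referenced as email_addr because that is the name the poster gives for the table, not the `email` used in the failing query.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table
// `subscribers` with columns subscriber_id, f_name, l_name, email_addr and
// the host/credentials used in the thread.

// ---- (1) Minimal fix for the legacy ext/mysql code (PHP 5 only) ------------
function legacy_is_subscribed($connection, $raw_email)
{
    // Escape with the connection handle so the escaping matches the
    // connection's character set.
    $email = mysql_real_escape_string($raw_email, $connection);
    // Column is email_addr, and identifiers are never single-quoted.
    $sql = "SELECT subscriber_id FROM subscribers WHERE email_addr = '$email'";
    $rs  = mysql_query($sql, $connection);
    // mysql_query() returns false on failure; passing that false to
    // mysql_num_rows() is what produces "supplied argument is not a valid
    // MySQL result resource". Fail loudly instead of counting rows on it.
    if ($rs === false) {
        throw new RuntimeException('query failed: ' . mysql_error($connection));
    }
    return mysql_num_rows($rs) > 0;
}

// ---- (2) Preferred: mysqli with prepared statements -------------------------
function open_db()
{
    // Report driver failures as exceptions, so a failed query can never be
    // silently handed on to a result function.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'username', 'password', 'bruceg_mailinglist');
    $db->set_charset('utf8mb4');
    return $db;
}

function is_subscribed(mysqli $db, $email)
{
    $stmt = $db->prepare('SELECT subscriber_id FROM subscribers WHERE email_addr = ?');
    $stmt->bind_param('s', $email);   // bound as data: a quote or -- in $email is inert
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

function add_subscriber(mysqli $db, $f_name, $l_name, $email)
{
    // Column names are identifiers: bare or backticked, not 'quoted' as in
    // the original INSERT, which is a syntax error.
    $stmt = $db->prepare(
        'INSERT INTO subscribers (f_name, l_name, email_addr) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('sss', $f_name, $l_name, $email);
    $stmt->execute();
    $stmt->close();
}

// Read from $_POST rather than $_REQUEST (which also accepts GET and cookie
// values), and validate before the value reaches the database or mail().
$email  = filter_var(isset($_POST['email_addr']) ? $_POST['email_addr'] : '', FILTER_VALIDATE_EMAIL);
$f_name = isset($_POST['f_name']) ? trim($_POST['f_name']) : '';
$l_name = isset($_POST['l_name']) ? trim($_POST['l_name']) : '';
if ($email === false) {
    http_response_code(400);
    exit('Please enter a valid email address.');
}

$db = open_db();
if (is_subscribed($db, $email)) {
    echo 'That email address is already subscribed.';
} else {
    add_subscriber($db, $f_name, $l_name, $email);
    mail($email, 'subscribers', 'You have successfully subscribed to the mailing list.', 'From: webguync@gmail.com');
    echo '<h2>Thank you for subscribing!</h2>';
}
```

Two practical notes. The `or die(mysql_error())` idiom is fine for finding out why a query failed during development, but in production it prints driver errors to the visitor; logging the error and showing a generic message (as the exception path above allows) keeps table and column names out of the response. And because the same address is reused as the recipient of mail(), validating it with FILTER_VALIDATE_EMAIL also guarantees it carries no newline, so a crafted value cannot append extra headers there either.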