explain this warning to me please

Posted: Fri Apr 28, 2006 5:05 pm
by bruceg
trying to set up a form for subscribers to email newsletter

the form action takes you to a page using this code

Code:

<?php

$connection = mysql_connect("localhost", "username", "password");
mysql_select_db("bruceg_mailinglist", $connection);

$rs = mysql_query("SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'");

if(mysql_num_rows($rs) > 0) {
  echo "That email address is already subscribed.";
}
else {
  mysql_query("INSERT INTO subscribers('f_name', 'l_name', 'email_addr') VALUES('".$_REQUEST['f_name']."', '".$_REQUEST['l_name']."', '".$_REQUEST['email_addr']."')");
  mail($_REQUEST['email_addr'], 'subscribers', 'You\'ve successfully subscribed to the inspired-evolution.com mailing list. If you want to unsubscribe simply go to http://www.inspired-evolution.com/unsub ... form.php.', 'From: webguync@gmail.com');
  echo "<h2>Thank you for subscribing !</h2><p> we will be sending out a monthly newsletter related to web design and development using XHTML, CSS, Photoshop, PHP, MySQL, web standards and accessibility .";
}

?>
which is giving me this warning:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hsphere/local/home/bruceg/inspired-evolution.com/subscribe.php on line 46

and the email address isn't getting entered into the MySQL database.

the database contains a table called subscribers with three rows named email_addr, f_name, l_name in that order.

thanks in advance!

Posted: Fri Apr 28, 2006 5:07 pm
by John Cartwright
replace your query with

Code:

$rs = mysql_query("SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'") or die(mysql_error());
for an idea of why your query failed.

secondly, you do not want to have any user variables ever put directly into the query because it opens it up to SQL injection..

at minimum pass $_REQUEST['email_addr'] through mysql_real_escape_string()

Posted: Fri Apr 28, 2006 5:26 pm
by bruceg
thanks for the reply.

the first part is easy enough. The second part dealing with the SQL injection, I followed the link to information, but am not exactly sure what I would need to do to prevent the SQL injection with my query.

thx,

Posted: Fri Apr 28, 2006 7:05 pm
by Ollie Saunders
but am not exactly sure what I would need to do to prevent the SQL injection with my query.
Wherever you use input in constructing your query you should escape it.

Code:

SELECT subscriber_id FROM subscribers WHERE email = '".$_REQUEST['email_addr']."'"
$_REQUEST['email_addr'] is input so you should escape it with mysql_real_escape_string() first. Otherwise a hacker could set the contents of that variable to something that will allow him to perform arbitrary queries against your database.
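As an added example that is not part of the thread, here is the same subscriber check and insert rewritten with mysqli prepared statements, so the e-mail address travels to the server as a bound parameter rather than as part of the SQL text. It assumes the column names the original poster listed (email_addr, f_name, l_name) and uses placeholder connection credentials; the mail() call is left out.

```php
<?php
// Added example, not the thread's own code: subscriber lookup and insert
// with mysqli prepared statements. Host, user and password are placeholders.
// Column names follow the poster's description (email_addr, f_name, l_name).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'username', 'password', 'bruceg_mailinglist');

function is_subscribed(mysqli $db, string $email): bool
{
    // The ? placeholder is filled by the server; the value never becomes SQL syntax.
    $stmt = $db->prepare('SELECT subscriber_id FROM subscribers WHERE email_addr = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

function add_subscriber(mysqli $db, string $fname, string $lname, string $email): void
{
    // Column names are unquoted identifiers; values are bound, not concatenated.
    $stmt = $db->prepare('INSERT INTO subscribers (f_name, l_name, email_addr) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $fname, $lname, $email);
    $stmt->execute();
    $stmt->close();
}

// Validate the address before touching the database. An input containing a
// stray quote character is rejected here, and even if it were accepted,
// bind_param would store it as a literal string rather than running it as SQL.
$email = filter_input(INPUT_POST, 'email_addr', FILTER_VALIDATE_EMAIL);
$fname = trim((string) filter_input(INPUT_POST, 'f_name'));
$lname = trim((string) filter_input(INPUT_POST, 'l_name'));

if ($email === false || $email === null) {
    echo 'Please enter a valid email address.';
} elseif (is_subscribed($db, $email)) {
    echo 'That email address is already subscribed.';
} else {
    add_subscriber($db, $fname, $lname, $email);
    echo '<h2>Thank you for subscribing!</h2>';
}
```

The mysql_* functions used in the thread were removed in PHP 7, so mysqli or PDO prepared statements are the current route; escaping with mysql_real_escape_string() only ever protected quoted string literals, whereas binding covers every parameter.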