mysql_num_rows trouble

thunderbox
Forum Newbie
Posts: 13
Joined: Wed Mar 07, 2007 4:06 pm


Post by thunderbox »

hey, I'm new to PHP, well kinda new. I'm not very good, put it that way :)

I'm having trouble with this registration script.. it says when I run it "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in D:\Program Files\xampp\htdocs\stuff\registration_script\registration.php on line 29"

here is the whole code.. sorry about the comments, I got bored when writing it :)

Code: Select all

<?php

// include all the database stuff because it is needed

include 'database_connect.php';
include 'config.php';

// Get the variables

$email = $_POST['email'];
$password = $_POST['password'];
	$password = md5($password);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$country = $_POST['country'];
$age = $_POST['age'];

// change the variables to strip the strings

$password = htmlspecialchars($password);
$firstname = htmlspecialchars($firstname);
$lastname = htmlspecialchars($lastname);
$email = htmlspecialchars($email);
$age = htmlspecialchars($age);

// check for people in the database that are already there (unlikely because of the email stuff)

$sql_email_check = mysql_query("SELECT email FROM users	WHERE email='$email'");
$email_check = mysql_num_rows($sql_email_check);   // ------------- LINE 29 -----------

if ($email=="0") {

// This is where we put smurf in the database because me are mad cool

$sql = mysql_query("INSERT INTO users (email, password, firstname, lastname, country, age, signup_date) VALUES ('$email','$password','$firstname','$lastname','$country','$age',now())")
	or die (mysql_error());

} else {

// the dumbass tried to create 2 accounts using one email adress... what a tool!

echo 'THE EMAIL ALREADY EXISTS... YOU ARE ONLY ALLOWED 1 ACCOPUNT PER EMAIL... CREATE ANOTHER EMAIL!';
}

// check if the smurf went into the database without any problems

if(!$sql) {
	echo 'THE DATABASE IS SCREWED, TRY AGAIN OR EMAIL ADMIN';
} else {

// it went in without problems so this makes the main page of the site turn up in the little thing with the thing!

echo 'welcome the the site! you can now log in!';
include 'main_page.php';
}
?>

thanks for your help :)

volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

try

Code: Select all

// check for people in the database that are already there (unlikely because of the email stuff)

$sql_email_check = mysql_query("SELECT email FROM users WHERE email='$email'") or die(mysql_error());
$email_check = mysql_num_rows($sql_email_check);

and take a look at http://de.php.net/security.database.sql-injection

thunderbox
Forum Newbie
Posts: 13
Joined: Wed Mar 07, 2007 4:06 pm

Post by thunderbox »

I did that.. I should have thought of it.. it said I hadn't selected the database.. so I did and now it is fixed... except it puts all the "error" messages on the screen before I even try and fill in the form.. ah well, I'll try to figure it out.. thank you

BTW.. where do I put the mysql_real_escape ??

volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

if e.g. I enter ' and 1='0 in the email field you have something like

Code: Select all

// $email = $_POST['email'];
$email = "' and 1='0";
$query = "SELECT email FROM users WHERE email='$email'";
echo $query, "<br />\n";

prints

SELECT email FROM users WHERE email='' and 1='0'

And no record will ever match this WHERE condition. What was supposed to be data "escaped" and became control code.

Code: Select all

<?php
$mysql = mysql_connect('localhost', 'localuser', 'localpass');
mysql_select_db('test', $mysql);

$email = mysql_real_escape_string("' and 1='0", $mysql);
$query = "SELECT email FROM users WHERE email='$email'";
echo $query, "<br />\n";
?>

SELECT email FROM users WHERE email='\' and 1=\'0'

mysql_real_escape_string marks all characters that might have special meaning in a query as "no special meaning, just the character".
You need to do this for all string parameters that might contain special characters - esp. all user input.
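
The point of the answer above, carried over to placeholders, as an added example that is not code from the thread: PDO prepared statements are swapped in for mysql_real_escape_string (the mysql_* functions were removed in PHP 7), and an in-memory SQLite table stands in for the MySQL users table. The function names are made up for the illustration, and it assumes the pdo_sqlite extension is loaded.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with pdo_sqlite;
// an in-memory SQLite table stands in for the MySQL `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, firstname TEXT)');

// The pattern from the thread: user input is pasted into the SQL text.
function emailExistsConcatenated(PDO $db, string $email): bool
{
    $result = $db->query("SELECT COUNT(*) FROM users WHERE email='$email'");
    return (int) $result->fetchColumn() > 0;
}

// Placeholder version: the SQL text is fixed and the value travels as data.
function emailExistsBound(PDO $db, string $email): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = ?');
    $stmt->execute([$email]);
    return (int) $stmt->fetchColumn() > 0;
}

// Hypothetical registration helper: duplicate check plus insert, both bound.
function register(PDO $db, string $email, string $password, string $firstname): string
{
    // Decide on the row count returned by the lookup, not on the e-mail string.
    if (emailExistsBound($db, $email)) {
        return 'duplicate';
    }
    $stmt = $db->prepare('INSERT INTO users (email, password, firstname) VALUES (?, ?, ?)');
    // password_hash() is used instead of md5(); htmlspecialchars() is an
    // output-time HTML encoder and does nothing for SQL, so it is not applied here.
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT), $firstname]);
    return $stmt->rowCount() === 1 ? 'created' : 'failed';
}

// Constructed input: the string from the answer above, typed into the e-mail field.
$input = "' and 1='0";

// Register the same address twice, then look the stored row up both ways.
var_dump(register($db, $input, 'constructed-password', 'Test'));
var_dump(register($db, $input, 'constructed-password', 'Test'));
var_dump(emailExistsBound($db, $input));
var_dump(emailExistsConcatenated($db, $input));
```

The concatenated lookup reports the stored address as missing because the quote in the input rewrites the WHERE clause, while the bound lookup finds it as plain data.
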
thunderbox
Forum Newbie
Posts: 13
Joined: Wed Mar 07, 2007 4:06 pm

Post by thunderbox »

another question... my whole script goes through without trouble.. producing no mysql errors.. yet it does not insert the information into the database.. I've compared it to a registration script that works and I can't find any difference....

volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

Code: Select all

$query = "INSERT INTO users (email, password, firstname, lastname, country, age, signup_date) VALUES ('$email','$password','$firstname','$lastname','$country','$age',now())";
echo '<div>Debug: ', $query, "</div>\n";
$sql = mysql_query($query) or die (mysql_error());
echo '<div>Debug: # ', mysql_affected_rows(), "</div>\n";