Page 1 of 1

mysql_num_rows trouble

Posted: Fri Mar 16, 2007 6:49 am
by thunderbox
hey im new to PHP, well kinda new. im not very good, put it that way :)

im having trouble witht his registration script.. it says when i run it "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in D:\Program Files\xampp\htdocs\stuff\registration_script\registration.php on line 29"

here is the whole code.. sorry about the comments, i got bored when writing it :)

Code: Select all

<?php

// include all the database stuff becuase it is needed

include 'database_connect.php';
include 'config.php';

// Get the variables

$email = $_POST['email'];
$password = $_POST['password'];
	$password = md5($password);
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$country = $_POST['country'];
$age = $_POST['age'];

// change the variables to strip the strings

$password = htmlspecialchars($password);
$firstname = htmlspecialchars($firstname);
$lastname = htmlspecialchars($lastname);
$email = htmlspecialchars($email);
$age = htmlspecialchars($age);

// check for people int he database that are already there (unlikely becuase of the email stuff)

$sql_email_check = mysql_query("SELECT email FROM users	WHERE email='$email'");
$email_check = mysql_num_rows($sql_email_check);   // ------------- LINE 29 -----------

if ($email=="0") {

// This is where we put <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span> int he database because me are mad cool

$sql = mysql_query("INSERT INTO users (email, password, firstname, lastname, country, age, signup_date) VALUES ('$email','$password','$firstname','$lastname','$country','$age',now())")
	or die (mysql_error());

} else {

// the dumbass tried to create 2 accounts using one email adress... what a tool!

echo 'THE EMAIL ALREADY EXISTS... YOU ARE ONLY ALLOWED 1 ACCOPUNT PER EMAIL... CREATE ANOTHER EMAIL!';
}

// check if the <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span> went into the database without any problems

if(!$sql) {
	echo 'THE DATABASE IS SCREWED, TRY AGAIN OR EMAIL ADMIN';
} else {

// it went in without problems so this makes the main page of the site turn up in the little thing with the thing!

echo 'welcome the the site! you can now log in!';
include 'main_page.php';
}
?>
thanx for your help :)

Posted: Fri Mar 16, 2007 7:00 am
by volka
try

Code: Select all

// check for people int he database that are already there (unlikely becuase of the email stuff)

$sql_email_check = mysql_query("SELECT email FROM users WHERE email='$email'") or die(mysql_error());
$email_check = mysql_num_rows($sql_email_check);
and take a look at http://de.php.net/security.database.sql-injection

Posted: Fri Mar 16, 2007 7:17 am
by thunderbox
i did that.. i should have thought of it.. it said i hadn't selected the database.. so i did and now it if fixed... except it puts all the "error" messages on the screen before i even try and fill int he form.. ah well ill try figure it out.. thankyou

BTW.. where do i put the mysql_real_escape ??

Posted: Fri Mar 16, 2007 7:32 am
by volka
if e.g. I enter ' and 1='0 in the email field you have something like

Code: Select all

// $email = $_POST['email'];
$email = "' and 1='0";
$query = "SELECT email FROM users WHERE email='$email'";
echo $query, "<br />\n"
prints
SELECT email FROM users WHERE email='' and 1='0'
And no record will ever match this WHERE condition. What was supposed to be data "escaped" and became control code.

Code: Select all

<?php
$mysql = mysql_connect('localhost', 'localuser', 'localpass');
mysql_select_db('test', $mysql);

$email = mysql_real_escape_string("' and 1='0", $mysql);
$query = "SELECT email FROM users WHERE email='$email'";
echo $query, "<br />\n"
?>
SELECT email FROM users WHERE email='\' and 1=\'0'
mysql_real_escape_string marks all characters that might have special meaning in a query as "no special meaning, just the character".
You need to do this for all string parameters that might contain special characters - esp. all user input.

Posted: Sat Mar 17, 2007 8:48 pm
by thunderbox
another question... my whole script goes through without trouble.. producing no mysql errors.. yet it does not insert the information into the database.. ive compared it to a registration script that works and i cant find any differece....

Posted: Sun Mar 18, 2007 5:12 am
by volka

Code: Select all

$query = "INSERT INTO users (email, password, firstname, lastname, country, age, signup_date) VALUES ('$email','$password','$firstname','$lastname','$country','$age',now())";
echo '<div>Debug: ', $query, "</div>\n";
$sql = mysql_query($query) or die (mysql_error());
echo '<div>Debug: # ', mysql_affected_rows(), "</div>\n";