mintsmike
Forum Newbie
Posts: 3 Joined: Fri Mar 20, 2009 2:23 am
by mintsmike » Sat May 09, 2009 8:12 am
Can I ask what is wrong with the following code? I have studied it to try and find any errors in my code, but there were none. On my page it says 'Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /home/casiodev/public_html/Downloads/downModule.php on line 36'
if(!empty($_GET["calc"]) && !empty($_GET["type"]) && empty($_GET['id'])) {
    $calc = $_GET["calc"];
    $type = $_GET["type"];
    mysql_connect("localhost","casiodev_admin","********");
    mysql_select_db("casiodev_web");
    $query = "SELECT * FROM downloads WHERE 'calc' = %$calc% AND 'type'=%$type% ";
    $result = mysql_query($query);
    $num = mysql_numrows($result); // I have isolated the problem to this line
    $i=0;
    $top="135px";
    echo "<div class=\"stdDiv\" style=\"left:11%;top:$top;height:300px;width:88%;\">";
    echo "Calc: $calc <br />Type: $type";
    while( $i < $num ) {
        $name=mysql_result($result, $i, "name");
        $description=mysql_result($result, $i, "description");
        $downURL=mysql_result(result, $i, "downloads");
        $author=mysql_result($result, $i, "uploader");
        echo "<br />New Record<br />Name: $name<br />";
        /*echo "Name: $name <br />";
        echo "Description: $description <br />";
        echo "Download URL: $downURL <br />";
        echo "Program Author: $author <br />";
        */$i++;
    }
    echo "</div>";
}
Thanks in advance for your help
Regards
Last edited by Benjamin on Sat May 09, 2009 10:05 am, edited 1 time in total.
Reason: Changed code type from text to php.
mickd
Forum Contributor
Posts: 397 Joined: Tue Jun 21, 2005 9:05 am
Location: Australia
by mickd » Sat May 09, 2009 8:21 am
Try using mysql_num_rows instead (with the _), though if the other one is equivalent, that won't solve the problem.
Chances are there's an error in your sql string. Try using this instead:
$query = "SELECT * FROM downloads WHERE calc='$calc' AND type='$type'";
jazz090
Forum Contributor
Posts: 176 Joined: Sun Apr 12, 2009 3:29 pm
Location: England
by jazz090 » Sat May 09, 2009 8:22 am
Change line 7 to:
$query = "SELECT * FROM downloads WHERE calc = ".$calc." AND type=".$type;
kaisellgren
DevNet Resident
Posts: 1675 Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.
by kaisellgren » Sat May 09, 2009 8:42 am
Your script is vulnerable to SQLi. Make sure you implement proper escaping.
jazz090 wrote:
$query = "SELECT * FROM downloads WHERE calc = ".$calc." AND type=".$type;
That code is not secure even if you escape those values, because they need to be enclosed within quotes to separate the values from the SQL structure.
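The following is an added example (editor's code, not posted by anyone in this thread) that puts the three points made above side by side: mickd's quoted-but-concatenated string, jazz090's unquoted string with an escaping step applied, and a prepared statement. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs without a MySQL server; against MySQL the DSN would be "mysql:host=localhost;dbname=casiodev_web" and the query functions are unchanged. The table and column names follow the thread; the three rows and the two payload strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands in
// for the MySQL database so the script runs offline; the query code is the
// same for a "mysql:" DSN. Rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE downloads (calc TEXT, type TEXT, name TEXT,
           description TEXT, downloads TEXT, uploader TEXT)');
$ins = $db->prepare('INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?)');
$ins->execute(['fx9860', 'game', 'Tetris', 'Falling blocks',  '/dl/tetris.g1a', 'alice']);
$ins->execute(['fx9860', 'math', 'Solver', 'Equation solver', '/dl/solver.g1a', 'bob']);
$ins->execute(['cp400',  'game', 'Snake',  'Classic snake',   '/dl/snake.cpa',  'carol']);

// Stand-in for an escaping step: doubling single quotes is what an escaping
// function does to stop a quote inside the value from closing the literal.
function escapeQuotes(string $s): string {
    return str_replace("'", "''", $s);
}

// 1. mickd's corrected string, values still concatenated into the SQL text.
//    Both values come straight from $_GET, so an attacker controls them.
function concatenatedQuery(PDO $db, string $calc, string $type): array {
    $sql = "SELECT name FROM downloads WHERE calc='$calc' AND type='$type'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. jazz090's unquoted form with escaping applied, to show kaisellgren's
//    point: with no quotes around the value, escaping quotes is irrelevant,
//    because the payload needs no quote to change the SQL structure.
function unquotedEscapedQuery(PDO $db, string $calc, string $type): array {
    $sql = "SELECT name FROM downloads WHERE calc = '" . escapeQuotes($calc)
         . "' AND type = " . escapeQuotes($type);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the SQL text is fixed before the values are bound,
//    so quotes, spaces and operators inside $type stay plain data.
function preparedQuery(PDO $db, string $calc, string $type): array {
    $stmt = $db->prepare('SELECT name FROM downloads WHERE calc = ? AND type = ?');
    $stmt->execute([$calc, $type]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$normal          = 'game';          // what a legitimate ?type= parameter looks like
$quotedPayload   = "x' OR '1'='1";  // constructed payload for case 1: closes the quote
$unquotedPayload = '0 OR 1=1';      // constructed payload for case 2: needs no quote

print_r(concatenatedQuery($db, 'fx9860', $normal));             // the legitimate match
print_r(concatenatedQuery($db, 'fx9860', $quotedPayload));      // WHERE is now always true: every row
print_r(unquotedEscapedQuery($db, 'fx9860', $unquotedPayload)); // escaping changed nothing: every row
print_r(preparedQuery($db, 'fx9860', $quotedPayload));          // no row has that literal type value
```

Two practical notes. With a real MySQL DSN, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared server-side rather than quoted client-side by the driver; the old `mysql_*` extension used in the original post has no prepared statements at all and was removed in PHP 7, so mysqli or PDO is the route either way. Separately, the warning in the original post is what `mysql_numrows()` emits when handed `false`, which is what `mysql_query()` returns on a SQL error; checking that return value (and `mysql_error()`) before counting rows would have pointed straight at the malformed query.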
jazz090
Forum Contributor
Posts: 176 Joined: Sun Apr 12, 2009 3:29 pm
Location: England
by jazz090 » Sat May 09, 2009 8:46 am
Yes, I know it's prone to attacks; I was just writing it the same way that mintsmike did.