
A Problem - Mysql_numrows() function

Posted: Sat May 09, 2009 8:12 am
by mintsmike
Can I ask what is wrong with the following code? I have studied it to try and find any errors in my code but there were none. On my page it says 'Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in /home/casiodev/public_html/Downloads/downModule.php on line 36'.

Code:

if(!empty($_GET["calc"]) && !empty($_GET["type"]) && empty($_GET['id'])) {
    $calc = $_GET["calc"];
    $type = $_GET["type"];
    
    mysql_connect("localhost","casiodev_admin","********");
    mysql_select_db("casiodev_web");
    $query = "SELECT * FROM downloads WHERE 'calc' = %$calc% AND 'type'=%$type% ";
    $result = mysql_query($query);
    $num = mysql_numrows($result);    // I have isolated the problem to this line
    $i=0;
    $top="135px";
    
    echo "<div class=\"stdDiv\" style=\"left:11%;top:$top;height:300px;width:88%;\">";
    echo "Calc: $calc <br />Type: $type";
    while( $i < $num ) {
        $name=mysql_result($result, $i, "name");
        $description=mysql_result($result, $i, "description");
        $downURL=mysql_result($result, $i, "downloads");
        $author=mysql_result($result, $i, "uploader");
        echo "<br />New Record<br />Name: $name<br />";
        /*echo "Name: $name <br />";
        echo "Description: $description <br />";
        echo "Download URL: $downURL <br />";
        echo "Program Author: $author <br />";
        */$i++;
    }
    echo "</div>";
}  

Thanks in advance for your help

Regards

Re: A Problem - Mysql_numrows() function

Posted: Sat May 09, 2009 8:21 am
by mickd
Try using mysql_num_rows instead (with the _), though if the other one is equivalent, that won't solve the problem.

Chances are there's an error in your SQL string. Try using this instead:

Code:

 
$query = "SELECT * FROM downloads WHERE calc='$calc' AND type='$type'";
 

Re: A Problem - Mysql_numrows() function

Posted: Sat May 09, 2009 8:22 am
by jazz090
Change line 7 to:

Code:

$query = "SELECT * FROM downloads WHERE calc = ".$calc." AND type=".$type;

Re: A Problem - Mysql_numrows() function

Posted: Sat May 09, 2009 8:42 am
by kaisellgren
Your script is vulnerable to SQLi. Make sure you implement proper escaping.

jazz090 wrote:

Code:

$query = "SELECT * FROM downloads WHERE calc = ".$calc." AND type=".$type;

That code is not secure even if you escape those values, because they need to be enclosed within quotes to separate the values from the SQL structure.
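
The quoting point made in the post above, as an added example that is not part of the original thread. It assumes PHP with the pdo_sqlite extension so that it runs against an in-memory database instead of a MySQL server; the `downloads` rows are constructed sample data and the helpers `escape_only`, `find_unquoted`, `find_quoted` and `find_prepared` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite extension;
// the table contents below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE downloads (name TEXT, calc TEXT, type TEXT)");
$db->exec("INSERT INTO downloads VALUES ('Tetris', 'fx9860', 'game')");
$db->exec("INSERT INTO downloads VALUES ('Solver', 'cfx', 'math')");

// Hypothetical stand-in for an escaping function: it escapes quote characters only.
function escape_only(string $v): string {
    return str_replace("'", "''", $v);
}

// Escaped but NOT quoted, like the concatenated query quoted in the post above.
function find_unquoted(PDO $db, string $calc, string $type): array {
    $sql = "SELECT name FROM downloads WHERE calc = " . escape_only($calc)
         . " AND type = " . escape_only($type);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped AND enclosed in quotes: the input can only be read as a string value.
function find_quoted(PDO $db, string $calc, string $type): array {
    $sql = "SELECT name FROM downloads WHERE calc = '" . escape_only($calc)
         . "' AND type = '" . escape_only($type) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Prepared statement: the values travel separately from the SQL text.
function find_prepared(PDO $db, string $calc, string $type): array {
    $stmt = $db->prepare("SELECT name FROM downloads WHERE calc = ? AND type = ?");
    $stmt->execute([$calc, $type]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input with no quote characters, so escaping leaves it unchanged.
// Unquoted, the SQL text reads "calc = calc AND type = type": column names, not values.
[$calc, $type] = ["calc", "type"];
var_dump(find_unquoted($db, $calc, $type));
var_dump(find_quoted($db, $calc, $type));
var_dump(find_prepared($db, $calc, $type));
var_dump(find_prepared($db, "fx9860", "game"));

// A failed query has to be handled instead of being passed on to a row count.
try {
    find_unquoted($db, "fx9860", "game");  // unquoted text is parsed as column names
} catch (PDOException $e) {
    echo "Query failed: ", $e->getMessage(), "\n";
}
```

With the sample input, only the unquoted version treats the request values as part of the SQL structure; the quoted and prepared versions compare them as plain strings.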

Re: A Problem - Mysql_numrows() function

Posted: Sat May 09, 2009 8:46 am
by jazz090
Yes, I know it's prone to attacks; I was just writing it the same way that mintsmike did.