Guest borgen44 Posted August 14, 2009

Hello, I got a problem with mysql_num_rows in my code, it won't count the rows. I get this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\www\TESTS\test login\class.php on line 17

My total code of the file is:

```php
<?php
session_start(); // required before $_SESSION can be written
require("config.php");

$con = mysql_connect(DB_HOST, DB_USER, DB_PASS);
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

if (isset($_GET["function"]) && $_GET["function"] == "LogIn") {
    mysql_select_db(DB_NAME, $con) or die('Could not find Database: ' . mysql_error());
    $username = $_POST['username'];
    $password = md5($_POST['password']);
    $login_result = mysql_query("SELECT * FROM USER_DB_TABLE WHERE username='$username' and password='$password'", $con);
    $count = mysql_num_rows($login_result);
    if ($count == 1) {
        // mysql_query() returns a result resource, not a row; fetch the row first
        $row = mysql_fetch_assoc($login_result);
        $_SESSION['username'] = $row['username'];
        $_SESSION['password'] = $row['password'];
        $_SESSION['rank'] = $row['rank'];
        header("location:index.php");
    } else {
        echo "Wrong Username or Password";
    }
} else {
    header("location:login.php");
}
mysql_close($con);
?>
```
Ingolme Posted August 14, 2009

It means that something in your query is wrong. Maybe there's no 'username' or 'password' field, or the strings have invalid characters such as apostrophes in them.

Because you're not sanitizing your variables, people could use your application to hack the database.

Echo the query and see what it shows:

```php
echo "SELECT * FROM USER_DB_TABLE WHERE username='$username' and password='$password'";
```
chibineku Posted August 14, 2009

Speaking of sanitizing, is using htmlspecialchars($string) enough? When I read the variables, I have learned (from my book) to also stripslashes()... is the combination enough (in conjunction with some kind of regular expression to match valid e-mail addresses, etc.)?
Ingolme Posted August 15, 2009

> Speaking of sanitizing, is using htmlspecialchars($string) enough? When I read the variables, I have learned (from my book) to also stripslashes()... is the combination enough (in conjunction with some kind of regular expression to match valid e-mail addresses, etc.)?

You only need htmlspecialchars() if you're going to display the information on an HTML page.

You would not strip slashes, you'd actually have to add them if you want the query to be safe. But rather than addslashes(), use mysql_real_escape_string(). It is safer because it checks the database character encoding. Don't use them both at the same time, though, because then you'll get extra slashes in the database.
chibineku Posted August 15, 2009

I will likely be outputting the information in an HTML page at some point. So, use either htmlspecialchars() or mysqli_real_escape_string() OR use either addslashes() or mysqli_real_escape_string()? I think you mean the latter, but it's worth checking.
Ingolme Posted August 15, 2009

> I will likely be outputting the information in an HTML page at some point. So, use either htmlspecialchars() or mysqli_real_escape_string() OR use either addslashes() or mysqli_real_escape_string()? I think you mean the latter, but it's worth checking.

The ones you don't use together are addslashes() and mysql_real_escape_string(). This is why. Given this string:

"Example sentence testing PHP's functions"

Passed through addslashes():

\"Example sentence testing PHP\'s functions\"

And then passed through mysql_real_escape_string():

\\\"Example sentence testing PHP\\\'s functions\\\"

Therefore, you should only use one of the functions. And since the text is being prepared for a database, mysql_real_escape_string is more appropriate.

htmlspecialchars is recommended as long as you're going to put the database information on an HTML page, so that visitors can't add extra HTML to your page.
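Example code added here, not from any poster in this thread: the same login flow written against mysqli with a prepared statement, which is the current equivalent of the mysql_real_escape_string() advice above (the old mysql_* extension no longer exists in PHP 7+). Binding the values keeps them out of the SQL text, so neither addslashes() nor escaping is needed and double-escaping cannot occur; the query result is checked before rows are counted; and htmlspecialchars() is applied only at output. It assumes, as the thread does, that config.php defines DB_HOST, DB_USER, DB_PASS and DB_NAME and that USER_DB_TABLE has username, password and rank columns.

```php
<?php
// Added example, not the original poster's code: login with mysqli prepared
// statements so user input never becomes part of the SQL text, the query result
// is checked before rows are counted, and HTML escaping happens only at output.
// Assumed from the thread: config.php defines DB_HOST, DB_USER, DB_PASS,
// DB_NAME, and USER_DB_TABLE has columns username, password and rank.
session_start();
require 'config.php';
$con = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if (!$con) {
    die('Could not connect: ' . mysqli_connect_error());
}
mysqli_set_charset($con, 'utf8mb4'); // escaping rules depend on the connection charset
if (($_GET['function'] ?? '') !== 'LogIn') {
    header('Location: login.php');
    exit;
}
$username = $_POST['username'] ?? '';
// md5 kept only to match the thread's schema; password_hash()/password_verify()
// is the modern way to store and check passwords.
$password = md5($_POST['password'] ?? '');
// Placeholders (?) are filled from bound variables, so an apostrophe in the
// input can neither break the query (the cause of the "not a valid MySQL
// result resource" warning) nor change its logic.
$stmt = mysqli_prepare($con,
    'SELECT username, rank FROM USER_DB_TABLE WHERE username = ? AND password = ?');
if (!$stmt) {
    die('Query failed: ' . mysqli_error($con)); // never count rows of a failed query
}
mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
if (mysqli_stmt_num_rows($stmt) === 1) {
    mysqli_stmt_bind_result($stmt, $dbUsername, $dbRank);
    mysqli_stmt_fetch($stmt);
    $_SESSION['username'] = $dbUsername; // the password hash does not belong in the session
    $_SESSION['rank'] = $dbRank;
    header('Location: index.php');
    exit;
}
// Output side: escape for HTML here, not when the value is stored.
echo 'Wrong username or password for '
   . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
mysqli_stmt_close($stmt);
mysqli_close($con);
```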