N00b Stuck

[vanyok]

Hey everyone !I've just started learning PhP. Opened the book a few days ago for teh first time I gotta tell you, I love this language !!I need some help please.. I have a simple DATA input and verification script that I cannot get to work. Everythign seems right but when I run it I get: " Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource "Basiacally what I'm trying to do in this statement is to have the user enter the name and then verify that the info doesnt exist in the Database already.Thank you <?php//declaring registration fields$tfname=$_POST['TeacherFName'];$tlname=$_POST['TeacherLName'];$subject=$_POST['Subject'];//connecting to the database$db=mysql_connect("server","id","password");mysql_select_db("dbname",$db);//Verifying there are no duplicate names in the DB$result=mysql_query("SELECT * FROM teachers_info WHERE fname={$fname}",$db); $num=mysql_num_rows($result) or die(mysql_error());echo $num;if ($num!=0){echo"<p> Sorry, this first name already exist in the database</p>";}else// Inputing registration into into the DB, in teachers_info table{$sql="INSERT INTO $teachers VALUES('$tfname','$tlname','','','$subject')";$result=mysql_query($sql,$db);}?>Thank you in advance !

[justsomeguy]

There was an error with the SQL query, and so mysql_query did not return a result set, which triggered the error message you see from mysql_num_rows.It looks like there are 2 problems. The first one is that you save the first name in a variable called $tfname, and then later try to use $fname in the query. The second problem is that the database field is probably a text field, so you need quotes around the variable. Also, you will want to escape the string to prevent a SQL injection attack. Whenever you insert data in a SQL query that you got from $_GET, $_POST, $_COOKIE, or $_SESSION, always use mysql_real_escape_string to prevent a SQL injection attack. So, the query should look like this:$result=mysql_query("SELECT * FROM teachers_info WHERE fname='" . mysql_real_escape_string($tfname) . "'",$db);Those quotes look confusing, but they are laid out like this: fname=<single><double> . mysql... . <double><single><double>Make sure to use mysql_real_escape_string in your insert query later on as well.Ask if you have any questions.

[vanyok]

Thank you very much for your response ( changed it to : $result=mysql_query("SELECT * FROM teachers_info WHERE fname='". mysql_real_escape_string($tfname)."'",$db); ) Hmmm.. well the error message is gone but now I get just a blank screen What could be causing that ? I suppose to get the ammount of rows and then the info suppose to be added to the SQL DB. hmmm

[justsomeguy]

Well, it doesn't look like it is outputting anything if the operation succeeds. But if you intentionally enter a duplicate and don't see your echod statement, it might be the case that you have error reporting turned off (even though you did get that warning) and are getting an error. Try doing this:echo ini_get("display_errors"); and see if it outputs a 1 or a 0. If it is a 0, then you might be getting an error and not seeing the message. If that is the case, you can change that at the top of your page to see the error message:ini_set("display_errors", "1");

[vanyok]

Hmmmm.. the good part is that I'm learning a lot of new stuff :)The bad part is that it's still doesnt work and I can't figure out why.. they code seems to be correct.

echo $num;

Shoulnt this be outputting the amount of rows in that table ?Also, It's not adding any info to the database. I really appreciate your time looking at this Justsomeguy and others :)ps:echo ini_get("display_errors"); - returned 1ini_set("display_errors", "1"); - returned nothing

[justsomeguy]

Right, it should be displaying something. Is that your complete code? Can you paste the updated version?

[vanyok]

<html><head>Registration</head><title>Registration Page</title><body><?phpini_set("display_errors", "1");//declaring registration fields$tfname=$_POST['TeacherFName'];$tlname=$_POST['TeacherLName'];$subject=$_POST['Subject'];//connecting to the database$db=mysql_connect("server","id","pw");mysql_select_db("dbname",$db);//Verifying there are no duplicate names in the DB$result=mysql_query("SELECT * FROM teachers_info WHERE fname='". mysql_real_escape_string($tfname)."'",$db); $num=mysql_num_rows($result) or die(mysql_error());echo $num;if ($num!=0){echo"<p> Sorry, this first name already exist in the database</p>";}else// Inputing registration info into the DB, in teachers_info table{$sql="INSERT INTO $teachers VALUES('$tfname','$tlname','','','$subject')";$result=mysql_query($sql,$db);echo "Thank you $tfname";}?></body></html>If you want to check out HTML code of the actaul page with forms.. here

[vanyok]

/bump

[skym]

I don't see where $teachers is defined.Also use mysql_error() for the SELECT query too.

[justsomeguy]

That's probably a typo, it should probably beINSERT INTO teachersinstead of INSERT INTO $teachers

[vanyok]

Hmmmm.. I could've sworn that I had table name assigned to $teacherOnce again, thank you. I'll try it when get back home.. I bet that was it.

[reportingsjr]

I have one question:Dont people realise, that if you dont have the connect ina variable you dont need to call the variable inside queries and such? I mean, you could get hacked easier but that should all be solved with things like regex.

[justsomeguy]

I'm not following what you're saying. I think you're mentioning that you can do this:mysql_connect(...);mysql_select_db("...");mysql_query($sql);Without using and saving the return value from mysql_connect, which works fine. As far as I'm concerned, you would only store the connection if you are using multiple connections on the same page and need to differentiate.I'm not sure what you're saying about getting hacked and using regex though.

[reportingsjr]

ohhhhh, I see.Well I just thought that if someone tried to hack you, they wouldnt know what variable to use for connection.. otherwise they could just do it the way I was mentioning, thats why I mentioned using regex to replace all < and >

[justsomeguy]

If someone can run PHP on your server at all, then it really doesn't matter which variable you are using for a connection (if any), because you don't even need one to send a query to the database.It's always a good idea to replace < and >, but regex will be much slower at it then using str_replace.