I am trying to see if there is a match from a form to my database. here is my php code:
<?php
$host="localhost"; // Host name
$username="****"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="public"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$door=$_POST['door'];
$postcode=$_POST['postcode'];
// To protect MySQL injection (more detail about MySQL injection)
$door = stripslashes($door);
$postcode = stripslashes($postcode);
$door = mysql_real_escape_string($door);
$postcode = mysql_real_escape_string($postcode);
$sql="SELECT * FROM $tbl_name WHERE door ='$door' AND postcode='$postcode' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
header("location:securityquestion.php");
}
?>
the error message i am getting is as follows:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/jahedhus/public_html/system/checkdetails.php on line 36
line 36 is $count=mysql_num_rows($result);
what am i doing wrong here?
Because, just like many, many others here, the code blindly assumes that the query succeeded and everything is fine. Check for errors after each operation. Most of the functions return false when they fail.
Because your query failed.
php.net/mysql-query: "For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error."
Try this:
$result=mysql_query($sql) or die(mysql_error());
You need to do two things:
Find out what the MySQL error is, as already suggested
$result=mysql_query($sql) or die(mysql_error());
You need to sanitize everything that goes into the query. Although you sanitize $door and $postcode, you don't sanitize $_SESSION['ref']. You should and run it through mysql_real_escape_string(). I don't know what you are storing in it, but perhaps that's where the code is breaking because of unescaped characters?
In theory I guess $_SESSION is stored server side, but personally I still wouldn't trust it, and I'd escape everything that goes into a MySQL query.
I think answer lies in the curly braces:
$sql="SELECT * FROM $tbl_name WHERE door ='{$door}' AND postcode='{$postcode}' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);
Related
Anyone can help me pls!
This code supposed to compare between the passkey from the confirmation email and the confirm_code from the database and if the two value are identical it update "verified" row from null to 1.
Thank you and sorry for my english :/
//Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect to server");
mysql_select_db("$db_name")or die("cannot select DB");
$passkey=$_GET['passkey'];
$confirm_code=$_GET['confirm_code'];
if($confirm_code == '$passkey';){
$sql1="UPDATE $tbl_name SET verified='1' WHERE $confirm_code ='$passkey'";
echo "Confirmation code verified!!!";
}
else {
echo "Wrong Confirmation code";
}
?>
Change if($confirm_code == '$passkey';){ to if($confirm_code == "$passkey"){
Also notice the double quotes around $passkey.
Check your syntax first, maybe this is the problem here :
if($confirm_code == "$passkey"){
Are you not supposed to retrieve first the passkey from database then compare it with the one GET from URL ? Here you use GET for both of them.
You have an incorrect SQL statement
$sql1="UPDATE $tbl_name SET verified='1' WHERE $confirm_code ='$passkey'";
That $confirm_code should be confirm_codeand should correspond to the column in your table having the stored key. So you will be simply updating the record where the passed key is equal to the stored key.
i know this is a beginner's question .I am working on a bloodbank database project with html,php and mysql. Here as an administrator,i am trying to send messages to users.At first i am trying to see if the user with the username is present in the database.if he is present i am inserting the username and messages into the table called usermessages But i am not able to insert the data.i am getting the message "message sent successfully",but in reality it is not getting updated in the database.So here is my code,i can assure all that no spelling mistake is present in database or in phpcode.
<?php
session_start();
$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="bloodbank"; // Database name
$tbl_name="users"; // Table name
$tblname="usermessages";
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and messages is sent from form
$username=$_POST['username'];
$sql="SELECT * FROM $tbl_name WHERE username='$username'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
if($count==1)
{
$mysql="INSERT INTO tblname(username, messages)
VALUES
('$_POST[username]','$_POST[messages]')";
echo "Message Sent Successfully";
}
else
{
echo "No user with that username found in the database";
}
?>
Try to execute the query
$mysql="INSERT INTO $tblname(username, messages)
VALUES ('$_POST[username]','$_POST[messages]')";
$return = mysql_query($my_sql);
echo "Message Sent Successfully";
You just forgotted to execute this insert query
And my advice is dont use mysql_* functions as they are depricated,use either mysqli_* functions or PDO Statements,and while you are playing with the post variables try to escape them like
mysql_real_escape_string($_POST['messages']);
Your query is good but you haven't executed it. Use mysql_query to execute your query.
Second please be careful about sql injection. Your code is shouting that come and hack me.
http://jsfiddle.net/Fd9wx/
I made this to help solve my problem
so I have some php code and html code that should send sql Query's to the database upon the html table I have created like to set up new databases but then I fill out my form and click run it does not want to work for me. I did some google research and got nothing back now before you say "use PDO and This is no longer supported" PDO is hard for me to use because I dont understand some of it I will use it later on but not now, also I did make this script here from hand so dont say "contact script dev" if some one could point me in right direction to solving my problem or just way to make my sql errors show in my script? like the line what to remove and all
here is main part of my script
$tablename=$_POST['tablename'];
$value=$_POST['value'];
$type=$_POST['type'];
$length=$_POST['length'];
$collation=$_POST['collation'];
$attributes=$_POST['attributes'];
$null=$_POST['null'];
$extra=$_POST['extra'];
// Insert data into mysql
$sql="CREATE TABLE `a7972613_db`.`$tablename` (
`field1` $type( $length ) $null $extra
) ENGINE = MYISAM";
$result=mysql_query($sql);
// if successfully insert data into database, displays message "Successful".
if($result){
echo "Successful";
}
else {
echo "Please Go Back And Check Your Errors!";
}
thats my main part
The problem with your code is you have not selected the database.
$host = "xxxxx";
$database = "xxxxx";
$user = "xxxx";
$password = "xxxxx";
// Connect to server and select database.
mysql_connect("$host", "$user", "$password")or die("cannot connect");
Use below code for selecting database
// Connect to server and select database.
$conn = mysql_connect("$host", "$user", "$password")or die("cannot connect");
mysql_select_db($database,$conn);
and another problem is when your query fails, you have hardcoded the error,but use below code for checking where is the problem in your query
$result=mysql_query($sql) or die(mysql_error());
Change your query to
$result = mysql_query($sql) or die("Error with $sql: " . mysql_error());
with mysql_error(), you will see what your problem is.
You can dump your $sql string in order to see, whether it is correct
echo $sql;
Hi
I have two mysql problems
a) I'm confused on why this code won't add data to my database:
$con = mysql_connect("localhost","username","password");
mysql_select_db("database", $con);
$sql="INSERT INTO Table ('adder', 'username')
VALUES('$myusername','$username1')";
mysql_query( $sql, $con ) or trigger_error( mysql_error( $con ), E_USER_ERROR );
here is the full error: "you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Add (username, name, number) VALUES('56', 'Name', 'number')' at line 1"
and before you ask, yes the data is there
b) I'm having problems with mysql_fetch_array
This is the code:
mysql_connect("$host", "$mysqlusername", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$sql = "SELECT * FROM Add WHERE adder=\"$username\"";
$result=mysql_query($sql);
$row=mysql_fetch_array($result);
if (empty($row)) {
echo "$username hasn\'t added anyone";
}
else {
while($row = mysql_fetch_array($result)){
echo "<".$row[username]."";
}
}
The error here is:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in....
And yes the data is there on the database aswell..
Any ideas??
Thanks for the help :)
Niall
a) You really should have included the complete error, but I'm fairly certain the syntax error is that you are attempting to put the names of columns in single quotes, which is not allowed. You should instead use backticks (the key to the left of "1" on your keyboard):
$sql="INSERT INTO Table (`adder`, `username`)
VALUES('$myusername','$username1')";
b) Again, please include the full error. That warning occurs when the mysql_query function fails, since $result is just the value false instead of a MySQL resource. What is the value of $username when you get that error? It's likely something is causing the query to be invalid.
You should have said "INSERT INTO TABLE `Add`(`adder`, `username`)"
and Add should be enclosed in backticks (`) because it could be a reserved word, and you shouldn't name a table like that.
I have the below code that i am wanting to into certain files so that when someone visits this "certain" file they get banned if they are not allready. but for some reason it is not adding new visitors into the database, if i add a user manually it works fine and echo's Banned! but otherwise it just echo's the $sql query but does not actually do it.
<?php
$host=""; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="banlist"; // Database name
$tbl_name="list"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// Define $myusername and $mypassword
$ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
$sql="SELECT * FROM $tbl_name WHERE ip='$ip'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if ($count==0){
$sql="INSERT INTO $tbl_name (`id` ,`ip`) VALUES (NULL , $ip)";
mysql_query($sql);
echo $sql;
//header("location:index.html");
} else {
// Register $myusername, $mypassword and redirect to file "login_success.php"
//header("location:index.html");
echo "banned!";
exit();
}
?>
Have you double-checked that your MySQL account has the INSERT privilege?
You'll also find that things go more smoothly if you always check the return value of mysql_query(). While you're developing, you could change these lines (from the end of your snippet):
mysql_query($sql);
echo $sql;
... to this:
$result = mysql_query($sql);
if($result === FALSE) {
echo 'INSERT failed with this error: '.mysql_error();
} else {
echo 'INSERT succeeded';
}
Also if you're not yet familiar with SQL injection, you'll want to become familiar with it. Your code is currently vulnerable to this kind of attack, because it doesn't filter input (the HTTP headers where you're looking for an IP address) and it doesn't escape output (the variable portion of your dynamically-constructed SQL queries).
just few remarks
$sql="SELECT * FROM $tbl_name WHERE ip='$ip'";
$result=mysql_query($sql);
wouldn't be better to do a
$sql="SELECT count(*) FROM $tbl_name WHERE ip='$ip'";
$result=mysql_query($sql);
since you don't use that data.
$sql="INSERT INTO $tbl_name (`id` ,`ip`) VALUES (NULL , '$ip')";
mysql_query($sql);
if your id is an auto increment you don't have to include it
$sql="INSERT INTO $tbl_name (`ip`) VALUES ('$ip')";
mysql_query($sql);
You should quote $ip since it's probably a varchar in your table.
Since an ip address should be a sort of unique identifier you have better to use the IP as primary key.
last point checking for results of mysql_query would be a good pratice, like there
$sql="INSERT INTO $tbl_name (`ip`) VALUES ($ip)";
$ret = mysql_query($sql);
if (!$ret) {
die('Invalid query: ' . mysql_error());
}
I think it would give you valuable information about what is happening. in that case it would probably say you have an error near the IP address (because of the missing quotes).