I got this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\db.php on line 13

My PHP code is this:

<?php
//Database Info
$dbhost="localhost";
$dbuser="root";
$dbpass="something";
$dbname="somedb";
$table="users";
//Connect to Database
$con=mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname, $con);
$user=$_POST['user'];
$pass=$_POST['pass'];
$query = "SELECT * FROM $table WHERE Username=$user AND Password=$pass";//MySQL Query
$result=mysql_query($query, $con);//Line 13 ERROR
$numresults=mysql_num_rows($result);//Check The Number Of Results
if($numresults == 1)
{
    $handle=fopen("boxsite.html", "a+");
    $contents=fread($handle, filesize("boxsite.html"));
    fclose($handle);
    echo $contents;
}
else
{
    $handle=fopen("LoginFail.html", "r");
    $contents=fread($handle, filesize("LoginFail.html"));
    fclose($handle);
    echo $contents;
}
?>

I searched numerous times but I can't find what's wrong with my query. Please help me.

All 6 Replies

Enclose strings between quotes:

$query = "SELECT * FROM $table WHERE Username='".$user."' AND Password='".$pass."'";

Mmm, I think there's a problem with your query.
Try echoing the query like this:

echo $query;

Does it read the $user and $pass variables?
If it does not read those variables, you can change the query syntax like this:

$query = "SELECT * FROM $table WHERE Username='$user' AND Password='$pass'";

Enclose strings between quotes:

$query = "SELECT * FROM $table WHERE Username='".$user."' AND Password='".$pass."'";

Thank you so much, that fixed it. I would never understand where the problem was though. I have never seen a syntax like this. Quotes, double quotes and full stops. I know the problem is gone but could you please explain why it is like this? You see, I want to learn the correct way by understanding it and not by heart. Thank you in advance :)

Strings, values (except numeric) in SQL must be enclosed in quotes. Quotes delimit the string content so that the interpreter is not confused, because a string can contain spaces and non-alphanumeric characters.

You started the SQL sentence with double quotes, so it's important to end it with the same quotes. After the sentence I use dots to concatenate (join) variable results and add another portion of text (like a single quote to end the string).

If that code is a login script, I suggest using mysql_real_escape_string() on the SQL query variables to avoid a common vulnerability called MySQL injection. This function will convert the quotes that can be used in the username field so the user cannot rewrite the SQL query.

More details:

http://php.net/mysql_real_escape_string

Well, if I understood correctly, what you said was that the single quotes (' ') you use come from the SQL syntax and are used for strings, and the double quotes (" ") with the dots come from PHP and join variables that we want to display with other text. Now because we write a PHP script and it contains an SQL query we use them together?
Oh, and thanks for the tip!

That's correct. There are better methods to show the code in a more readable way, e.g. using sprintf() like in the PHP.net mysql_real_escape_string() reference, curly braces on variables, or doing the escaping before the SQL query: $user=mysql_real_escape_string($_POST['user']);
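
The query forms discussed in this thread, run side by side as an added example that is not part of the original posts: unquoted, quoted, quoted and escaped, and bound parameters, each checked for failure before rows are counted. It assumes PHP 7.1+ with pdo_sqlite; PDO, the in-memory SQLite table, the helper names countRows and countRowsBound and the sample logins are assumptions of this example, standing in for the thread's mysql_* functions, which were removed in PHP 7.

```php
<?php
// Added example: constructed table and inputs. PDO with in-memory SQLite stands
// in for the thread's mysql_* calls so the script runs offline.
$db = new PDO('sqlite::memory:');
// Failures return false instead of throwing, as mysql_query() did.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
$db->exec("CREATE TABLE users (Username TEXT, Password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'secret'), ('O''Brien', 'hunter2')");

// Run a query built as a string and report what came back.
function countRows(PDO $db, string $sql): string
{
    $result = $db->query($sql);
    if ($result === false) {   // the check the original script lacked
        return 'query failed: ' . $db->errorInfo()[2];
    }
    return count($result->fetchAll()) . ' row(s)';
}

// Same lookup with bound parameters: values never become part of the SQL text.
function countRowsBound(PDO $db, string $user, string $pass): string
{
    $stmt = $db->prepare('SELECT * FROM users WHERE Username = ? AND Password = ?');
    $stmt->execute([$user, $pass]);
    return count($stmt->fetchAll()) . ' row(s)';
}

$logins = [['alice', 'secret'], ["O'Brien", 'hunter2']];   // constructed inputs
foreach ($logins as [$user, $pass]) {
    echo "user: $user\n";
    // 1. Original form: unquoted values are parsed as column names.
    echo '  unquoted: ', countRows($db, "SELECT * FROM users WHERE Username=$user AND Password=$pass"), "\n";
    // 2. Quoted form from the replies: works until a value contains a quote.
    echo '  quoted:   ', countRows($db, "SELECT * FROM users WHERE Username='$user' AND Password='$pass'"), "\n";
    // 3. Quoted and escaped, the role mysql_real_escape_string() plays in the thread.
    $sql = sprintf("SELECT * FROM users WHERE Username=%s AND Password=%s", $db->quote($user), $db->quote($pass));
    echo '  escaped:  ', countRows($db, $sql), "\n";
    // 4. Bound parameters.
    echo '  bound:    ', countRowsBound($db, $user, $pass), "\n";
}
```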
