0
```php
<?php

$uname=$_POST['uname'];
$pwd=$_POST['pwd'];
$result="";
echo($uname.'</br>');
echo($pwd);
$con=mysql_connect("localhost","root","");
mysql_select_db("user_login_test",$con);
$sql="SELECT * FROM userlogin WHERE username='".$uname."'";
if($result=mysql_query($sql))
{
echo($result);
echo("Extracted<br>");
}
else
{
echo("NOT Extracted");
}
while($row = mysql_fetch_array($result))
{
    echo $row['username'] . " " . $row['password'];
    echo "<br />";
}
?>
```

I am using the above code to extract values. If the username matches, it shows the value, but if I give wrong input text it also shows "Extracted" with no value. Why? Please help me.

eggyal
user1611964
  • **Your code is vulnerable to SQL injection.** You *really* should be using [prepared statements](http://stackoverflow.com/a/60496/623041), into which you pass your variables as parameters that do not get evaluated for SQL. If you don't know what I'm talking about, or how to fix it, read the story of [Bobby Tables](http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain). – eggyal Aug 25 '12 at 11:59
  • Also, as stated in [the introduction](http://www.php.net/manual/en/intro.mysql.php) to the PHP manual chapter on the `mysql_*` functions: *This extension is not recommended for writing new code. Instead, either the [mysqli](http://www.php.net/manual/en/book.mysqli.php) or [PDO_MySQL](http://www.php.net/manual/en/ref.pdo-mysql.php) extension should be used. See also the [MySQL API Overview](http://www.php.net/manual/en/mysqlinfo.api.choosing.php) for further help while choosing a MySQL API.* – eggyal Aug 25 '12 at 12:00
  • Please read more about SQL injections: http://stackoverflow.com/questions/11939226/sql-injections-and-adodb-library-general-php-website-security-with-examples/11941396 – Ilia Ross Sep 08 '12 at 17:14

2 Answers

2

As explained in the PHP manual entry for the mysql_query() function:

> For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

Your $result variable therefore holds a MySQL resource irrespective of whether there is a match on the username column: testing such a resource using if will always evaluate to TRUE (unless the query itself threw an error).

The manual goes on to explain:

> The returned result resource should be passed to mysql_fetch_array(), and other functions for dealing with result tables, to access the returned data.
>
> Use mysql_num_rows() to find out how many rows were returned for a SELECT statement or mysql_affected_rows() to find out how many rows were affected by a DELETE, INSERT, REPLACE, or UPDATE statement.

In your case, you could test using mysql_num_rows() to determine whether any records were returned by the query (i.e. whether the WHERE condition was satisfied).

eggyal
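An added example (not from the original posts) combining the two points above with PDO: the username is bound through a prepared statement, and "found" is decided by whether a row was fetched, not by whether the query ran. The in-memory SQLite database, the sample rows and the `findUser` helper are assumptions made so the script runs offline; for MySQL, open the connection with a `mysql:` DSN and credentials instead.

```php
<?php
// Added example: constructed table and rows. SQLite in memory stands in for
// the MySQL database so the script runs offline (assumption, not from the post).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userlogin (username TEXT PRIMARY KEY, password TEXT)');
$pdo->exec("INSERT INTO userlogin VALUES ('alice', 'constructed-hash-1'), ('bob', 'constructed-hash-2')");

/**
 * Hypothetical helper: returns the matching row, or null when no row matches.
 */
function findUser(PDO $pdo, string $uname): ?array
{
    // The value is bound as a parameter and never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT username FROM userlogin WHERE username = :uname');
    $stmt->execute([':uname' => $uname]);

    // fetch() returns false when the result set is empty. A successful
    // execute() alone says nothing about whether a row matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a match, a miss, and a value containing a quote character.
foreach (['alice', 'mallory', "o'reilly"] as $input) {
    $row = findUser($pdo, $input);
    // Escape user-controlled text before echoing it into HTML.
    echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'), ': ',
         $row === null ? 'NOT Extracted' : 'Extracted', "\n";
}
```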
0

You have written the wrong logic for extracting the username. I have modified your code; check it.

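```php
// Note: $uname is still concatenated into the query string here.
$sql="SELECT * FROM userlogin WHERE username='".$uname."'";
$result=mysql_query($sql);
// mysql_query() returns a resource even when no row matches (FALSE only on error),
// so count the returned rows instead of testing the resource itself.
if($result && mysql_num_rows($result)>0)
{
echo("Extracted<br>");
}
else
{
echo("NOT Extracted");
}
```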
Hkachhia
  • If you got the answer, could you please accept Harry's answer, just click the check mark (just look a little bit higher, right under voting) or read more here: http://meta.stackexchange.com/a/5235/195067 – Ilia Ross Sep 08 '12 at 17:19