So I have this code to pass items from the database to my order table. When I echo the session, the session variable contains something, so there's no problem with that. But when I echo those variables under numrows, it shows nothing. Is there something wrong?

<?php
error_reporting(E_ALL ^ E_NOTICE);
session_start();
require("connect.php");
$UserID = $_SESSION['CustNum'];
$UserN = $_SESSION['UserName'];

$ProdGTotal = $_SESSION['ProdGTotal'];

$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN'");
$numrows = mysql_num_rows($queryord);

if(numrows == 1){
    $row = mysql_fetch_assoc($queryord) or die ('Unable to run query:'.mysql_error()); // fetch associated: get function from a query for a database
    $dbstreet = $row['Street'];
    $dhousenum = $row['HouseNum'];
    $dbcnum = $row['CelNum'];
    $dbarea = $row['Area'];
    $dbbuilding = $row['Building'];
    $dbcity = $row['City'];
    $dbpnum = $row['PhoneNum'];
    $dbfname = $row['FName'];
    $dblname = $row['LName'];
}
else
    die(mysql_error());

$query4 = mysql_query("INSERT INTO orderdetails VALUES ('', '$UserID', Now(), '$dbhousenum', '$dbstreet', '$dbarea', '$dbbuilding', '$dbcity', '$dbfname', '$dblname', '$dbcnum', '$dbpnum', '$ProdGTotal')", $connect);

if ($query4){
    header("location:index.php");
}
else
    die(mysql_error());
?>

2 Answers


if(numrows == 1) => if($numrows == 1){


First, you typed

if(numrows == 1){

instead of the variable:

if($numrows == 1){

Also, for checking the user, rather than:

$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN'");    
$numrows = mysql_num_rows($queryord);

use:

$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN' LIMIT 1");    
$numrows = mysql_num_rows($queryord);

because you want to fetch one user. But you also fail because you aren't escaping:

$UserN = mysql_real_escape_string($UserN);
$queryord = mysql_query("SELECT * FROM customer WHERE UserName = '$UserN' LIMIT 1");    
$numrows = mysql_num_rows($queryord);

You should write your code in a better way and see examples of best practices on Stack Overflow for how to fetch data. See the best practices for stopping SQL injection and other vulnerabilities.

Examples are shown on this site: How can I prevent SQL injection in PHP?

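The two points the answers make (test the variable `$numrows`, and stop interpolating the session username into SQL) carried through as one added example that is neither the asker's nor the answerers' code: the same lookup and insert written with mysqli prepared statements. It assumes connect.php provides `$connect` as a mysqli handle and that `orderdetails` has the column names used in the INSERT; both are assumptions, not taken from the question.

```php
<?php
// Added example (not the asker's or either answerer's code): the same flow
// with mysqli prepared statements, so the session username never becomes
// part of the SQL text. Assumes connect.php defines $connect as a mysqli
// handle and that orderdetails has the named columns used below.
error_reporting(E_ALL);   // keep notices visible: the bare word `numrows` raised one
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
session_start();
require 'connect.php';

if (!isset($_SESSION['CustNum'], $_SESSION['UserName'], $_SESSION['ProdGTotal'])) {
    http_response_code(403);
    exit('Not logged in');
}
$userId = (int) $_SESSION['CustNum'];
$userN  = $_SESSION['UserName'];
$total  = $_SESSION['ProdGTotal'];

// A bound placeholder replaces "... WHERE UserName = '$UserN'".
$stmt = $connect->prepare(
    'SELECT Street, HouseNum, CelNum, Area, Building, City, PhoneNum, FName, LName
       FROM customer WHERE UserName = ? LIMIT 1'
);
$stmt->bind_param('s', $userN);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // null when no row matched
$stmt->close();

if ($row === null) {                         // the variable, not a bare constant
    exit('No customer record for this session');
}
// Name the columns and bind every value; the id column is left to auto-increment.
$ins = $connect->prepare(
    'INSERT INTO orderdetails
        (CustNum, OrderDate, HouseNum, Street, Area, Building, City,
         FName, LName, CelNum, PhoneNum, ProdGTotal)
     VALUES (?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$ins->bind_param(
    'issssssssss',
    $userId, $row['HouseNum'], $row['Street'], $row['Area'], $row['Building'],
    $row['City'], $row['FName'], $row['LName'], $row['CelNum'], $row['PhoneNum'],
    $total
);
$ins->execute();
$ins->close();

header('Location: index.php');   // then stop: header() alone does not end the script
exit;
```

With `mysqli_report` set to throw, a failed query surfaces as an exception instead of a silently false return, which is what left the original `die(mysql_error())` branches as the only error handling.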