-2

I need to test if my query returns 1 or 0 (so if there is a key matching the one entered)

Here's my code :

 $key=$_POST['key'];
 $queryKey = mysql_query("SELECT COUNT(*) FROM `smf_invites` WHERE `key` = '$key'");
 $query = mysql_num_rows($queryKey);

 if( !empty ($key))
 {
    echo 'You have entered a key';
    if (!empty ($query))
    {
        echo 'A key is corresponding';
    }

 }

EDIT :

 $connect = new mysqli("XXX","XXX","XXX","smf");

 if (mysqli_connect_errno())
 {
     printf("Connection failed : %s\n", mysqli_connect_error());
     exit();
 }
 else
 {
     echo 'Connected to database';
 }
 $key=$_POST['key'];
 if( !empty ($key))
 {
     echo 'You have entered a key';
     $key = mysqli_real_escape_string($_POST['key']);
     $queryKey = mysqli_query("SELECT 1 FROM `smf_invites` WHERE `key` =   '$key'");
     if (mysqli_num_rows($queryKey))
     {
         echo 'A key is corresponding';
     }
 }
 else
 {
     echo 'No keys entered';
 }

Now my code is giving me errors like

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 32

Warning: mysqli_query() expects at least 2 parameters, 1 given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 33

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 34
Rameleu
  • Add error reporting to the top of your file(s) right after your opening PHP tag for example ` – Funk Forty Niner Feb 22 '15 at 22:22
  • Hint: if numrows is more than nothing... – Funk Forty Niner Feb 22 '15 at 22:24
  • Depending on how `key` is generated, you have MySQL injection vulnerabilities. Please use `mysqli` instead. – AStopher Feb 22 '15 at 22:41
  • @ʎǝʞuoɯɹǝqʎɔ Using `mysqli_` on its own doesn't safeguard against injection. `mysqli` with prepared statements does. ;-) – Funk Forty Niner Feb 22 '15 at 22:42
  • @Rameleu which MySQL API are you using to connect with and how? You need to specify that. – Funk Forty Niner Feb 22 '15 at 22:47
  • I've changed everything to work with mysqli. I've tested my connection and it's perfectly connected to my database. – Rameleu Feb 22 '15 at 22:59
  • If you're using `mysqli_` and `mysql_` together, that won't work. Use the same API for everything and don't mix them. That's why the answer John gave you, is throwing that error. "resource" is your DB connection that doesn't correspond with the rest of your code/functions. – Funk Forty Niner Feb 22 '15 at 23:02
  • Yes that's what I've told you, I'm now using mysqli for everything, but it's still not working – Rameleu Feb 22 '15 at 23:03
  • Define "not working". New errors? Are you passing DB connection to the required functions? – Funk Forty Niner Feb 22 '15 at 23:05
  • Now it tells me Connected to databaseYou have entered a key Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 32 Warning: mysqli_query() expects at least 2 parameters, 1 given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 33 Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 34 – Rameleu Feb 22 '15 at 23:08
  • **A:** Just as the error says. Pass DB connection to the functions. At this point, I *highly* suggest you post your new code along with the connection code you're using, and replacing credentials with `xxx`. DO NOT overwrite your existing question/code, but marked as **EDIT:** (here is my updated code), under your original question. We will be commenting back and forth otherwise. – Funk Forty Niner Feb 22 '15 at 23:10
  • Simple: You need to pass your DB connection variable to those functions. – Funk Forty Niner Feb 22 '15 at 23:21
  • I don't really understand what you are meaning. – Rameleu Feb 22 '15 at 23:22
  • I've posted a *complementary* answer below. If that doesn't work, your query is failing. – Funk Forty Niner Feb 22 '15 at 23:26

3 Answers

2

You have multiple issues with this code

  1. If $_POST['key'] is not set you will get a PHP Notice
  2. $queryKey = mysql_query("SELECT COUNT(*) FROM `smf_invites` WHERE `key` = '$key'"); will always return one row. So checking for the number of rows returned will not work.

Here is updated code that should resolve your issue.

 if( isset($_POST['key']))
 {
    echo 'You have entered a key';
    $key = mysql_real_escape_string($_POST['key']);
    $queryKey = mysql_query("SELECT 1 FROM `smf_invites` WHERE `key` = '$key'");
    if (mysql_num_rows($queryKey))
    {
        echo 'A key is corresponding';
    }
 }

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Your code is also wide open to SQL injections

Zoe
John Conde
  • Thanks for your fast answer. I've got this as the output : Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in D:\Program Files (x86)\EasyPHP-DevServer-14.1VC11\data\localweb\registration.php on line 30 – Rameleu Feb 22 '15 at 22:32
  • Your query is failing. Use mysql_error() to find out why. Also, have you verified your connection to MySQL was successful? – John Conde Feb 22 '15 at 22:36
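
The prepared-statement approach recommended in the answer and comments above, as an added example (not code from the original posts): PDO with an in-memory SQLite database stands in for the MySQL `smf` database so it runs without a server, and the helper name `inviteKeyExists` and the sample keys are assumptions.

```php
<?php
// Added example. SQLite in-memory is a stand-in for the MySQL `smf` database;
// the table name and `key` column are taken from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // a failed query throws instead of returning false
$pdo->exec('CREATE TABLE smf_invites (`key` TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO smf_invites (`key`) VALUES ('INVITE-0001')"); // constructed sample key

// Hypothetical helper: true when $key matches a stored invite key.
function inviteKeyExists(PDO $pdo, $key): bool
{
    // $_POST values can be arrays (key[]=...) or missing; accept only non-empty strings.
    if (!is_string($key) || $key === '') {
        return false;
    }
    // The SQL text is fixed; the key travels separately as a bound parameter,
    // so quote characters in it can never change the statement.
    $stmt = $pdo->prepare('SELECT 1 FROM smf_invites WHERE `key` = ? LIMIT 1');
    $stmt->execute([$key]);
    // fetchColumn() returns false when no row matched.
    return $stmt->fetchColumn() !== false;
}

// Constructed inputs standing in for $_POST['key'].
$samples = [
    'INVITE-0001',    // stored key
    'INVITE-9999',    // unknown key
    "INVITE-0001'",   // embedded quote: compared as data, not parsed as SQL
    '',               // empty field
    ['INVITE-0001'],  // array submitted instead of a string
    null,             // field not sent at all
];
foreach ($samples as $posted) {
    $verdict = inviteKeyExists($pdo, $posted) ? 'A key is corresponding' : 'No matching key';
    printf("%-18s => %s\n", json_encode($posted), $verdict);
}
```

With mysqli the same pattern is `$connect->prepare(...)`, then `bind_param('s', $key)` and `execute()` on the returned statement.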
2

In conjunction with John's answer

As per your newly edited code:

mysqli_ requires DB connection be passed for functions.

Change:

$key = mysqli_real_escape_string($_POST['key']);

to:

$key = mysqli_real_escape_string($connect, $_POST['key']);

or (use the variable $key in there instead.)

Then there's:

$queryKey = mysqli_query("SELECT 1 FROM `smf_invites` WHERE `key` =   '$key'");

to:

$queryKey = mysqli_query($connect, 
"SELECT 1 FROM `smf_invites` WHERE `key` =   '$key'") 
or die(mysqli_error($connect));

Troubleshooting/debugging

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Plus, or die(mysqli_error($connect))

Sidenote: Error reporting should only be done in staging, and never production.

Funk Forty Niner
  • Alright, this answer helped me find the problem. The query is now recognizing if there is a corresponding key or not. Thanks a lot for your help, I appreciate it! – Rameleu Feb 22 '15 at 23:29
0

I created a class for you and an example; check this out.

<?php
class MyDb {
    protected $link;
    public function __construct() {
        if (!$this->link = mysql_connect('localhost', 'user', 'password')) {
            echo 'Could not connect to mysql';
            exit;
        }

        if (!mysql_select_db('table_name', $this->link)) {
            echo 'Could not select database';
            exit;
        }
    }

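    public function exist($id) {
        if (is_int($id)) {
            // SELECT 1 yields a row only when the key matches;
            // COUNT(*) always yields exactly one row, so num_rows would always be 1
            $sql = "SELECT 1 FROM smf_invites WHERE `key` = '$id' LIMIT 1";
            $result = mysql_query($sql, $this->link);
            // mysql_query() returns false when the query fails
            return $result !== false && mysql_num_rows($result) > 0;
        } else {
            return false;
        }
    }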
}


$x = $_POST['key'] = 1;

if(!empty($_POST['key'])) {
    $db = new MyDb();
    if($db->exist($x)) {
        echo "exist";
    } else {
        echo "no exist";
    }
}
Leandro Papasidero