Find method in SQL on my PHP page finds everything, even if the record is null

Question

Ok so I wrote some code to find records on a test database, it works if there is a record and does display the data, if there is no record it still says that it found stuff. It should say it did not. It even finds stuff that is not in the database but obviously has no data to display, its annoying. I need a new pair of eyes.

I think the error is here:

$sql = "SELECT * FROM Kittenzz
        WHERE KittenID='".$_POST['KittenID']."';";
$result = mysql_query($sql, $connection);

But just in case here is the full code minus the login credentials to the db.

<?php
if(isset($_POST['Find'])) 
{
            $connection = mysql_connect("Login Info Deleted");

            // Check connection
            if (!$connection)
        {
            echo "Connection failed: " . mysql_connect_error();
        }
            else
            { //else 1 
                //select a database
                $dbName="Katz";
                $db_selected = mysql_select_db($dbName, $connection); 

                //confirm connection to database
                if (!$db_selected)
                {
                    die ('Can\'t use $dbName : ' . mysql_error());
                }

                else
                { //else 2
            if ($_POST[KittenID]=='')
                    {   
                        $OutputMessage = 'Must add a Kitten-ID';
                    }                       
            else

            {//exception else

                    $sql = "SELECT * FROM Kittenzz
                            WHERE KittenID='".$_POST['KittenID']."';";
                    $result = mysql_query($sql, $connection);

                    while($row = mysql_fetch_array($result))
                    {
                    $Name = $row['Name'];
                    $KittenID = $row['KittenID'];
                    $KittenAge = $row['KittenAge'];
                    $Email = $row['Email'];
                    $Comments = $row['Comments'];
                    $Gender = $row['Gender'];
                    $Passive = $row['Passive'];
                    $Playful = $row['Playful'];
                    $Activity = $row['Activity']; 

                    }

                if ($result)
                {  
                   $OutputMessage = 'Record Found';
                   //echo "<p>Record found<p>";
                }   
                    else
                    {  
                       $OutputMessage = 'RECORD NOT FOUND';

                    }
                }//exception else
            }//else 2 end

                }//else 1 end


            mysql_close($connection);
}

?>

Just a heads up, mysql is deprecated and should not be used anymore, try Mysqli or PDO instead. — Epodax, Mar 24 '15 at 08:46
Professor wants mysql, I should really put a warning about that in my questions. — Pursuer of Dying Stars, Mar 24 '15 at 08:51
Professor saying `MySQL` doesnt necessarily mean you have to use PHP's `mysql` extension. You can use php's mysqli or pdo extension to deal with a mysql database just fine. I'm almost certain he meant MySQL database and not forcefully the `mysql_*` api of PHP. — Hanky Panky, Mar 24 '15 at 08:51
Holly god. I don't know how to work with mysql anymore. I think you have to change $sql to $sql = "SELECT * FROM Kittenzz WHERE KittenID=$_POST['KittenID']"; This will be the first step. — FranMercaes, Mar 24 '15 at 08:59

score 3 · Accepted Answer · edited May 23 '17 at 12:06

3

      if ($result)
      {  
       $OutputMessage = 'Record Found';
      }

There is your mistake, that means if the query executed successfully (even with 0 records) you are saying records found. You should only say that if the number of records returned are more than 0.

      if (mysql_num_rows($result)>0)
      {  
       $OutputMessage = 'Record Found';
      }

But the bigger problem with your code can be solved by this reading

How can I prevent SQL injection in PHP?

edited May 23 '17 at 12:06

Community

1
1

answered Mar 24 '15 at 08:45

Hanky Panky

46,730
8
72
95

I feel so ashamed everyone tells me this, professor is like, yeah I don't except you guys to solve those issues. That's for next semester... – Pursuer of Dying Stars Mar 24 '15 at 08:50
Don't be ashamed, just keep going, keep learning keep asking (when your own attempts fail :P ) and keep improving. Forget everything else – Hanky Panky Mar 24 '15 at 08:54
@user3541786 Are you sure you're not being tested by your professor to escape the user input properly? – jeroen Mar 24 '15 at 09:01
@jeroen I could be, but with how little time I got, I will not risk it. – Pursuer of Dying Stars Mar 24 '15 at 09:10
@user3541786 It's just adding one function call if you are using `mysql_*`. – jeroen Mar 24 '15 at 09:11

score 2 · Answer 2 · answered Mar 24 '15 at 08:52

2

This may happen, because if $_POST['KittenID'] is empty, the sql query would look like : SELECT * FROM Kittenzz WHERE KittenID=""; you have to change the above if statement to:

if (!isset($_POST[KittenID]) || empty($_POST[KittenID]) || $_POST[KittenID]=='')
                {   
                    $OutputMessage = 'Must add a Kitten-ID';
                }

answered Mar 24 '15 at 08:52

lrd

302
2
12

You can just use `empty()` and you will have the other 2 conditions automatically as well. – jeroen Mar 24 '15 at 08:56

Find method in SQL on my PHP page finds everything, even if the record is null

2 Answers2