-1

I have a problem when I try to check if email is already registered. Can someone help? I have this error:

mysql_fetch_array(): supplied argument is not a valid MySQL result resource in line...

($record =mysql_fetch_array($result); )

```php
<?php
    $nome = $_REQUEST["nome"];
    $cognome = $_REQUEST["cognome"];
    $psw = $_REQUEST["psw"];
    $email = $_REQUEST["email"];
    $nikName = $_REQUEST["nikName"];

    $conn = mysql_connect("host,name","userName","Password","databaseName");

    if(!$conn) {
        echo "connessione non satabilita";
    } else {
        if(!mysql_select_db("databaseName",$conn)) {
            echo "database non trovato";
        } else {
            $sql = "select * from utenti where User='$email'"; // build the search query
            $result = mysql_query($sql,$conn); // assign the results
            $record =mysql_fetch_array($result); // fetch the first result
            if(!$record) {
                $sql = "INSERT INTO User (UserId, Nome, Cognome, Email, Username, Password, TimeStamp) VALUES (NULL,'$nome','$cognome','$email','$nikName','$psw', NULL)";
                $result=mysql_query($sql);
                if($result) {
                    echo "utente registrato correttamente";
                } else {
                    //Error
                    echo "errore registrazione, riprovare più tardi";
                }
                echo "<br />";
                echo "utente registrato";
            } else {
                echo "utente gia registrato";
            }
        }
    }
?>
```
Alessandro Zago
  • Ragazzo... `mysql_connect(1,2,3,4)` doesn't do what you think, #4 that is. http://php.net/manual/en/function.mysql-connect.php – Funk Forty Niner Sep 02 '15 at 16:02
  • Before you continue to write your application, you might **want** to migrate to **PDO with Prepared Statements** before. The mysql_* functions are **deprecated** as of PHP 5.4 and will be removed as of PHP 7. – Charlotte Dunois Sep 02 '15 at 16:05
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 02 '15 at 16:05
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 02 '15 at 16:06
  • You really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. – Jay Blanchard Sep 02 '15 at 16:06
  • *Welcome to Stack!* – Funk Forty Niner Sep 02 '15 at 16:07

3 Answers

1

Before this gets out of hand.

```php
$conn = mysql_connect("host,name","userName","Password","databaseName");
```

You're using 4 parameters rather than 3.

Sidenote: 4 parameters is mysqli_ syntax http://php.net/manual/en/function.mysqli-connect.php
Be careful though, those different MySQL APIs do not intermix. So you cannot have mysql_ with mysqli_ should you decide to change it to that.

The manual http://php.net/manual/en/function.mysql-connect.php states:

```php
$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
```

the fourth is for something else.

> If a second call is made to mysql_connect() with the same arguments, no new link will be established, but instead, the link identifier of the already opened link will be returned. The new_link parameter modifies this behavior and makes mysql_connect() always open a new link, even if mysql_connect() was called before with the same parameters. In SQL safe mode, this parameter is ignored.

  • So, just remove the 4th parameter.

Sidenote: This is questionable "host,name" (with the comma). Double check it as to what your host (if hosted) has provided you with. Most of the time, that should read as "localhost".

As stated, you're open to SQL injection.

Use a prepared statement:

As for the rest of your code:

Add error reporting to the top of your file(s) which will help find errors.

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code
```

Sidenote: Displaying errors should only be done in staging, and never production.

Also add `or die(mysql_error())` to `mysql_query()`.


About your wanting to check if an email exists; you may be better off using `mysql_num_rows()`.

I.e.:

```php
$sql = "select * from utenti where User='$email'";

$result = mysql_query($sql, $conn) or die(mysql_error($conn));

if (mysql_num_rows($result) > 0) {
    // ... email already registered
} else {
    // ... email not registered yet
}
```

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.


Also, this doesn't help you:

```php
if(!mysql_select_db("databaseName",$conn)){
    echo "database non trovato";
}
```

This does:

```php
if(!mysql_select_db("databaseName",$conn)){
    die ('Can\'t use the database : ' . mysql_error());
}
```

In order to get the real error, should there be one.

Reference:

Community
Funk Forty Niner
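
The registration check with prepared statements and `password_hash()`, as an added example that is not part of the original answers. It goes slightly beyond the check-then-insert pattern by assuming a UNIQUE constraint on `Email`, so the database rejects a duplicate even when two requests arrive together. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database in place of MySQL so it runs offline; `registerUser()` and `checkLogin()` are hypothetical helper names.

```php
<?php
// Added example. Assumes pdo_sqlite; the in-memory database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Assumption: UNIQUE on Email, so the database itself rejects duplicates.
$pdo->exec('CREATE TABLE User (UserId INTEGER PRIMARY KEY, Nome TEXT, Cognome TEXT,
    Email TEXT NOT NULL UNIQUE, Username TEXT, Password TEXT NOT NULL)');

function registerUser(PDO $pdo, array $in): string
{
    // Placeholder keeps the e-mail out of the SQL text entirely.
    $check = $pdo->prepare('SELECT 1 FROM User WHERE Email = ?');
    $check->execute([$in['email']]);
    if ($check->fetchColumn() !== false) {
        return 'utente gia registrato';
    }
    $insert = $pdo->prepare('INSERT INTO User (Nome, Cognome, Email, Username, Password)
        VALUES (?, ?, ?, ?, ?)');
    try {
        $insert->execute([$in['nome'], $in['cognome'], $in['email'], $in['nikName'],
            password_hash($in['psw'], PASSWORD_DEFAULT)]); // store only the hash
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation (duplicate e-mail).
        if ((string) $e->getCode() === '23000') {
            return 'utente gia registrato';
        }
        throw $e;
    }
    return 'utente registrato correttamente';
}

function checkLogin(PDO $pdo, string $email, string $psw): bool
{
    $stmt = $pdo->prepare('SELECT Password FROM User WHERE Email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($psw, $hash);
}

// Constructed sample input; the apostrophe in the surname would break the
// string-built INSERT from the question but is harmless as a bound value.
$user = ['nome' => 'Ada', 'cognome' => "O'Neil", 'email' => 'ada@example.com',
         'psw' => 'correct horse', 'nikName' => 'ada'];
echo registerUser($pdo, $user), "\n";   // first registration
echo registerUser($pdo, $user), "\n";   // same e-mail again
var_dump(checkLogin($pdo, 'ada@example.com', 'correct horse'));
var_dump(checkLogin($pdo, 'ada@example.com', 'wrong password'));
```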
0

As mentioned above, there is a syntax error with mysql_connect(), where you're trying to use an invalid number of params. The best way is to make a config.php file and then use it whenever you need it. This is a basic connection code in PDO.

```php
<?php
$host = "localhost";
$database = "yourdbnamehere";
$username = "yourusernamehere";
$password = "yourpasswordhere";

try {
    $dbo = new PDO('mysql:host='.$host.';dbname='.$database, $username, $password);
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
?>
```
DirtyBit
0

You will need a solution like this. But you must switch towards PDO or MySQLi to ensure that your code stays valid in the long run, and so that you will be able to write secure and stable code.

Go through these at first:

http://php.net/manual/en/book.pdo.php

http://php.net/manual/en/book.mysqli.php

An example code for you solving your current problem:

```php
<?php
    $nome = $_REQUEST["nome"];
    $cognome = $_REQUEST["cognome"];
    $psw = $_REQUEST["psw"];
    $email = $_REQUEST["email"];
    $nikName = $_REQUEST["nikName"];
    try {
        // The DSN key is "host" (not "dbhost"), with no space between DSN elements
        $pdo = new PDO('mysql:host=hostname;dbname=databaseName', 'userName', 'Password');
    } catch (PDOException $e) {
        echo "Error connecting to database with error ".$e;
        die();
    }

    // check for email
    // Positional (?) placeholders are bound by 1-based integer index
    $sql = $pdo->prepare("select * from utenti where User= ?");
    $sql->bindParam(1, $email);
    $sql->execute();

    /* if you aren't hashing the password,
    then do it first
    $psw = password_hash($psw, PASSWORD_DEFAULT);
    */

    // Insert if email not registered
    // (rowCount() on a SELECT relies on the MySQL driver's buffered queries; it is not portable)
    if($sql->rowCount() == 0) {
        $insert = $pdo->prepare("INSERT INTO User (Nome,Cognome,Email,Username,Password) VALUES (?, ?, ?, ?, ?)");
        $insert->bindParam(1, $nome);
        $insert->bindParam(2, $cognome);
        $insert->bindParam(3, $email);
        $insert->bindParam(4, $nikName);
        $insert->bindParam(5, $psw);
        $insert->execute();
        if($insert->rowCount() > 0) {
            echo "utente registrato correttamente";
        } else {
            echo "errore registrazione, riprovare più tardi";
        }
    } else {
        echo "utente gia registrato";
    }
?>
```
Rehmat