-1

I've got this part of code in my PHP app:

$find_user = "SELECT * FROM tcms_module_profiles WHERE profile_contact_email = ".$_POST['email'];
$num_rows = mysql_num_rows(mysql_query($find_user));

that returns this error message:

mysql_num_rows() expects parameter 1 to be resource, boolean given

But I'm passing a query result to mysql_num_rows(). I've checked the query and it's correct (because if I execute it in phpMyAdmin it returns the record).

Thanks in advance for all the help

giovaZ
  • Your query fails, so `mysql_query` will return false and not an object. Put some single quotes around your input string: `$_POST["email"]` – Rizier123 Nov 24 '15 at 10:27
  • As a suggestion, you should better use mysqli (MySQL Improved) because mysql is deprecated in newer versions of PHP. – Manoj Salvi Nov 24 '15 at 10:31
  • @ManojSalvi is right, but I'd put it much more strongly than that... the `mysql_xxx()` functions in PHP are obsolete and have been so for a very long time. If you're using them, then your code is obsolete. If you're just learning PHP and using them, then your tutorial is obsolete. Find one that is more up to date. – Simba Nov 24 '15 at 10:39
  • Also, since nobody else has mentioned it, you should **never** put a `$_POST` variable directly into a SQL string like that. It is wide open to being hacked. Look up [How can I prevent SQL-injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for more info on this. – Simba Nov 24 '15 at 10:41
  • Hi, I'm using mysql_xxx functions because I'm working with an old website project. – giovaZ Nov 24 '15 at 11:18

4 Answers

2

You need to put your profile_contact_email value in quotes, because comparing against a VARCHAR field needs quotes around the value. And use mysql_real_escape_string in your query to prevent SQL injection:

$email = mysql_real_escape_string($_POST['email']);
$find_user = "SELECT * FROM tcms_module_profiles WHERE profile_contact_email = '".$email."'";
$result = mysql_query($find_user);
$num_rows = mysql_num_rows($result);

Note: mysql is deprecated; use mysqli or PDO instead.

Saty
  • There is no downvote; just zero up and zero down. Maybe someone withdrew their upvote. Anyway, your suggestion doesn't fix the blatant SQL injection hole, so I'm tempted to downvote you. (I haven't because you did at least suggest using PDO instead, but you really shouldn't be suggesting a solution with such an obvious security hole.) – Simba Nov 24 '15 at 10:45
  • We just suggest OP use mysqli or PDO; we're not going to provide a solution in PDO or mysqli. Well, I also provided `mysql_real_escape_string` to protect OP's code from the open SQL injection in mysql. – Saty Nov 24 '15 at 10:49
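The quoting problem from the question and the prepared-statement fix the answers point to, side by side, as an added example that is not part of the original question or any answer. It uses PDO with an in-memory SQLite database so it runs offline; the table and column names come from the question, the e-mail values are constructed, and against MySQL only the DSN line would change.

```php
<?php
// Added example, not from the question or any answer. SQLite in memory stands
// in for the MySQL server so this runs without a database; swap the DSN for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tcms_module_profiles (id INTEGER PRIMARY KEY, profile_contact_email TEXT)");
$pdo->exec("INSERT INTO tcms_module_profiles (profile_contact_email) VALUES ('user@example.com')");

// The pattern from the question: the value is glued into the SQL with no quotes,
// so the server parses it as identifiers and operators and the query fails.
// With the mysql_* functions that failure is the boolean false the error message
// complains about; PDO in exception mode throws instead.
function countUsersUnquoted(PDO $pdo, string $email): string {
    $sql = "SELECT * FROM tcms_module_profiles WHERE profile_contact_email = " . $email;
    try {
        $stmt = $pdo->query($sql);
        return "ok: " . count($stmt->fetchAll()) . " row(s)";
    } catch (PDOException $e) {
        return "error: " . $e->getMessage();
    }
}

// The fix: a parameter placeholder. The driver transmits the value separately from
// the statement, so the application never has to quote or escape it and the input
// cannot change the statement's structure. An apostrophe in the address is just data.
function countUsersPrepared(PDO $pdo, string $email): int {
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM tcms_module_profiles WHERE profile_contact_email = ?");
    $stmt->execute([$email]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample values standing in for $_POST['email'].
$inputs = ['user@example.com', "o'connor@example.com"];
foreach ($inputs as $email) {
    echo "unquoted [$email] -> ", countUsersUnquoted($pdo, $email), "\n";
    echo "prepared [$email] -> ", countUsersPrepared($pdo, $email), " row(s)\n";
}
```

The unquoted variant fails for both inputs, while the prepared variant returns 1 row for the first address and 0 for the second without any error.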
1

Your SQL query failed, resulting in mysql_query returning a boolean FALSE value. It failed because you didn't use quotes around your email.

Your script is also open to SQL injection, btw.

Wayne Whitty
0

Use the following code:

$find_user = "SELECT * FROM `tcms_module_profiles` WHERE `profile_contact_email`='{$_POST['email']}';";
$result = mysql_query($find_user);
if(!$result){die("ERROR");}
$num_rows = mysql_num_rows($result);

Your code was missing quotes ('') around $_POST['email'], and you should first check that the query succeeded. mysql_ is deprecated; use the mysqli_ or PDO extension instead.

A mysqli version of the above code:

// NOTE: $_POST['email'] is still interpolated into the SQL unescaped here; see the comments on the question about SQL injection.
$find_user = "SELECT * FROM `tcms_module_profiles` WHERE `profile_contact_email`='{$_POST['email']}'";
// mysqli_query() takes the connection handle as its first argument; $link is the value returned by mysqli_connect()
$result = mysqli_query($link, $find_user);
if(!$result){die("ERROR");}
$num_rows = mysqli_num_rows($result);

Note: you also need to change your MySQL connection code to the mysqli equivalents.

mega6382
  • Hi, I receive this error with your code: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'profile_contact_email = 'emailposted' at line 1 – giovaZ Nov 24 '15 at 11:14
-1

Try this...

$find_user = "SELECT * FROM tcms_module_profiles WHERE profile_contact_email = '".$_POST['email']."'";
William Madede
  • This does not provide an answer to the question. To critique or request clarification from an author, leave a comment below their post. - [From Review](/review/low-quality-posts/10317284) – IKavanagh Nov 24 '15 at 11:47
  • What do you mean it doesn't provide the answer? That is an answer, isn't it? He wanted to solve his error, I gave out the code that solves the error. Or..? – William Madede Nov 24 '15 at 12:01
  • It does provide an answer, but it's not very good. You should try to always add some description of the problem and how your solution tries to solve it in addition to a code snippet. – Artjom B. Nov 24 '15 at 13:13
  • An answer is a solution. You haven't provided a solution, you've provided something for the questioner to **try**. It is not clear that this answers the question. That is where the comment comes in, in my opinion. If you want to make this a better answer then make it definite that it is a solution to the problem and not something that **might** work. – IKavanagh Nov 24 '15 at 14:07
  • @Artjom how much better does it have to be if it's working? You should have just said I should have provided the description too... not that my answer is not good. An answer is already good if it works. @IKavanagh my answer is fixing his query and working. That's a solution. It's not something that might work, it's something that's working. The answer is pretty clear to the question, what do you mean it's not? Don't just comment without understanding. – William Madede Nov 24 '15 at 14:27