
I have a page where I am using a parameter in the URL as a filter for my SQL query. I created a variable from the URL parameter:

$station = htmlspecialchars($_GET["station"]);

Then set up a conditional query depending on whether or not the URL parameter is set:

if(isset($_GET['station'])) {
    $query = "SELECT * FROM song_of_the_day WHERE station = '$station'";
}
else {
    $query = "SELECT * FROM song_of_the_day WHERE end_date >= CURDATE()";
}
$result = mysql_query($query) or die(mysql_error());
$num_rows = mysql_fetch_row($result);

Then I display the results in a table:

echo "<table width='758' border='0' cellpadding='10' cellspacing='0' class='myTable'>";
while($row = mysql_fetch_array( $result )) {
    echo '<tr>';
    echo '<td align="left" width="48">' . $row['station'] . '</td>';
    echo '<td align="left">' . date('M j, Y',strtotime($row['end_date'])) . '</td>';
    echo '<td width="24" align="left"><a href="edit.php?id=' . $row['id'] . '"><img src="http://yourligas.yourli.com/ad-inventory/edit.png" border="0"></a></td>';
    echo '<td width="24" align="left"><a href="delete.php?id=' . $row['id'] . '" data-confirm="Are you sure you want to delete this entry?" ><img src="http://yourligas.yourli.com/ad-inventory/remove.png" border="0"></a></td>';
    echo "</tr>";
    // (a stray echo '</tbody>'; that was inside this loop has been removed: there was no matching <tbody>)
}
echo "</table>";

The query works fine when the ELSE branch uses the query, where I'm not relying on the parameter in my SQL, but the problem I am seeing when the URL parameter ISSET is that only one row gets displayed from the query, when there is more than one row that matches the criteria in the actual database. Does anybody know why this is happening?

Thank you

Don Israel
  • You should not be using mysql. Look at PDO, PLEASE! – Shiv Oct 26 '16 at 19:03
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Oct 26 '16 at 19:03
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Oct 26 '16 at 19:03
  • Stackoverflow on MySQL. (1) Ask question (2) Have it ignored and instead be told about PDO. – Luke Oct 26 '16 at 19:07
  • Which is a perfectly valid response. mysql_ have been deprecated for over a decade now. Using it is a security hazard, and usually involves horribly insecure code. – junkfoodjunkie Oct 26 '16 at 19:08
  • The questions are not being ignored @Luke. The OP *is* being educated. – Jay Blanchard Oct 26 '16 at 19:09
  • Btw - what IS the `$_GET['station']`-variable? Give us an example, please. And, then, show us what is stored in the database - both for the result you do get, and for any other rows you think should match. Just to make sure there isn't something there creating problems. – junkfoodjunkie Oct 26 '16 at 19:10
  • If you're adding special characters does your database expect them? – Jay Blanchard Oct 26 '16 at 19:11

1 Answer


In this line, you appear to be consuming the first row of data while attempting to get the number of rows found:

$num_rows = mysql_fetch_row($result);

This removes the first row from your result cursor.

Instead, you probably meant to do the following:

$num_rows = mysql_num_rows($result);
Sam Dufel
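Putting the answer's fix and the commenters' PDO advice together, here is the same page rewritten with a prepared statement, fetching every matching row, and escaping at output time. This is an added example, not code from the question or the answer; the DSN and credentials are placeholders, and the edit/delete links are shown as plain text instead of the original image tags.

```php
<?php
// Added example (not from the question or answer): the same page rewritten with PDO.
// The DSN and credentials below are placeholders; replace them with your own.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
    PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// The URL parameter reaches the database only as a bound value, never spliced into the SQL.
// htmlspecialchars() is an HTML-output concern, so it is applied later, when rendering.
// is_string() rejects ?station[]=... (PHP turns that into an array), which a bound value cannot be.
if (isset($_GET['station']) && is_string($_GET['station'])) {
    $stmt = $pdo->prepare('SELECT id, station, end_date FROM song_of_the_day WHERE station = :station');
    $stmt->execute([':station' => $_GET['station']]);
} else {
    $stmt = $pdo->query('SELECT id, station, end_date FROM song_of_the_day WHERE end_date >= CURDATE()');
}

// fetchAll() returns every matching row; count() gives the row count without consuming
// the first row, which is what mysql_fetch_row() was doing in the original code.
$rows     = $stmt->fetchAll();
$num_rows = count($rows);

echo "<table width='758' border='0' cellpadding='10' cellspacing='0' class='myTable'>";
foreach ($rows as $row) {
    // Escape each database value at the point it enters the HTML.
    $station = htmlspecialchars($row['station'], ENT_QUOTES, 'UTF-8');
    $id      = (int) $row['id'];
    $date    = date('M j, Y', strtotime($row['end_date']));
    echo '<tr>';
    echo '<td align="left" width="48">' . $station . '</td>';
    echo '<td align="left">' . $date . '</td>';
    echo '<td width="24" align="left"><a href="edit.php?id=' . $id . '">edit</a></td>';
    echo '<td width="24" align="left"><a href="delete.php?id=' . $id . '" data-confirm="Are you sure you want to delete this entry?">delete</a></td>';
    echo '</tr>';
}
echo '</table>';
```

With `ERRMODE_EXCEPTION` a failed query raises a `PDOException`, so the `or die(mysql_error())` pattern is no longer needed and error text is not written into the page.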