0

Possible Duplicate:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result

I am getting this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/valerie2/public_html/elinkswap/snorris/filename.php on line 89

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/valerie2/public_html/elinkswap/snorris/filename.php on line 90

Here are the lines of code it is talking about:

```php
    dbConnect();
    $SQL="SELECT fileID FROM uploads WHERE fileName='".$result."'";
    //echo $SQL;
    $rs=mysql_query($SQL);
    echo mysql_num_rows($rs);    // line 89
    if(mysql_num_rows($rs)!=0){  // line 90
        $extension=strrchr($result,'.');
        $result=str_replace($extension,time(),$result);
        $result=$result.$extension;
    }
    return $result;
}
```

Can someone explain to me why I keep getting this error?

Community
  • 1
  • 1
sn1984
  • 97
  • 8
  • 3
    **Warning** your code is susceptible to sql injection. – Daniel A. White Nov 30 '11 at 17:08
  • You are not doing any error checking. You *need* to do that after a `mysql_query()` call. Otherwise, as you show, your script will break if the query fails. How to do this is outlined in the [manual on `mysql_query()`](http://php.net/mysql_query) or in this [reference question.](http://stackoverflow.com/questions/6198104/reference-what-is-a-perfect-code-sample-using-the-mysql-extension) – Pekka Nov 30 '11 at 17:08
  • Also, as Daniel already said, the code you show may be vulnerable to [SQL injection](http://php.net/manual/en/security.database.sql-injection.php) if `$result` isn't being escaped. Use the proper sanitation method of your library (like `mysql_real_escape_string()` for the classic mysql library), or switch to PDO and prepared statements. – Pekka Nov 30 '11 at 17:09
  • Where is your database being connected to? Also, don't use `mysql_`, use PDO or `mysqli_`. – Charles Sprayberry Nov 30 '11 at 17:10
  • Is your query running ok? Put the execution like this: `if ($rs=mysql_query($SQL))` and see what you got. –  Nov 30 '11 at 17:10
  • 1
    By the way, if anybody wonders how I manage to write all these comments this quickly, it's thanks to this magnificent userscript: [AutoReviewComments - Pro-forma comments for SE](http://stackapps.com/q/2116) I can highly recommend it! – Pekka Nov 30 '11 at 17:10
  • Parameterized queries are the only way to go if you want secure code. The `mysql_real_escape_string()` method is not foolproof - it will not escape anything that doesn't contain special characters (e.g. `1 or 1=1` will slip through). – Polynomial Nov 30 '11 at 17:10

4 Answers

2

This is because your mysql_query has failed because of syntax or execution errors in the SQL command.

Make sure you can execute your SQL query (the one that you get using echo $SQL; line) in phpMyAdmin or whatever tool you have.

Whenever mysql_query fails, it returns False instead of a mysql resource. So you should always check if (!$rs) or use the or die(...) mechanism.

Hossein
1

Your query has failed, so $rs holds boolean false, which will result in that error. You need to do something like:

```php
dbConnect();

$query = "SELECT fileID
          FROM uploads
          WHERE fileName='".mysql_real_escape_string($result)."'
          LIMIT 1";
// Added LIMIT 1 for speed - you are only checking if the record exists, so you
// can stop as soon as you find one.

if (!$rs = mysql_query($query)) {
  // Handle query error here
  // e.g.
  echo "Oh no! The query failed! Error: ".mysql_error();
  // BUT you should NEVER show the result of mysql_error() in a production environment!
} elseif (mysql_num_rows($rs)) { // Only reached when the query succeeded, so $rs is a valid result.
  // This is sufficient for detecting whether there were any results
  // A better way of doing what you did:
  $result = explode('.',$result);
  array_splice($result,-1,0,time());
  $result = implode('.',$result);
  // This is better, because str_replace() will replace ALL occurrences of the
  // extension - this way only inserts the timestamp before the extension and
  // doesn't ever do anything else
}

return $result;
```
DaveRandom
1

While the error is being reported here:

```php
echo mysql_num_rows($rs);
```

The cause of the error is here:

```php
$SQL="SELECT fileID FROM uploads WHERE fileName='".$result."'";
//echo $SQL;
$rs=mysql_query($SQL);
```

Likely candidates are:

  1. $result contains un-escaped quotes leading to the SQL being malformed - and also your code is susceptible to SQL injection attacks

  2. You didn't call mysql_connect() before this code executes

  3. You didn't select a database (and haven't qualified the table name in the query) before this code executes.

  4. You don't have a table called uploads in the current DB, or this table doesn't contain columns named fileID or fileName

Issue 1 should be evident if you uncomment the 'echo $SQL;', issues 2, 3 and 4 would be evident if you check mysql_error() after calling mysql_query();

symcbean
  • Well my database name is tblFile and I have a folder name uploads that the uploads will go to. I am sorry just confused about this a little bit, this is the first time trying to get files to be uploaded. – sn1984 Nov 30 '11 at 17:27
0

You should see what mysql_error() says, place it after the mysql_query;

```php
mysql_query($SQL) or die(mysql_error());
```

This should produce an error, which is why your code isn't going any further than the query function thus making your num_rows invalid.

MacMac
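
An added example, not code from the question or from any answer above: the same duplicate-name check written with PDO, combining the two points the thread raises (a parameterized query instead of string concatenation, and query failures surfaced as errors instead of a `false` result). The function name `uniqueFileName()` and the in-memory SQLite database are assumptions made so the script runs stand-alone; the table and column names are the ones from the question.

```php
<?php
// Added example. uploads / fileID / fileName come from the question;
// uniqueFileName() and the SQLite test database are assumptions.

function uniqueFileName(PDO $db, string $name): string
{
    // The placeholder keeps $name out of the SQL text, so a quote in a file
    // name can neither break the statement nor change its meaning.
    $stmt = $db->prepare('SELECT fileID FROM uploads WHERE fileName = :name LIMIT 1');
    $stmt->execute([':name' => $name]);

    if ($stmt->fetchColumn() === false) {
        return $name;                        // no row found: name is free
    }

    // Name is taken: insert a timestamp before the last extension only.
    $parts = explode('.', $name);
    if (count($parts) === 1) {
        return $name . '_' . time();         // no extension to preserve
    }
    array_splice($parts, -1, 0, [(string) time()]);
    return implode('.', $parts);
}

try {
    $db = new PDO('sqlite::memory:');
    // Make every failed query throw instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE uploads (fileID INTEGER PRIMARY KEY, fileName TEXT)');
    $db->prepare('INSERT INTO uploads (fileName) VALUES (?)')->execute(['report.pdf']);

    // Constructed sample inputs: a free name, a taken name, a name with a quote.
    foreach (['notes.txt', 'report.pdf', "o'brien.jpg"] as $name) {
        echo $name, ' -> ', uniqueFileName($db, $name), PHP_EOL;
    }
} catch (PDOException $e) {
    // Keep the database detail in the server log; show only a generic message.
    error_log($e->getMessage());
    echo 'Sorry, the upload could not be processed.', PHP_EOL;
}
```

The name containing a single quote is the case that produces malformed SQL in the concatenated query from the question; here it is looked up like any other string.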