1

Possible Duplicate:
php warning mysql_fetch_assoc

I am just implementing a simple part of my website that takes a variable from the header (subid), checks it against the database and then outputs the other fields related to the variable.

However, I am getting this error -

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in /home/admin/public_html/report.php on line 14
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/home/admin/public_html/log/log_274b43e6ad_New Text Document (7).txt.txt' at line 1

Here is the code for my page that does it all

include 'connect_to_mysql.php';
$sql_header = mysql_query("SELECT * FROM system");
$header_array = mysql_fetch_assoc($sql_header);
$total_scans = $header_array['total_scans'];
$malware_detected = $header_array['malware_detected'];
$total_users = $header_array['total_users'];

$report_id = $_GET['log'];
var_dump($report_id);
$sql_report = mysql_query("SELECT * FROM logs WHERE log_name='$report_id");
var_dump($sql_report);
$report_array = mysql_fetch_assoc($sql_report) or die(mysql_error());
$file_name = $report_array['file_name'];
$file_size = $report_array['file_size'];
$submission_date = $report_array['submission_date'];
$result = $report_array['result'];
$status = $report_array['status'];

Any ideas on what could be wrong? I have tried everything and checked my database; all the names are correct and everything. I even checked the $report_id variable in the database and it matches, so I am not sure why it is getting an error.

Thanks for the help

Al Hennessey
  • Just to add: for the var_dumps I am getting - string(72) "/home/admin/public_html/log/log_274b43e6ad_New Text Document (7).txt.txt" for the $report_id and I am getting - bool(false) for the $sql_report. If that helps, thanks again – Al Hennessey Jan 08 '12 at 17:24

3 Answers

4

Your code is not doing any error checking, so it's no surprise the query breaks silently when it fails. Check for errors and it will tell you what is going wrong - how to do it is outlined in the manual on mysql_query() or in this reference question. Example:

$sql_report = mysql_query("SELECT * FROM logs WHERE log_name='$report_id");

// Bail out on error 
if (!$sql_report)  
  { 
    trigger_error("Database error: ".mysql_error(), E_USER_ERROR); 
    die();
   }

In your specific case, you are missing a closing ' in

WHERE log_name='$report_id")

Also, the code you show is vulnerable to SQL injection. You need to escape every value you use like so:

$report_id = mysql_real_escape_string($_GET['log']);

For this to work, you need to put every value in your query into quotes.

Pekka
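The two points of the answer above (check every query for errors, and keep request values out of the SQL text) in one runnable sketch. This is an added example, not code from the question or from any answer: it uses PDO with bound parameters instead of `mysql_real_escape_string()` (the `mysql_*` functions were removed in PHP 7.0), and an in-memory SQLite database with constructed rows stands in for the asker's MySQL `logs` table, so `pdo_sqlite` and the helper name `find_report` are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL "logs" table.
$pdo = new PDO('sqlite::memory:');
// Make every failed query throw instead of silently returning false.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

// Constructed sample rows; the second log_name contains a single quote.
$pdo->exec('CREATE TABLE logs (log_name TEXT PRIMARY KEY, file_name TEXT, result TEXT)');
$seed = $pdo->prepare('INSERT INTO logs VALUES (?, ?, ?)');
$plain  = '/home/admin/public_html/log/log_274b43e6ad_New Text Document (7).txt.txt';
$quoted = "/home/admin/public_html/log/log_it's.txt";
$seed->execute([$plain, 'New Text Document (7).txt', 'clean']);
$seed->execute([$quoted, "it's.txt", 'clean']);

/**
 * Hypothetical helper: look up one report by the value of ?log=.
 * The value is bound as a parameter, so a quote inside it can neither
 * break the statement nor change its meaning.
 * Returns the row as an array, or null when nothing matches.
 */
function find_report(PDO $pdo, string $reportId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM logs WHERE log_name = ?');
    $stmt->execute([$reportId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// 1) The query from the question (closing quote missing) now fails loudly
//    at the point of the mistake instead of at the later fetch call.
try {
    $pdo->query("SELECT * FROM logs WHERE log_name='$plain");
} catch (PDOException $e) {
    echo 'Query failed: ', $e->getMessage(), "\n";
}

// 2) Bound parameter: a plain value, a value with a quote, and no match.
foreach ([$plain, $quoted, 'missing'] as $id) {
    $row = find_report($pdo, $id);
    echo $id, ' => ', $row === null ? 'no such report' : $row['file_name'], "\n";
}
```

In a real page the argument would come from `$_GET['log']`; the `string` type on `find_report()` rejects an array passed as `?log[]=...` with a `TypeError` rather than building a query from it.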
0

You forgot a quote: '$report_id'.

Nicola Cossu
0

Here there are two things you have to notice:

1) The warning with mysql_fetch_assoc(). This warning will occur when the argument passed to it is not a valid MySQL resource, i.e., the mysql_connect() returned a null object (failed to return a connection object). This in turn is caused by the fact that the arguments passed to mysql_connect() are bad database credentials.

This case is usually trapped by using

is_resource($con) 

call, which returns true if $con is a valid resource.

2) The error as described in the error description is due to bad syntax of the query.

"SELECT * FROM logs WHERE log_name='$report_id"  

Here you omitted the closing brace for $report_id:

"SELECT * FROM logs WHERE log_name='$report_id'"

3) Database access: A general method of accessing a database is by using a class that accesses the database credentials through accessor methods like setUname(), SetPasswd() etc., where the method itself will trim, escape and sanitize the credentials before they are passed to the database. This will prevent SQL injection attacks.

Vijeenrosh P.W