-1

I am trying to see if there is a match from a form to my database. here is my php code:

    <?php
$host="localhost"; // Host name
$username="****"; // Mysql username
$password="*****"; // Mysql password
$db_name="*****"; // Database name
$tbl_name="public"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");


$door=$_POST['door'];
$postcode=$_POST['postcode'];

// To protect MySQL injection (more detail about MySQL injection)
$door = stripslashes($door);
$postcode = stripslashes($postcode);
$door = mysql_real_escape_string($door);
$postcode = mysql_real_escape_string($postcode);

$sql="SELECT * FROM $tbl_name WHERE door ='$door' AND postcode='$postcode' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);


$count=mysql_num_rows($result);


if($count==1){
header("location:securityquestion.php");
}

?>

the error message i am getting is as follows:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /home/jahedhus/public_html/system/checkdetails.php on line 36

line 36 is $count=mysql_num_rows($result);

what am i doing wrong here?

Chris Laplante
  • 29,338
  • 17
  • 103
  • 134
Jahed Hussain
  • 113
  • 1
  • 1
  • 7
  • does the table "public" exist? – iBiryukov Feb 24 '12 at 01:07
  • yes the public table does exist – Jahed Hussain Feb 24 '12 at 01:08
  • 1
    The query failed, that's why you get a boolean (false) instead of a resource. add "or die(mysql_error())" after your query statement to see the error message – iBiryukov Feb 24 '12 at 01:09
  • 1
    Something is wrong with your SQL command. It seems the table name or one of the field names is wrong or does not exist. – J. Bruni Feb 24 '12 at 01:13
  • 1
    There is also a chance that `$_SESSION['ref']` contents are breaking the query, specially if it contains an unescaped quote... add an `echo $sql;` and let us know the final query string. – J. Bruni Feb 24 '12 at 01:18
  • @J.Bruni, your absolutely right! i had door_no in my database not door as a field name. thanks – Jahed Hussain Feb 24 '12 at 01:18
  • possible duplicate of [mysql\_fetch\_array() expects parameter 1 to be resource, boolean given in select](http://stackoverflow.com/questions/2973202/mysql-fetch-array-expects-parameter-1-to-be-resource-boolean-given-in-select) – Jocelyn Apr 25 '13 at 01:10

4 Answers4

1

Because, just like many, many others here, the code blindly assumes that the query succeeded and everything is fine. Check for errors after each operation. Most of the functions return false when they fail.

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
1

Because your query failed.

php.net/mysql-query: "For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error."

Try this:

$result=mysql_query($sql) or die(mysql_error());
Roman Newaza
  • 11,405
  • 11
  • 58
  • 89
0

You need to do two things:

  1. Find out what the MySQL error is, as already suggested

    $result=mysql_query($sql) or die(mysql_error());

  2. You need to sanitize everything that goes into the query. Although you sanitize $door and $postcode, you don't sanitize $_SESSION['ref']. You should and run it through mysql_real_escape_string(). I don't know what you are storing in it, but perhaps that's where the code is breaking because of unescaped characters?

In theory I guess $_SESSION is stored server side, but personally I still wouldn't trust it, and I'd escape everything that goes into a MySQL query.

fred2
  • 1,015
  • 2
  • 9
  • 29
0

I think answer lies in the curly braces: 

$sql="SELECT * FROM $tbl_name WHERE door ='{$door}' AND postcode='{$postcode}' AND active = 'not_activated' AND ref = '". $_SESSION['ref']."'";
$result=mysql_query($sql);
Alireza
  • 6,497
  • 13
  • 59
  • 132