PHP/SQL mysql_num_rows() error

Question

I'm having issues executing this code: http://tinyurl.com/m9zoscy Sorry I had to put it on Google Drive StackOverflow was being fussy about the code... Annnyway i'm having issues on line 18. Any ideas?

This is my code:

<link rel="Stylesheet" type="text/css" href="style.css" />
<link href='http://fonts.googleapis.com/css?family=Karla:400,700,700italic,400italic' rel='stylesheet' type='text/css'>
<?php
$filename = 'install.php';
if (file_exists($filename)) {
echo ("<center><font color='red'><b>/install.php still exists<br>
After installing please delete install.php</center></font></b>");
} else {
    if (isset($_POST['Login'])){
    include('config.php');
        if (!mysql_connect($host, $username, $password)) die("Can't connect to database");
        if (!mysql_select_db($db_name)) die("Can't select database");
        $myusername=$_POST['myusername'];
        $mypassword=$_POST['mypassword'];

        $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
        $result=mysql_query($sql);
        $count=mysql_num_rows($result);
        if($count >= 1){
        session_register("myusername");
        session_register("mypassword");
        header("location: index.php");
        } else {
            echo "<center><font color='red'><b>Wrong Username or Password</center></font></b>";
        }
    }
?>
<br>
<form method="post" action=""><td>
<table width="325" border="0" align="center" cellpadding="2" cellspacing="0" bgcolor="#212121">
<td><table width="100%" border="0" cellpadding="3" cellspacing="0" bgcolor="#404040"></td>
<tr colspan="3"><strong><center> <font color="ECECEC"> Admin Login </font></center></strong></tr>
<tr>
<td>
<font color="ECECEC">Username </font><input name="myusername" type="text" 
id="myusername">

<font color="ECECEC">Password </font><input name="mypassword" type="password" id="mypassword">
</td>
<center><td><input type="submit" name="Login" value="Login"></td></center>
</table></table>
</form>
<?php
}
?>

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /-----/---------/-------/loader/login.php on line 18 — Killpot, May 29 '14 at 22:43
Way to annoy someone: post a link to some code without line numbers, and then to a place where it won't let me hit the back button! — Mike W, May 29 '14 at 22:44
That means that there was an error in your query. Also, please look up "SQL Injection" — Ben D, May 29 '14 at 22:44
First off, you should not be using mysql_query. This is a deprecated feature and will be removed. This is due to the innate security issues that are related to the mysql function family. Please use PDO or mysqli for proper security. — justinpage, May 29 '14 at 22:45
Also, you are not aloud to just post code without any explanation. StackOverflow is informing you that you need to explain the issue you are encountering and what solutions have you tried. Just pasting code and expecting an answer is not proper for the community. — justinpage, May 29 '14 at 22:47

score 0 · Answer 1 · edited May 29 '14 at 23:27

0

$tbl_name is not defined.

By the way: check for if $result before you proceed.

edited May 29 '14 at 23:27

Javier

11,494
4
43
54

answered May 29 '14 at 22:43

ratmalwer

693
5
12

Same error persists D: – Killpot May 29 '14 at 22:50

Jean-François Savard · Accepted Answer · 2014-05-29T22:54:49.037

0

Edit : $tbl_name is not defined in the code you pasted.

Else

Your $result variable seems to be invalid...

try catching the connection into a variable and give it to mysql_query :

<?php

$link = mysql_connect($host, $username, $password);
mysql_select_db($dbname, $link);

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";

$result = mysql_query($sql, $link);
$num_rows = mysql_num_rows($result);


?>

Or maybe your select is just invalid... Try doing an echo and execute the output in your db program.

edited May 29 '14 at 22:54

answered May 29 '14 at 22:47

Jean-François Savard

20,182
6
46
71

Any specific/special way I should declare it? – Killpot May 30 '14 at 00:12
declare what ? $tbl_name ? $sql ? Also, it would be easier for me to help you if you give me an echo of the sql so I can make sure it is valid. – Jean-François Savard May 30 '14 at 00:17
yeah to declare $tbl_name – Killpot May 30 '14 at 00:25
$tbl_name="yourTableName"... or add an other input to your form to retrieve it like you did for the username and password. – Jean-François Savard May 30 '14 at 00:27
this came out from the sql echo "SELECT * FROM members WHERE username='Killpot' and password='! **********'" – Killpot May 30 '14 at 00:35
Syntax seems good. If you copy that statement into your database tool (I recommend MySQL workbench) do you have any error ?. – Jean-François Savard May 30 '14 at 00:37
Bingo, members table hasn't been created yet – Killpot May 30 '14 at 00:50
The first thing I do when having a problem using a SQL statement in other language is trying the output of that statement directly in the editor. Doing this will save you lot of time like this time in the future. – Jean-François Savard May 30 '14 at 00:53

score 0 · Answer 3 · answered May 29 '14 at 22:48

The not a valid resource error means that your query failed (generally it's the result of an invalid MySQL query. In this case I'm betting that it's because $tbl_name is not defined (at least not anywhere in the code you showed). Try echoing the mysql command to make sure it looks OK.

Also, your code is just asking to get hacked. You directly insert _POSTed variables into a MySQL command, which means you WILL be the victim of an SQL injection attack: http://bobby-tables.com/.

Try moving away from the mysql_* commands and try PDO or mysqli and parametrize your queries.

PHP/SQL mysql_num_rows() error

3 Answers3