-2

Possible Duplicate:
mysql_fetch_array() expects parameter 1 to be resource, boolean given in select

<?php
    include 'connect.php';
    include 'header.php';

    $page = "signup.php";
    // receive the invite code:
    $code = $_POST['code'];
    $sql = "SELECT codes FROM invites WHERE codes='$code'";
    // check the table for matching codes
    $result = mysql_query($sql);
    // check if the request returned 1 or 0 rows from the database
    if (mysql_query($result)) {
        // end any previously defined sessions.
        session_start();session_unset();session_destroy();
        // start a new session
        session_start();
        // define the session variable.
        // this allows us to check if it's set later and is required for
        // the script to run properly.
        $code = $_POST["code"];
        mysql_query("DELETE FROM invites WHERE codes='$code'");
        header('Location: '.$page);
        exit;
    } else {
        echo "Invite invalid. Please try again later.";
        echo $code;
    }

    include 'footer.php';
?>

I am trying to implement an invite system for a webpage I am working on. However, when trying to evaluate whether there is a row containing the invite code, I keep getting either nothing or this warning. I get the warning in this case, but if I change the if statement to ==1, it allows everyone regardless of code, and ==0 throws different errors.

Community
Coffee
  • You are not testing your query for errors. See the PHP manual on mysql_query(), or [Reference: What is a perfect code sample using the mysql extension?](http://stackoverflow.com/q/6198104) – Pekka Oct 03 '11 at 22:29
  • Out of curiosity, where did you learn this code from? Because there is such an *awful* lot of mysql_query code shown on SO that doesn't check for errors, even though all the examples in the PHP manual do. I would like to understand why – Pekka Oct 03 '11 at 22:30
  • Also, your code is vulnerable to http://php.net/manual/en/security.database.sql-injection.php – Pekka Oct 03 '11 at 22:30
  • I am still learning PHP and mysql, none of this is online right now, just trying to get the concept of what I want together as well as learning how to query properly while doing what I want with the project. The bad queries come from my own laziness. – Coffee Oct 03 '11 at 22:44
  • fair enough :) Just get the return value from `mysql_query()`, and if it is false, output `mysql_error()` to see what the error is. (C. Ramseyer below points out the main mistake in this case) – Pekka Oct 03 '11 at 22:46
  • The error is mysql_error() expects parameter 1 to be resource, null given in – Coffee Oct 03 '11 at 23:04

3 Answers

3
if (mysql_query($result)) {

Try mysql_num_rows there.

C. Ramseyer
  • I have altered my code accordingly but still no luck getting "mysql_num_rows() expects parameter 1 to be resource, string given" – Coffee Oct 03 '11 at 22:58
1

There are a few things wrong here.

1) SQL injection vulnerabilities: don't ever pass a superglobal $_POST or $_GET or any other user-supplied variable directly inside your query! At minimum, apply mysql_real_escape_string() to the variable before letting it into the query, or better, look into parametrized queries; it's the best way to avoid SQL vulnerabilities.

2)

$result = mysql_query($sql);
// check if the request returned 1 or 0 rows from the database
if (mysql_query($result)) ....

This doesn't check if the request returns 1 or 0 rows; you should use mysql_num_rows() here instead:

if (mysql_num_rows($result) == 1)  // or whatever you need to check

3)

session_start();session_unset();session_destroy();
// start a new session
session_start();

session_start() should be called before anything in your page. Don't know why this redundancy of calling, unsetting, destroying, recalling it here. If you want another id, just use session_regenerate_id();

And as already said by others, use some error reporting in your query, something like

$result = mysql_query($sql) or die(mysql_error());

to actually see what's failed, where and why.

Damien Pirsy
0

The problem is your query. First of all, check your statement and use this:

$result = mysql_query($sql) or die(mysql_error());

instead of this

$result = mysql_query($sql);

So you can see whether there are any errors in your SQL query.

Eray
  • Tried this, and dumb mistake that not being there in the first place. Still no dice or error besides the one posted. – Coffee Oct 03 '11 at 22:33
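
As an added example (not from the question or any of the answers), here is the parametrized-query and row-count advice from the answers above applied to the invite check using PDO. It goes one step further by validating and consuming the code in a single DELETE; the function name redeem_invite and the in-memory SQLite database standing in for the MySQL server are assumptions.

```php
<?php
// Added example, not the asker's code. The table and column names
// (invites.codes) come from the question; redeem_invite() is a hypothetical
// helper, and the in-memory SQLite database stands in for MySQL so the
// script runs offline (assumes the pdo_sqlite extension is loaded).

function redeem_invite(PDO $db, $code)
{
    // Reject non-string input such as code[]=x, which PHP parses into an array.
    if (!is_string($code) || $code === '') {
        return false;
    }
    // The placeholder keeps $code out of the SQL text entirely.
    // Deleting and then counting affected rows validates and consumes the
    // code in one statement, so two concurrent requests cannot both redeem it.
    $stmt = $db->prepare('DELETE FROM invites WHERE codes = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->rowCount() === 1;
}

$db = new PDO('sqlite::memory:');
// Throw an exception on SQL errors instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE invites (codes TEXT PRIMARY KEY)');
// Constructed sample data.
$db->exec("INSERT INTO invites (codes) VALUES ('ABC123'), ('XYZ789')");

// Constructed inputs: a valid code, a replay of it, a string that would
// change the meaning of a concatenated query, and a non-string value.
$attempts = ['ABC123', 'ABC123', "' OR '1'='1", ['array']];
foreach ($attempts as $attempt) {
    $label = is_string($attempt) ? $attempt : gettype($attempt);
    echo str_pad($label, 14), redeem_invite($db, $attempt) ? "accepted\n" : "rejected\n";
}
echo 'codes left: ', $db->query('SELECT COUNT(*) FROM invites')->fetchColumn(), "\n";
```

In signup code, the value passed in would be $_POST['code'], and the redirect to signup.php would happen only when the function returns true.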