tags:

views:

60

answers:

4
Q: 

Php Numrows problem

Hello!

I use query string to access my pages. I try to make if anyone type unknown query string manually, then redirect to somewhere..

For example:

Url: test.php?m=1 (this is a valid url) test.php?m=1324234 (this is not a valid url ) test.php?m=1asdaa (this is not a valid url )

include("config/database.inc");
$qm=$_GET['m'];
 $query = "select acc from test where acc=$qm"; 
 $numresults=mysql_query($query);
 $numrows=mysql_num_rows($numresults);
  if ($numrows == 0){
       header("Location: index.php"); 
       exit;
     }

In the database i have two line, LINE 1: acc=1; LINE 2: acc=2;

If i type to the url: test.php?m=12312431, then redirect to index.php 'coz $numrows=0. Thats ok. But if i type: test.php?m=1sdfsfsf, then i got this error msg.: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in..

How can i do that? Need to check the $_GET['m'] before query from database?

Thank you.

+1  A: 

Do this:

$qm=intval($_GET['m']);
jerjer  2009-10-22 09:40:32
+2  A: 

You should never be placing the value of a GET variable directly into an SQL query without properly filtering and escaping it. Your problem is that you're allowing things which aren't numbers to be put into your SQL query. In this particular case, your test is harmless and just errors, but a malicious user could also do things much more harmful via SQL injection.

Instead, what you really want to do is convert the variable's value to a type that you know is okay (in this case, an integer) and then query the database using that. Try this instead:

include("config/database.inc");
$qm=intval($_GET['m']);
 $query = "select acc from test where acc=$qm"; 
 $numresults=mysql_query($query);
 $numrows=mysql_num_rows($numresults);
  if ($numrows == 0){
          header("Location: index.php"); 
          exit;
     }

Notice the call to intval() which forces the result to be an integer value, instead of potentially harmful strings.

Amber  2009-10-22 09:41:52
A "potentially harmful string" is in this context of course SQL injection. http://en.wikipedia.org/wiki/Sql_injection
Paul Lammertsma  2009-10-22 09:45:54
thank you! (i will read about sql_injection! thank you for the link)
Holian  2009-10-22 12:08:43
Btw. May i check if query string is integer or not? $qm=intval($_GET['m']); This will always convert, but if somone type valid url, then not necessary..
Holian  2009-10-22 12:19:43
i try with is_numeric(). Its a good way?
Holian  2009-10-22 12:27:24
I'd just use intval() anyways. If it's a valid URL, then it will still work, and it's essentially just as fast as calling is_numeric().
Amber  2009-10-22 16:14:59
A: 

if m is invalid, mysql_query will return $query = false.

If you provide "false" to mysql_num_rows, it does not know what query you sent, and correctly get an invalid numrows result, e.g. a failure.

Check that m is integer with intval($m);

Martin Hohenberg  2009-10-22 09:43:54
A: 

As well as validating the input or forcing a typecast as others have suggested to make sure the input makes sense, try to get into the habit of enclosing user-submitted values passed to a query in quotes, e.g.

$query = "select acc from test where acc='$qm'";

Although here you're technically comparing an integer to a string, MySQL allows this (and will still use integer keys where available), and it provides one last line of defence if you forget to filter the input.

Chris Newman  2009-10-22 09:49:56

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases