ansaurus

Question

Answer 1

+1 A:

If you're going to fetch all records anyway count the records on the client-side (as seen from the MySQL's perspective, i.e. your php script).
If you're using an unbuffered query fetch all records first then call the function/methods that counts the result records (e.g. mysql_num_rows() ). If you're using a buffered query the order of function/method calls doesn't matter.

p.s.: You only get the value of "the last record" because using an aggregate function like Count() without a GROUP BY clause makes all records one group. see http://dev.mysql.com/doc/refman/5.1/en/group-by-functions.html
MySQL allows you to select columns that are not part of the GROUP BY clause, but http://dev.mysql.com/doc/refman/5.1/en/group-by-hidden-columns.html says:

When using this feature, all rows in each group should have the same values for the columns that are ommitted from the GROUP BY part. The server is free to return any value from the group, so the results are indeterminate unless all values are the same.

VolkerK 2010-03-31 19:33:46

That was a really great, informative response, if I could vote up multiple times I would. Just one question, you mentioned buffered and unbuffered query, what is the difference?

Scarface 2010-03-31 20:56:53

A buffered query transfers all result records from the MySQL server to the php process before the function/method returns (e.g. mysql\_query()) while the data for an unbuffered query (e.g. mysql\_unbuffered\_query) is only transferred when you actually fetch a record, see http://dev.mysql.com/doc/refman/5.0/en/mysql-use-result.html

VolkerK 2010-03-31 21:11:17

Thanks a lot for your time. Really appreciate it.

Scarface 2010-03-31 21:25:15

Answer 2

+1 A:

Why do you need count for each row? You only need to fetch it once, you can use mysql_num_rows for that:

$res = mysql_query("SELECT * FROM new_messages WHERE username='$session->username");
$count = mysql_num_rows($res);

Or you can fetch the count directly:

list($count) = mysql_fetch_row(mysql_query("SELECT COUNT(*) FROM new_messages WHERE username='$session->username"));

Rob 2010-03-31 19:41:46

appreciate the response

Scarface 2010-03-31 20:50:06

Answer 3

+1 A:

Well, first of all, you shouldn't be using mysql_fetch_assoc() because the mysql_ functions are obsolete.

At the least, you should switch to using the MySQL Improved Extension (mysqli) functions or alternatively the more general PDO functions.

If you use mysqli, you can use mysqli_result->num_rows() to count the number of rows in your result, there's a code example on that page showing how to use it.

PDO has no function for counting rows in a result set, but you can use fetchAll() and then just check the size of the array you fetched into.

And just for completeness, if you stick with the mysql_ functions (which you shouldn't, because you're risking security problems), you could use mysql_num_rows().

Chad Birch 2010-03-31 19:42:23

that was a really interesting response. I always appreciate responses that go above and beyond and teach me more then I bargained for. \ I have never heard of the pdo or mysqli extensions. Why are they better and which one is better pdo, or mysqli? You mentioned security, but can I not just use mysql_real_escape_string? Do they increase performance, or are just easier to use?

Scarface 2010-03-31 20:49:08

I don't know that one or the other is particularly "better", PDO is built to work with multiple databases though, while mysqli applies only to mysql. This can mean that learning PDO could be more useful, because you would be able to use the same PDO functions if you ever work on a different database backend, such as postgresql or sqlite. The main advantage of using these instead of the basic mysql functions is that they support Parameterized Statements which make SQL injection impossible: http://en.wikipedia.org/wiki/Sql_injection#Parameterized_statements

Chad Birch 2010-03-31 21:16:39

If you stick to using `mysql_real_escape_string` you *should* be safe, but if someone ever finds a vulnerability in that function, all your code will suddenly be exploitable. This is the reason that `mysql_real_escape_string` even exists in the first place, because a hole was discovered in `mysql_escape_string`. This is a non-issue with parameterized statements.

Chad Birch 2010-03-31 21:18:37

does PDO work with ORACLE. I was just curious, because if mysql ever becomes obsolete in a sense that my data build up becomes too large, I would obviously have to switch databases. Thanks a lot for your responses, really appreciate it.

Scarface 2010-03-31 21:24:37

also you said paramaterized, couldn't someone just use a malicious parameter. Because those parameters would still be userinput right? Or is the input checked in the parameter equation?

Scarface 2010-03-31 21:27:59

Yes, it supports Oracle, the list of drivers currently available is here: http://php.net/manual/en/pdo.drivers.php As for parameters, no, the purpose of parameters is to make it impossible for the value to "break out" into the query. They take care of any necessary escaping/etc for you.

Chad Birch 2010-03-31 21:47:47

thanks again chad

Scarface 2010-03-31 23:33:26

ansaurus

tags:

views:

answers:

MySql: Select all entries with count...

related questions