tags:

views:

45

answers:

6
Q: 

PHP MySQL? Problem

I am using a simple PHP script for the activation part of one of my applications. The applications posts one variable to the page (http://validate.zbrowntechnology.info/WebLock.php?method=validate). The variable is the serial number, posted as 'Serial'. Each time I post to this page, it returns Invalid. Here is the code:

<?php

$serial = $_POST['Serial'];
$method = $_GET['method'];

$con = mysql_connect("HOSTHERE", "USERHERE", "PASSHERE");
if(!$con) {
  die('Unable to connect to MySQL:  ' . mysql_error());
}


if($method == "validate") {

  mysql_select_db("zach_WebLock", $con);

  $query = "SELECT Key, Status FROM Validation WHERE Key='".mysql_real_escape_string($serial)."'";
  $result = mysql_query($query);
  if(mysql_num_rows($result) > 0) {
    echo "Valid";
  } else {
    echo "Invalid";
  }
} else {
  echo "Unkown Method";
}
?>

Here Is The Error From PHP

PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, boolean given
A: 

Try Like This
$query = "SELECT Key, Status FROM Validation WHERE Key='".$serial."'";

vinothkumar  2010-10-19 04:50:47
This doesn't make any difference. If you use double quotes variables in strings are substituted with their value.
captaintokyo  2010-10-19 04:52:51
Thanks, now it returns something. But, no matter what key I POST, it returns invalid. The temp key is _2772_.
Zachary Brown  2010-10-19 04:55:08
A: 

What happens if at the last line you add this?

else echo 'Unknown method';

What may be happening is that $_POST and $_GET are not getting populated, this is a setting in php.ini, if I remember correctly (search for "superglobals" in the php docs).

edit: also, you have a very bad security risk there, google "sql injection". Basically the problem is that you could get any SQL directly into your database, and if the php user has enough permissions it could mean that anyone can, for example, delete all the data from your Validation table. You should at least do something like this:

$query = "SELECT Key, Status FROM Validation WHERE Key='".addslashes($serial)."'";
cambraca  2010-10-19 04:54:37
It still return _Invalid_.
Zachary Brown  2010-10-19 04:57:47
Use mysql_real_escape_string() instead of addslashes()
mellowsoon  2010-10-19 04:58:26
@mellowsoon, thanks! I totally forgot about SQL Injection.
Zachary Brown  2010-10-19 05:00:25
+1  A: 

You're missing a closing parenthesis on this line:

if(mysql_num_rows($result) > 0 {

Is that missing in your code or just your question?

You may also want to add

if (!$result) {
    print mysql_error();
}

after your query

bemace  2010-10-19 04:55:24
Sorry, corrected it.
Zachary Brown  2010-10-19 04:55:42
Yes, well spotted!
captaintokyo  2010-10-19 04:56:34
@Zach, does this mean it works now?
captaintokyo  2010-10-19 04:56:58
No, now it just returns _Invalid_, no matter what I POST.
Zachary Brown  2010-10-19 04:59:01
Does it make a difference if you pass `$con` to mysql_query?
bemace  2010-10-19 05:01:06
@bemace, it still returns _Invalid_.
Zachary Brown  2010-10-19 05:03:39
Did you try adding the `if (!$result)` check too?
bemace  2010-10-19 05:06:53
@bemace, yes.. it still returned _Invalid_. I looked through the server logs and found the error from PHP. I appended it to my original post.
Zachary Brown  2010-10-19 05:09:03
A: 

It could be a typo but you are missing a closing parenthesis here:

if(mysql_num_rows($result) > 0 {
                              ^

And you might have turned off you error reporting, in which case you get a blank page.

codaddict  2010-10-19 04:56:31
A: 

Try echoing $serial:

echo $serial;

And is it what you typed in form?

Winis  2010-10-19 05:18:12
Yes, it returns the correct key.
Zachary Brown  2010-10-19 05:18:59
Ok, but are you sure you chose the right database with a validation table? I know this is a stupid question, but that kind of things happen sometimes.
Winis  2010-10-19 05:27:46
try echoing the mysql_real_escape_string($serial) value instead. Is it still the same?
mwotton  2010-10-19 05:28:32
+3  A: 

Right after the query use mysql_error() to see what happened. And Key is a bad choice for a column name because it's a reserved word in SQL. You can enclose it in `` to tell MySQL it's an identifier. Do some more debugging like this:

...
if (!mysql_select_db("zach_WebLock", $con)) die('mysql_select_db failed');

$query = "SELECT `Key`, Status FROM Validation WHERE `Key`='".mysql_real_escape_string($serial)."'";
print "query=$query<br>\n";
$result = mysql_query($query, $con);
print "error=" . mysql_error($con);
...
gregjor  2010-10-19 05:26:26
+1 for you! That is what the problem was! Thanks!
Zachary Brown  2010-10-19 05:29:04
The Key column name? I hate when that happens. I took over a database recently that has a column named `date` in several tables.
gregjor  2010-10-19 05:32:43
To be fair, some other people below told you to do the same thing 30 minutes ago ;)
mellowsoon  2010-10-19 05:33:05

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL