0

I am trying to link my website to my database for the results but it shows these errors:

Warning: mysql_select_db() expects parameter 1 to be string, resource given in C:\wamp\www\SearchEngine\connect.php on line 9

and

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\SearchEngine\search.php on line 44

This is the code for those 2 files:

connect.php:

<?php

$con = mysql_connect("localhost", "root", "");
if (!$con)
{
    echo "Cannot connect to database";
    die();
}
mysql_select_db($con,"SearchEngine");

?>

search.php:

<?php
//php code goes here
include 'connect.php'; // for database connection
$query = $_GET['q'] // query
?>
<html>
    <head>
        <title>
            Brandon's Search Engine
        </title>
        <style type="text/css">
            #search-result {
                font-size: 22;
                margin: 5px;
                padding: 2px;
            }
            #search-result:hover {
                border-color: red;
            }
        </style>
    </head>
    <body>
        <form method="GET" action="search.php">
            <table>
                <tr>
                    <td>
                        <h2>
                            Brandon's Search Engine
                        </h2>
                    </td>
                </tr>
                <tr>
                    <td>
                        <input type="text" value="<?php echo $_GET['q']; ?>" name="q" size="80" name="q"/>
                        <input type="submit" value="Search" />
                    </td>
                </tr>
                <tr>
                    <td>
                        <?php
                        //SQL query
                        $stmt = "SELECT * FROM web WHERE title LIKE '%$query%' OR link LIKE '%$query%'";
                        $result = mysql_query($stmt);
                        $number_of_result = mysql_num_rows($result);
                        if($number_of_result < 1)
                            echo "Your search did not match any documents. Please try different keywords.";
                        else
                        {
                                //results found here and display them
                                while($row = mysql_fetch_assoc($result))
                                {
                                    $title = $row["title"];
                                    $link = $row["link"];
                                    echo "<div id='search-result'>";
                                    echo "<div id='title'>" . $title . "</div>";
                                    echo "<br />";
                                    echo "<div id='link'>" . $link . "</div>";
                                    echo "</div>";
                                }
                        }
                        ?>
                    </td>
                </tr>
            </table>
        </form>
    </body>
</html>

If possible, please explain to me.

Carrie Kendall
  • 4
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. Since you echo data from the query string directly into the page you are also vulnerable to [XSS attacks](http://en.wikipedia.org/wiki/Cross-site_scripting). – Quentin Nov 25 '13 at 14:08

5 Answers

2

You have the parameters the wrong way around, it should be

mysql_select_db("SearchEngine",$con);

Your script is also insecure, you should do the following:

  • Use mysqli_* methods instead of mysql_* if available, e.g:

$con = mysqli_connect("localhost", "root", "");
mysqli_select_db($con,"SearchEngine");

etc.

  • Escape the query parameter before using it in any Query to prevent SQL Injection, e.g:

Replace

$stmt = "SELECT * FROM web WHERE title LIKE '%$query%' OR link LIKE '%$query%'";

with

$stmt = "SELECT * FROM web WHERE title LIKE '%" . mysqli_real_escape_string($con, $query) . "%' OR link LIKE '%" . mysqli_real_escape_string($con, $query) . "%'";

  • Escape user generated content in HTML to prevent Cross Site Scripting (XSS), e.g:

Replace

<input type="text" value="<?php echo $_GET['q']; ?>" name="q" size="80" name="q"/>

with

<input type="text" value="<?php echo htmlspecialchars($_GET['q']); ?>" name="q" size="80" name="q"/>

Chris Wheeler
  • Where do I need to insert the second and third code you gave me? And what's the meaning for those two codes? – JasonCDenson Nov 25 '13 at 14:25
  • I've updated my answer to show what needs to be replaced - hope this helps. – Chris Wheeler Nov 25 '13 at 14:30
  • There is an error when I replace the second code: Parse error: syntax error, unexpected '' OR link LIKE '' (T_CONSTANT_ENCAPSED_STRING) in C:\wamp\www\SearchEngine\search.php on line 42 – JasonCDenson Nov 25 '13 at 14:33
  • Sorry, my fault.. fixed! – Chris Wheeler Nov 25 '13 at 14:37
  • I got even more errors: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 42 Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\SearchEngine\search.php on line 44 – JasonCDenson Nov 25 '13 at 14:43
  • Please see edits. You also need to be using mysql*i*_ functions everywhere in your script - you can't mix and match mysql_ and mysqli_. If you need to look up the order of parameters for any functions you can use the php manual - php.net/manual/en/book.mysqli.php – Chris Wheeler Nov 25 '13 at 14:51
  • Do I just have to key in an "i" behind every "mysql"? – JasonCDenson Nov 25 '13 at 14:55
  • Essentially, yes - and check the parameter order. mysqli_ functions seem to take the connection object first, whereas mysql_ functions take it as the last parameter. You might also want to look into using the Object Oriented version of mysqli, and then using prepared statements. – Chris Wheeler Nov 25 '13 at 14:59
  • I received these errors after putting an "i" behind every "mysql" for those two files: `Warning: mysqli_select_db() expects parameter 1 to be mysqli, string given in C:\wamp\www\SearchEngine\connect.php on line 9` `Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 42` `Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 42` `Warning: mysqli_query() expects at least 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 43` – JasonCDenson Nov 25 '13 at 15:04
  • `Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in C:\wamp\www\SearchEngine\search.php on line 44` – JasonCDenson Nov 25 '13 at 15:04
  • use: `mysqli_select_db($con,"SearchEngine")` `mysqli_real_escape_string($con,$query)` `mysqli_query($con,$stmt)` the mysql_num_rows() error should go away once the other items are fixed, but really you should be checking for and handling errors – Chris Wheeler Nov 25 '13 at 15:10
  • `Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 42` – JasonCDenson Nov 25 '13 at 15:22
  • `Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\wamp\www\SearchEngine\search.php on line 42` – JasonCDenson Nov 25 '13 at 15:23
  • I can't word that error much more succinctly than PHP has. On line 42 of your code, the mysqli_real_escape_string function is expecting to receive two parameters, however you have only provided it with one. As per earlier comments and my (edited) answer - any reference to mysqli_real_escape_string() should look like `mysqli_real_escape_string($con,$query)` – Chris Wheeler Nov 25 '13 at 15:32
  • Sorry, I am really a newbie in this. There is one more error: `Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\SearchEngine\search.php on line 44` – JasonCDenson Nov 25 '13 at 15:37
  • You need to use mysqli_num_rows instead of mysql_num_rows – Chris Wheeler Nov 25 '13 at 15:46
  • Really sorry, I still have an error: `Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\wamp\www\SearchEngine\search.php on line 44`. But thanks for your guidance and I learnt a lot. – JasonCDenson Nov 25 '13 at 15:51
  • Ok, in that case $result is probably "false" as there may have been an error with the query. Replace `$result = mysqli_query($con,$stmt);` with `$result = mysql_query($con,$stmt) or die(mysqli_error($con));` this is a very crude way to debug the sql query – Chris Wheeler Nov 25 '13 at 15:58
  • Error still occurs: `Warning: mysql_query() expects parameter 1 to be string, object given in C:\wamp\www\SearchEngine\search.php on line 43` – JasonCDenson Nov 25 '13 at 16:03
  • Yes, I have solved it: `$result = mysqli_query($con,$stmt) or die(mysqli_error($con));`. Insert an "i" for the first "mysql". – JasonCDenson Nov 25 '13 at 16:05
  • Sorry, I'm confusing myself now.. it should be `$result = mysqli_query($con,$stmt) or die(mysqli_error($con));` (Note: mysqli_query not mysql_query as per my earlier comment) – Chris Wheeler Nov 25 '13 at 16:06
  • But after changing that, I received another error: `Table 'searchengine.web' doesn't exist` – JasonCDenson Nov 25 '13 at 16:06
  • It sounds like you don't have a table called 'web' in your database :) – Chris Wheeler Nov 25 '13 at 16:08
  • I have a table called 'searchengine'. And I thought it should be linking to this table? – JasonCDenson Nov 25 '13 at 16:10
  • you have a database called 'searchengine' - If your table is also called 'searchengine' you need to change the part of your query which says `SELECT * FROM web WHERE` to `SELECT * FROM searchengine WHERE`. If you need help with creating tables or understanding databases, tables and how mysql works you should be able to find plenty of documentation online, or if you are still having problems post a new question with specifics. – Chris Wheeler Nov 25 '13 at 16:17
  • Thanks a lot. You have helped me a lot. You are really a friendly expert. Thank you. – JasonCDenson Nov 25 '13 at 16:21
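
The prepared-statement approach suggested in the comments above, written out as an added example (not code from the original answer or the asker's files): it binds the search term instead of escaping it, treats `%` and `_` typed by the user as literals, and HTML-escapes everything it echoes. The helper names `h()` and `like_contains()` and the `|` escape character are choices made for this example; the connection values and the `web` table are the ones from the question, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the asker's file. Assumes table `web` (title, link)
// from the question and the mysqlnd driver (needed for get_result()).
// Throw exceptions on failure so a boolean false never reaches the fetch code.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Escape a value for HTML text or a quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build a "contains" LIKE pattern in which '%' and '_' typed by the user
// are literals; '|' is the ESCAPE character named in the query below.
function like_contains(string $term): string
{
    return '%' . strtr($term, ['|' => '||', '%' => '|%', '_' => '|_']) . '%';
}

// $_GET['q'] can be absent or an array (?q[]=x); accept only a string.
$query = (isset($_GET['q']) && is_string($_GET['q'])) ? $_GET['q'] : '';
$rows = [];

if ($query !== '') {
    try {
        $db = new mysqli('localhost', 'root', '', 'SearchEngine');
        $db->set_charset('utf8mb4');
        // The search term is bound as data, never concatenated into the SQL.
        $stmt = $db->prepare(
            "SELECT title, link FROM web
             WHERE title LIKE ? ESCAPE '|' OR link LIKE ? ESCAPE '|'"
        );
        $pattern = like_contains($query);
        $stmt->bind_param('ss', $pattern, $pattern);
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    } catch (mysqli_sql_exception $e) {
        error_log('search failed: ' . $e->getMessage()); // details stay server-side
        http_response_code(500);
        exit('Search is temporarily unavailable.');
    }
}
?>
<form method="GET" action="search.php">
    <input type="text" name="q" size="80" value="<?= h($query) ?>" />
    <input type="submit" value="Search" />
</form>
<?php foreach ($rows as $row): ?>
    <div class="search-result"><?= h($row['title']) ?><br /><?= h($row['link']) ?></div>
<?php endforeach; ?>
```

Because the database errors are logged rather than printed, a missing table such as the one hit later in this thread shows up in the PHP error log instead of in the visitor's browser.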
2

Syntax for mysql database selection,

bool mysql_select_db ( string $database_name [, resource $link_identifier = NULL ] )

Try using:

mysql_select_db("SearchEngine",$con);

instead of

mysql_select_db($con,"SearchEngine");

Ref: http://us2.php.net/mysql_select_db

Note: Try to use mysqli_* functions or PDO instead of mysql_* functions (deprecated)

Krish R
1

That error tells you the first parameter should be a string. If you check the docs, you'll see the database name comes first, then the connection resource.

So do this:

mysql_select_db("SearchEngine",$con);

Also: don't use mysql* functions at all! Switch to mysqli or even better PDO for your database interaction.

jszobody
1

I can see your error and it's supposed to be like this

mysql_select_db("SearchEngine",$con);
Zoe
0

First Parameter must be database name

mysql_select_db("SearchEngine",$con);


Zoe
user7789076