0

Hi i am too new too php and mysql and i want to count the member number due to the search made by user. However, mysql_num_rows doesnt work. 

mysql_num_rows(mysql_query("SELECT * FROM members WHERE $title LIKE '%$_POST[search]%' LIMIT $start,$member_number"));

It says "mysql_num_rows(): supplied argument is not a valid MySQL result resource in ..."

NOTE: $title is a select menu which user choose where to search. LIMIT is, as you know :), number of member which is shown in a page.

And also $start= ($page-1)*$member_number; in order to set the first entry in that page. I think the problem is here but i cant solve it. :(

MByD
  • 129,681
  • 25
  • 254
  • 263
echophp
  • 33
  • 1
  • 1
  • 6

3 Answers3

4

Your query probably has an error, in which case mysql_query will return false.

For this reason, you should not group commands like this. Do it like this:

$result = mysql_query("...");

if (!$result)
 { echo mysql_error(); die(); } // or some other error handling method
                                // like, a generic error message on a public site

$count = mysql_num_rows($result);

Also, you have a number of SQL injection vulnerabilities in your code. You need to sanitize the incoming $search variable:

$search = mysql_real_escape_string($_POST["search"]);

... mysql_query(".... WHERE $title LIKE '%$search%'");

if $start and $end come from outside, you also need to sanitize those before using them in your LIMIT clause. You can't use mysql_real_escape_string() here, because they are numeric values. Use intval() to make sure they contain only numbers.

Using a dynamic column name is also difficult from a sanitation point of view: You won't be able to apply mysql_real_escape_string() here, either. You should ideally compare against a list of allowed column names to prevent injection.

Community
  • 1
  • 1
Pekka
  • 418,526
  • 129
  • 929
  • 1,058
  • 1
    please avoid mysql_real_escape_string() .use mysql prepared statements. – shashuec Apr 03 '11 at 12:36
  • you can miss escaping a variable.But if you follow prepared statements you are assure that it won't happen.Good Design.. – shashuec Apr 03 '11 at 13:08
  • check this: http://stackoverflow.com/questions/732561/why-is-using-a-mysql-prepared-statement-more-secure-than-using-the-common-escape – shashuec Apr 03 '11 at 13:09
  • 2
    @Shashwhat while there are many advantages to PDO or mysqli, there is nothing essentially wrong with the mysql_ family of functions. Also, note that prepared statements will *not* help with a dynamic table name. – Pekka Apr 03 '11 at 13:09
  • I agree with you.dynamic table names can't be use with prepared statements – shashuec Apr 03 '11 at 13:23
2

you have to use GET method in your form, not POST.

mysql_num_rows doesn't make sense here.
If you're using limit, you already know the number*.
If you want to know number, you shouldn't use limit nor request rows but select number itself.

// get your $title safe
$fields = array("name","lastname");
$key = array_search($_GET['title'],$fields));
$title = $fields[$key];

//escape your $search
$search = mysql_real_escape_string($_GET['search']);

$sql = "SELECT count(*) FROM members WHERE $title LIKE '%$search%'";
$res = mysql_query($query) or trigger_error(mysql_error()." in ".$sql); 
$row = mysql_fetch_row($res);

$members_found = $row[0]

in case you need just 5 records to show on the page, no need for mysql_num_rows() again:

// Get LIMIT params
$member_number = 5;
$start = 0;
if (isset($_GET['page'])){
  $start = abs($_GET['page']-1)*$member_number;
}
// get your $title safe
$fields = array("name","lastname");
$key = array_search($_GET['title'],$fields));
$title = $fields[$key];

//escape your $search
$search = mysql_real_escape_string($_GET['search']);

$sql = "SELECT count(*) FROM members 
          WHERE `$title` LIKE '%$search%' 
          LIMIT $start, $member_number";
$res = mysql_query($query) or trigger_error(mysql_error()." in ".$sql);
while($row = mysql_fetch_assoc($res){
  $data[] = $row;
}

Now you have selected rows in $data for the further use.

Your Common Sense
  • 152,517
  • 33
  • 193
  • 313
  • This seems correct (and safe!) to me. Anyone care to explain the downvotes? – Arjan Apr 03 '11 at 14:13
  • they can't downvote comments, but they don't like the truth. so, only answer votes they have :) – Your Common Sense Apr 03 '11 at 14:16
  • no, it's probably because you've become a bit of a target. see: http://meta.stackexchange.com/questions/85797/can-i-dispute-a-downvote – Todd Main Apr 03 '11 at 18:11
  • @Arjan thank you for your support, man. I know I did behave not so smart in this situation, but you was only one who judged fairly and who supported me on meta. I heartily thank you. – Your Common Sense Apr 03 '11 at 21:50
  • And only now I see that you got rid of the horizontal scrollbars! :-) Well, peace, please! – Arjan Apr 04 '11 at 07:38
1

This kind of error generally indicates there is an error in your SQL query -- so it has not been successful, and mysql_query() doesn't return a valid resource ; which, so, cannot be used as a parameter to mysql_num_rows().

You should echo your SQL query, in order to check if it's build OK.

And/or, if mysql_query() returns false, you could use mysql_error() to get the error message : it'll help you debug your query ;-)


Typically, your code would look a bit like this :

$query = "select ...";  // note : don't forget about escaping your data

$result = mysql_query($query);
if (!$result) {
    trigger_error(mysql_error()." in ".$query); 
} else {
    // use the resultset
}
Your Common Sense
  • 152,517
  • 33
  • 193
  • 313
Pascal MARTIN
  • 374,560
  • 73
  • 631
  • 650
  • thank for answering i did what you said and now it says "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE '%%' LIMIT ,' at line 1" – echophp Apr 03 '11 at 12:03
  • Well, it seems you have an error in your SQL query ;-) Looks like your don't have the `$_POST` data you expected ? Same for `$start` and `$member_number`, btw ;; are you sure your form POSTs to this page ? Maybe it's using GET, in which case you'd have to look in `$_GET` instead of `$_POST` ? – Pascal MARTIN Apr 03 '11 at 12:06
  • actually the $mumber_number is 5 and i have a text field which is named search but the error appears when i first open the page in browser so i dont write anything in search box. If i write, nothing changes too. And $start= ($page-1)*$member_number; i use it with $_GET. – echophp Apr 03 '11 at 12:14
  • You shouldn't execute that query when no data has been submitted, then. – Pascal MARTIN Apr 03 '11 at 12:18
  • Comments never being executed. You have to code desired behavior, not comment it. – Your Common Sense Apr 03 '11 at 12:21
  • That's what I do in my own code, obviously *(except I'd use PDO, and exceptions)*... – Pascal MARTIN Apr 03 '11 at 12:25
  • @pascal how shouldnt i execute that when no data has been submitted? – echophp Apr 03 '11 at 12:27