dongyi8383 2013-02-10 00:33

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource - can't find a fix

I had this issue fixed, but as I was trying to fix SQL vulnerabilities I created an error and started back from scratch. I'm stuck again at this issue and have absolutely no clue what to do. Please help.

<? 
ob_start();
include 'easygpt_config.php';
ob_end_clean();
if(isset($_POST['login'])){
$username= trim($_POST['username']);
$password = trim($_POST['password']);
if($username == NULL OR $password == NULL){
$final_report.="Please complete both fields";
$check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
}else{
if(mysql_num_rows($check_user_data) == 0){ 
$final_report.="This username does not exist";
}else{
$get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
if($get_user_data['password'] == $password){
$start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
$start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
$final_report.="<meta http-equiv='Refresh' content='0; URL=http://www.google.com>";
}}}}

if(isset($_SESSION['username']) && isset($_SESSION['password'])){ 
    }

?> 

The line that is being listed as causing the error is line 12, which consists of:

if(mysql_num_rows($check_user_data) == 0){

  • douhuo0884 2013-02-10 00:44

    With just some standard indentation it becomes very clear what's going on, as Explosion Pills already pointed out:

    <?
    ob_start();
    include 'easygpt_config.php';
    ob_end_clean();
    if (isset($_POST['login'])) {
        $username = trim($_POST['username']);
        $password = trim($_POST['password']);
        if ($username == NULL OR $password == NULL) {
            $final_report .= "Please complete both fields";
            $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
        } else {
            if (mysql_num_rows($check_user_data) == 0) {
                $final_report .= "This username does not exist";
            } else {
                $get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
                if ($get_user_data['password'] == $password) {
                    $start_idsess   = $_SESSION['username'] = "" . $get_user_data['username'] . "";
                    $start_passsess = $_SESSION['password'] = "" . $get_user_data['password'] . "";
                    $final_report .= "<meta http-equiv='Refresh' content='0; URL=http://www.google.com>";
                }
            }
        }
    }
    if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    }
    ?>  
    

    You're executing the query (and thus setting $check_user_data) in the if block, and testing it in the else block.

    Want to avoid this kind of mess in the future? Indent your code manually or get one of the bazillion code editors that can handle that chore for you. Or use one of the many online prettyprinting services (like [beta.phpformatter.com](http://beta.phpformatter.com/)).

    And last but not least, stop using the deprecated mysql_ functions. Deprecated, among other things, means you should not use them in new code.

    I'd also suggest forgetting about the more modern mysqli_ successor and skipping right away to PDO - it's a modern, well designed API, usable with several database engines and, last but not least, it makes working with prepared statements a breeze, and prepared statements are probably the least expensive yet most effective defense against SQL injection.

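An added example, not part of the original question or answer: the same login lookup written with a PDO prepared statement, with the query executed in the branch that reads its result. It assumes the `members` table from the question, an in-memory SQLite database standing in for MySQL so the script runs offline, a `password` column holding `password_hash()` output instead of the plaintext comparison in the question, and a hypothetical helper named `check_login`.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL server so this runs offline.
// With MySQL only the DSN passed to the PDO constructor changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data. Assumption: the password column stores password_hash() output.
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('shamrock', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the matched username, or null when login fails.
 */
function check_login(PDO $pdo, string $username, string $password): ?string
{
    $username = trim($username);
    if ($username === '' || $password === '') {
        return null;                      // empty field: no query is run at all
    }
    // The statement is prepared, executed and read in the same branch,
    // so the result is never tested before it exists.
    $stmt = $pdo->prepare('SELECT username, password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);  // bound as data, never spliced into the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // this username does not exist
    }
    return password_verify($password, $row['password']) ? $row['username'] : null;
}

// Constructed inputs: valid login, wrong password, a name containing a quote
// (which would break the string-built query in the question), and empty fields.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["o'brien", 'shamrock'],
    ['', ''],
];
foreach ($cases as [$u, $p]) {
    $who = check_login($pdo, $u, $p);
    printf("%-12s => %s\n", '"' . $u . '"', $who === null ? 'rejected' : "logged in as $who");
}
```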
