duanhao7786 2014-03-10 23:56
Views: 35
Accepted

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given [duplicate]

I've been writing PHP code for a search engine, and I thought my query was fine, but I've been stuck for hours because it says: Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in ..... on line 129

Code:

if(isset($_POST['hanapin'])){

    $staff = "select e_id,e_fname,e_mi,e_lname,e_fin_cm,department,job
        from employees where ".$_POST['tableya']."
        like ".$_POST['whatever']."% order by e_lname"; //line 129

    $result = mysql_query($staff);  

    while($staff_rows = mysql_fetch_array($result)){

        echo "
        <tr>
        <td>".$staff_rows['e_id']."</td>
        <td>".htmlspecialchars_decode($staff_rows['e_lname'])."</td>
        <td>".htmlspecialchars_decode($staff_rows['e_fname'])."</td>
        <td>".htmlspecialchars_decode($staff_rows['e_mi'])."</td>
        <td>".htmlspecialchars_decode($staff_rows['e_fin_cm'])."</td>
        <td>".htmlspecialchars_decode($staff_rows['department'])."</td>
        <td>".htmlspecialchars_decode($staff_rows['job'])."</td>
        </tr>
    ";
    }

}

Help will be much appreciated.


5 answers

  • doufenyu7610 2014-03-11 00:13

    Firstly, I've edited your post slightly to make the code more readable as the formatting was a bit off.

    Secondly, your SQL query is very prone to SQL injection attacks as you are directly using POST variables in the query without first sanitising them. You should always sanitise variables before using them in queries. If you're expecting an integer, I suggest you do it as follows:

    $var = (isset($_POST['var']) ? (int)$_POST['var'] : null);
    

    And strings as follows:

    $var = (isset($_POST['var']) ? mysql_real_escape_string($_POST['var']) : null);
    

    Thirdly, the mysql_*() functions have been deprecated and will be removed from a future version of PHP. It is currently recommended that you use the mysqli_*() functions or class, or even better the PDO library.

    And lastly, regarding your error, MySQL is returning an error number as your query is not valid. Your statement should read as follows:

    $staff = "SELECT `e_id`, `e_fname`, `e_mi`, `e_lname`,
                     `e_fin_cm`, `department`, `job`
              FROM `employees`
              WHERE {$fieldname} LIKE {$fieldvalue}
              ORDER BY `e_lname` ASC";
    

    This, in conjunction with the following checking on those fields, should work:

    // Column names cannot be escaped into safety; only accept one from a
    // fixed whitelist (strict comparison so no loose type juggling applies).
    $fieldname = (isset($_POST['tableya'])
                     && in_array($_POST['tableya'], array(
                         'e_id', 'e_fname', 'e_mi', 'e_lname',
                         'e_fin_cm', 'department', 'job'
                     ), true) ? mysql_real_escape_string($_POST['tableya']) : null);
    
    // Quote the value and append the trailing "%" wildcard. Note that a "%"
    // or "_" typed by the user still acts as a LIKE wildcard, because
    // mysql_real_escape_string() does not escape LIKE metacharacters.
    $fieldvalue = (isset($_POST['whatever'])
                    ? '\'' . mysql_real_escape_string($_POST['whatever']) . '%\''
                    : null);
    
    if ($fieldname && $fieldvalue) {
        $sql = "SELECT `e_id`, `e_fname`, `e_mi`, `e_lname`,
                       `e_fin_cm`, `department`, `job`
                FROM `employees`
                WHERE {$fieldname} LIKE {$fieldvalue}
                ORDER BY `e_lname` ASC";
        $result = mysql_query($sql);
        if ($result) {
            while ($row = mysql_fetch_assoc($result)) {
                // output data
            }
            mysql_free_result($result);
        } else {
            // Query was invalid. Useful while developing, but do not echo
            // raw database errors to end users in production.
            print('MySQL error: [' . mysql_errno() . '] ' . mysql_error());
        }
    } else {
        print('Invalid field name or value.');
    }
    
    This answer was chosen by the asker as the best answer.
View more answers (4)

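The accepted answer's two points, whitelisting the column name and never concatenating the value, are shown below as one complete search routine on PDO, which the answer recommends over the deprecated mysql_*() functions. This is an added example, not code from the question or the answer. It assumes the pdo_sqlite extension so it runs offline against an in-memory SQLite database; the employees table and column names follow the question, and the four rows are constructed for the demo. With PDO::ERRMODE_EXCEPTION an invalid query throws instead of returning false, which is exactly the failure that produced the "boolean given" warning in the original code, where the unquoted LIKE value made the statement a syntax error. The example also escapes LIKE metacharacters, something neither the question nor the answer handles.

```php
<?php
// Added example (not from the original question or answer): the employee
// search rewritten on PDO with an in-memory SQLite database so it runs offline.
declare(strict_types=1);

// Identifiers cannot be bound as parameters, so a client-supplied column name
// is only safe if it is checked against a fixed whitelist.
const SEARCHABLE_COLUMNS = ['e_id', 'e_fname', 'e_mi', 'e_lname', 'e_fin_cm', 'department', 'job'];

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE employees (e_id INTEGER PRIMARY KEY, e_fname TEXT, e_mi TEXT,
               e_lname TEXT, e_fin_cm TEXT, department TEXT, job TEXT)');
    $ins = $db->prepare('INSERT INTO employees VALUES (?, ?, ?, ?, ?, ?, ?)');
    // Constructed sample rows.
    $ins->execute([1, 'Ana', 'B', 'Santos', '12345', 'IT', 'Developer']);
    $ins->execute([2, 'Jose', 'C', 'Sanchez', '23456', 'HR', 'Recruiter']);
    $ins->execute([3, 'Maria', 'D', 'Reyes', '34567', 'IT', 'Admin']);
    $ins->execute([4, 'Luis', 'E', '100%_Legit', '45678', 'Sales', 'Rep']);
    return $db;
}

// Escape LIKE metacharacters so a user-typed "%" or "_" matches literally,
// then append the trailing wildcard for a prefix search.
function like_prefix(string $value): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $value) . '%';
}

function search_employees(PDO $db, string $column, string $prefix): array
{
    if (!in_array($column, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("Not a searchable column: $column");
    }
    // The column name is interpolated only after passing the whitelist; the
    // value is bound, so the driver handles quoting and it can never close the
    // string literal as it could in the concatenated query.
    $sql = "SELECT e_id, e_fname, e_mi, e_lname, e_fin_cm, department, job
            FROM employees
            WHERE `$column` LIKE :prefix ESCAPE '\\'
            ORDER BY e_lname ASC";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':prefix', like_prefix($prefix), PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll();
}

$db = open_demo_db();

// Normal search: last names beginning with "San" (Sanchez, Santos).
foreach (search_employees($db, 'e_lname', 'San') as $row) {
    echo implode(' | ', $row), PHP_EOL;
}

// A classic injection payload is now just a literal prefix: zero matches.
printf("injection attempt matched %d rows\n",
    count(search_employees($db, 'e_lname', "' OR '1'='1")));

// A literal "%" in the input matches only the row that really contains it.
printf("prefix '100%%' matched %d rows\n",
    count(search_employees($db, 'e_lname', '100%')));

// A column name outside the whitelist is rejected before any SQL is built.
try {
    search_employees($db, 'e_lname; DROP TABLE employees', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

To run it against MySQL instead, change the DSN in open_demo_db() and keep the rest as is: MySQL also accepts the ESCAPE clause and backtick-quoted identifiers, and the whitelist plus bound parameter are what make the original $_POST['tableya'] and $_POST['whatever'] inputs safe regardless of the driver.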