dongyi8383 2013-02-10 00:33

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource - can't find a fix

I had this issue fixed, but as I was trying to fix SQL vulnerabilities I created an error and started back from scratch. I'm stuck again at this issue and have absolutely no clue what to do. Please help.

<? 
ob_start();
include 'easygpt_config.php';
ob_end_clean();
if(isset($_POST['login'])){
$username= trim($_POST['username']);
$password = trim($_POST['password']);
if($username == NULL OR $password == NULL){
$final_report.="Please complete both fields";
$check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
}else{
if(mysql_num_rows($check_user_data) == 0){ 
$final_report.="This username does not exist";
}else{
$get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
if($get_user_data['password'] == $password){
$start_idsess = $_SESSION['username'] = "".$get_user_data['username']."";
$start_passsess = $_SESSION['password'] = "".$get_user_data['password']."";
$final_report.="<meta http-equiv='Refresh' content='0; URL=http://www.google.com'>";
}}}}

if(isset($_SESSION['username']) && isset($_SESSION['password'])){ 
    }

?> 

The line that is being listed as causing the error is line 12, which consists of:

if(mysql_num_rows($check_user_data) == 0){

1 answer

  • douhuo0884 2013-02-10 00:44

    With just some standard indentation it becomes very clear what's going on, as Explosion Pills already pointed out:

    <?
    ob_start();
    include 'easygpt_config.php';
    ob_end_clean();
    if (isset($_POST['login'])) {
        $username = trim($_POST['username']);
        $password = trim($_POST['password']);
        if ($username == NULL OR $password == NULL) {
            $final_report .= "Please complete both fields";
            // The query is executed only on this branch, when a field is empty
            $check_user_data = mysql_query("SELECT * FROM `members` WHERE `username` = '$username'") or die(mysql_error());
        } else {
            // $check_user_data was never set on this branch
            if (mysql_num_rows($check_user_data) == 0) {
                $final_report .= "This username does not exist";
            } else {
                $get_user_data = mysql_fetch_array($check_user_data) or die("A MySQL error has occurred.<br />Your Query: " . $your_query . "<br /> Error: (" . mysql_errno() . ") " . mysql_error());
                if ($get_user_data['password'] == $password) {
                    $start_idsess   = $_SESSION['username'] = "" . $get_user_data['username'] . "";
                    $start_passsess = $_SESSION['password'] = "" . $get_user_data['password'] . "";
                    $final_report .= "<meta http-equiv='Refresh' content='0; URL=http://www.google.com'>";
                }
            }
        }
    }
    if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    }
    ?>  
    

    You're executing the query (and thus setting $check_user_data) in the if block, and testing it in the else block.

    Want to avoid this kind of mess in the future? Indent your code manually or get one of the bazillion code editors that can handle that chore for you. Or use one of the many online prettyprinting services (like [beta.phpformatter.com](http://beta.phpformatter.com/)).

    And last but not least, stop using the deprecated mysql_ functions. Deprecated, among other things, means you should not use them in new code.

    I'd also suggest forgetting about the more modern mysqli_ successor and skipping right away to PDO - it's a modern, well designed API, usable with several database engines, and last but not least, it makes working with prepared statements a breeze, and prepared statements are probably the least expensive yet most effective defense against SQL injection.

    This answer was selected by the asker as the best answer.
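
The answer's two points (run the query on the branch that uses its result, and use PDO prepared statements), shown as an added example that is not part of the original thread. It assumes an in-memory SQLite database standing in for MySQL and passwords stored with password_hash(); open_db(), check_login() and the "Wrong password" message are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumptions: in-memory SQLite stands in
// for the MySQL server, and passwords are stored with password_hash().
declare(strict_types=1);

function open_db(): PDO
{
    // For MySQL the DSN would look like 'mysql:host=...;dbname=...' plus credentials.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    // Constructed sample row.
    $ins = $pdo->prepare('INSERT INTO members (username, password) VALUES (:u, :p)');
    $ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $pdo;
}

function check_login(PDO $pdo, string $username, string $password): string
{
    $username = trim($username);
    if ($username === '' || $password === '') {
        return 'Please complete both fields';   // no query is needed on this branch
    }
    // The query runs on the branch that tests its result.
    // The username is bound as a parameter, never interpolated into the SQL text.
    $stmt = $pdo->prepare('SELECT username, password FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'This username does not exist';
    }
    if (!password_verify($password, $row['password'])) {
        return 'Wrong password';
    }
    return 'OK';
}

$pdo = open_db();
$attempts = [                       // constructed inputs
    ['', ''],
    ['alice', 'correct horse'],
    ['alice', 'guess'],
    ['bob', 'x'],
    ["' OR '1'='1", 'x'],           // looked up as a literal username, matches no row
];
foreach ($attempts as [$u, $p]) {
    printf("%-16s => %s\n", var_export($u, true), check_login($pdo, $u, $p));
}
```

Because the bound value never becomes part of the SQL text, the quote-laden username is simply looked up as a name that matches no row.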
