Source: https://forums.phpfreaks.com/topic/220330-help-mysql_real_escape_string/

RON_ron, posted December 1, 2010:

This code gives an error. Please help fix.

$mydb = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");
$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm));
if(mysql_num_rows($query)) {
    $login = "&err=Not allowed.";
    echo($login);
} else {
    $result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
    if(mysql_num_rows($result) == 0) {
        $login = "&err=Retry!!";
        echo($login);
    } else {
        $row = mysql_fetch_array($result);
        $userNm = $row['username'];
        $passWd = $row['password'];
        $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful.";
        echo($login);
    }
}
trq, posted December 1, 2010:

> This code gives an error.

Cool. What is it?
trq, posted December 1, 2010:

Actually, don't bother. Here....

$result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
if(mysql_num_rows($result) == 0) {

$result is a string. You never actually execute the query.
RON_ron (author), posted December 1, 2010:

Thanks Thorpe! Oops! I forgot to show the error... Here goes.

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/.../test.php on line 12
&err=Retry.

if(mysql_num_rows($result) == 0) {

After I included "mysql_real_escape_string", it doesn't allow me to log in (even with legitimate usernames and passwords). Have I done something wrong, or what might be the issue here?
trq, posted December 1, 2010:

Read my last reply.
RON_ron (author), posted December 1, 2010:

Oh! OK. I'm not entirely sure if I understood. You mean the "mysql_real_escape_string" shouldn't be applied here?

$result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
if(mysql_num_rows($result) == 0) {

$result = sprintf("SELECT * FROM idb1 WHERE username = '$userNm' AND password ='$passWd'");
if(mysql_num_rows($result) == 0) {
sniperscope, posted December 1, 2010:

Why don't you get a variable out of the mysql query and then put that variable into the query?

$variable = mysql_real_escape_string($userNm);
$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", $variable);
RON_ron (author), posted December 1, 2010:

Thanks sniperscope. Is that effective? This is my first attempt at using "mysql_real_escape_string", so I'm not sure what's perfect.
sniperscope, posted December 1, 2010:

Okay, so far what I saw is that you are directly using a variable without assigning it.

$variable = mysql_real_escape_string($_POST['YOUR_FORM_USER_NAME_TEXT']);

You are assigning the value of the user name which comes from your POST into a variable. So, when your code keeps running on the next line you will have the user-entered plain text, stripped of any dangerous code inside. Then put this plain text into your SQL query.

$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", $variable);

But I cannot see your whole page code, and this is the best I can do. Let us know if you have any further problems.
trq, posted December 1, 2010:

You need to execute the query ($query) via mysql_query.
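The following is an added example, not code from the original poster or from any reply in this thread. trq's fix is to pass the SQL string to mysql_query() and call mysql_num_rows() on the returned result resource, not on the string; both the banned check and the credential check in the original code skip that step. The mysql_* extension the thread uses was removed in PHP 7, so this version keeps the same two-step flow (banned check, then credential check) on mysqli prepared statements, which send the user-supplied values separately from the query text instead of splicing an escaped copy into it. Note that mysql_real_escape_string() escapes quote and control characters for a single-quoted SQL string; it does not strip anything. The table and column names (idb1, username, password, authority) come from the thread; the connection values, the loginStatus() function name and the assumption that the password column holds password_hash() output rather than plaintext are mine.

```php
<?php
// Added example (not the thread's code). Same banned-check then
// credential-check flow as the original, but every statement is executed.
// Assumptions: mysqli is available, and idb1.password stores password_hash()
// output; table and column names are taken from the thread.

function loginStatus(mysqli $db, string $userNm, string $passWd): string
{
    // Step 1: is the account banned? The username is bound as a parameter,
    // so no escaping of $userNm is needed or performed here.
    $stmt = $db->prepare(
        "SELECT 1 FROM idb1 WHERE username = ? AND authority = 'Banned'"
    );
    $stmt->bind_param('s', $userNm);
    $stmt->execute();
    $stmt->store_result();            // required before num_rows is meaningful
    $banned = $stmt->num_rows > 0;
    $stmt->close();
    if ($banned) {
        return '&err=Not allowed.';
    }

    // Step 2: fetch the stored hash for this username only. The password is
    // deliberately not part of the WHERE clause; it is verified in PHP.
    $stmt = $db->prepare("SELECT password FROM idb1 WHERE username = ?");
    $stmt->bind_param('s', $userNm);
    $stmt->execute();
    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();          // true if a row was returned, null if none
    $stmt->close();

    if ($found !== true || !password_verify($passWd, $storedHash)) {
        // One message for both "no such user" and "wrong password".
        return '&err=Retry!!';
    }

    // Return only the username; the original echoed the password back too.
    return 'userNm=' . rawurlencode($userNm) . '&err=Successful.';
}

// Usage (host, credentials and database name are placeholders).
$db = new mysqli('localhost', 'my_un', 'my_pw', 'my_db');
if ($db->connect_error) {
    die('Connection failed: ' . $db->connect_error);
}
echo loginStatus($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The store_result() call matters: without it, mysqli_stmt::$num_rows is 0 even when rows matched, which would make every account look un-banned. Rows are still compared with password_verify() after the username lookup so that a failed prepare() or a malformed value cannot turn a missing row into a successful login.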
RON_ron (author), posted December 1, 2010:

Works a charm! Thanks thorpe!!