RON_ron Posted December 1, 2010

This code gives an error. Please help fix.

$mydb = mysql_connect("localhost", "my_un", "my_pw");
mysql_select_db("my_db");
$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm));
if (mysql_num_rows($query)) {
    $login = "&err=Not allowed.";
    echo($login);
} else {
    $result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password = '%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
    if (mysql_num_rows($result) == 0) {
        $login = "&err=Retry!!";
        echo($login);
    } else {
        $row = mysql_fetch_array($result);
        $userNm = $row['username'];
        $passWd = $row['password'];
        $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful.";
        echo($login);
    }
}
trq Posted December 1, 2010

> This code gives an error.

Cool. What is it?
trq Posted December 1, 2010

Actually, don't bother. Here....

$result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password = '%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
if (mysql_num_rows($result) == 0) {

$result is a string. You never actually execute the query.
RON_ron Posted December 1, 2010 (Author)

Thanks Thorpe! Oops! I forgot to show the error... Here goes.

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/.../test.php on line 12 &err=Retry.

if (mysql_num_rows($result) == 0) {

After I included "mysql_real_escape_string", it doesn't allow me to login (even with legitimate usernames and passwords). Have I done something wrong, or what might be the issue here?
trq Posted December 1, 2010

Read my last reply.
RON_ron Posted December 1, 2010 (Author)

Oh! Ok. I'm not entirely sure if I understood. You mean the "mysql_real_escape_string" shouldn't be applied here?

$result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password = '%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
if (mysql_num_rows($result) == 0) {

$result = sprintf("SELECT * FROM idb1 WHERE username = '$userNm' AND password = '$passWd'");
if (mysql_num_rows($result) == 0) {
sniperscope Posted December 1, 2010

Why don't you get a variable out of the MySQL query and then put that variable into the query?

$variable = mysql_real_escape_string($userNm);
$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", $variable);
RON_ron Posted December 1, 2010 (Author)

Thanks sniperscope. Is that effective? This is my first attempt at using "mysql_real_escape_string", so I'm not sure what's perfect.
sniperscope Posted December 1, 2010

Okay, so far what I saw is that you are directly using a variable without assigning it.

$variable = mysql_real_escape_string($_POST['YOUR_FORM_USER_NAME_TEXT']);

You are assigning the value of the user name which comes from your POST into a variable. So, when your code keeps running on the next line you will have the user-entered plain text, stripped of any dangerous code inside. Then put this plain text into your SQL query.

$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", $variable);

But I cannot see your whole page code, and this is all I can do. Let us know if you have any further problem.
trq Posted December 1, 2010

You need to execute the query ($query) via mysql_query.
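The fix trq describes, written out as an added example (not code from the thread): the escaped SQL string is actually executed before mysqli_num_rows() is called, and a false return from the query is handled instead of being passed on. It uses the mysqli procedural API, which is what the legacy mysql_* calls in the thread map to on current PHP; it assumes a table idb1(username, password, authority) where password holds a password_hash() digest, and reads the credentials from $_POST.

```php
<?php
// Added example, not the thread's code. Assumes a MySQL server at localhost
// with credentials my_un/my_pw, database my_db, and table idb1(username, password, authority).
mysqli_report(MYSQLI_REPORT_OFF); // keep "return false on error" semantics on PHP 8.1+

function login(mysqli $db, string $userNm, string $passWd): string
{
    // Escape on the same connection the query will run on.
    $u = mysqli_real_escape_string($db, $userNm);

    // 1. Banned check: build the SQL string, then actually execute it.
    $sql = sprintf("SELECT 1 FROM idb1 WHERE username = '%s' AND authority = 'Banned'", $u);
    $res = mysqli_query($db, $sql);
    if ($res === false) {
        // A failed query yields false, which is exactly what produced the
        // "not a valid MySQL result resource" warning in the thread.
        return '&err=Database error.';
    }
    if (mysqli_num_rows($res) > 0) {
        return '&err=Not allowed.';
    }

    // 2. Credential check: look the user up by name only and verify the
    //    password in PHP, so no plaintext password is compared inside SQL.
    $sql = sprintf("SELECT username, password FROM idb1 WHERE username = '%s'", $u);
    $res = mysqli_query($db, $sql);
    if ($res === false || mysqli_num_rows($res) === 0) {
        return '&err=Retry!!';
    }
    $row = mysqli_fetch_assoc($res);
    if (!password_verify($passWd, $row['password'])) {
        return '&err=Retry!!';
    }
    // Unlike the original, do not echo the password back to the client.
    return 'userNm=' . urlencode($row['username']) . '&err=Successful.';
}

$db = mysqli_connect('localhost', 'my_un', 'my_pw', 'my_db');
if ($db === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
echo login($db, $_POST['userNm'] ?? '', $_POST['passWd'] ?? '');
```

With a prepared statement (mysqli_prepare / bind_param) the manual escaping step disappears entirely, since the parameters never become part of the SQL text.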
RON_ron Posted December 1, 2010 (Author)

Works a charm! Thanks thorpe!!