mysql_num_rows warning !

[Nuv]

I am getting the following warning with the code below.Can someone please point me why the warning ?

 

Warning

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/r.php on line 500

 

Code

 

  $sql = "SELECT * FROM funeral WHERE name='".$name."' AND phone='".$phone."'";
          $result = mysql_query($sql);
          if((mysql_num_rows($result)) == 0)
          {
            $insertsql = "INSERT INTO funeral (name, street, city, shrtstate, state, pincode, phone) VALUES ('".$name."', '".$street."', '".$city."', '".$shrtstate."', '".$state."', '".$pincode."', '".$phone."')";
            $insert = mysql_query($insertsql);
             
          } 

[PFMaBiSmAd]

If you search for that error message, you will find that it generally means that your query failed due to an error of some kind and you need to (always) have some error checking and error reporting logic in your code to get it to tell you why the query failed.

 

For troubleshooting purposes, you can echo mysql_error() on the next line after the line with your mysql_query() statement to find out why the query is failing.

[Nuv]

Ah after doing that i realized that it won't its throwing errors where there is ' in between names, like HODGE'S FUNERAL CHAPEL.

 

So the solution for it is to use " and i will have to escape it right ?

[Pikachu2000]

All all data should be validated and sanitized. String type data should be escaped using mysql_real_escape_string before it is allowed into a query string.

[Nuv]

Oh yeah. I do that always except when i am the only one to use that script.

[Pikachu2000]

As you now see, it doesn't really matter who uses the script. Quotes not only allow SQL injection, they can break query strings.

[Nuv]

Yeah

 

Will always remember that. Thankyou