varun7952 Posted January 3, 2012

```php
function quote_smart($value, $handle)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value, $handle) . "'";
    }
    return $value;
}
```

How does this script work? It is not linked to any variable or any other place, so how does it work without being linked or connected to anything? (Sorry if this question is dumb, but I'm a newbie in PHP.)
SergeiSS Posted January 3, 2012

This is just a function.

1. It checks if "magic quotes" are switched on. If NO, it adds slashes to $value.
2. If $value is not numeric, the function mysql_real_escape_string adds special characters.

BTW, I have just named the functions from this script for you. You can do it yourself if you go to http://www.php.net/manual/en/ and enter the function names.

These actions are needed in order to prevent SQL injection.
varun7952 Posted January 3, 2012 Author

Can anyone tell me where the problem is in this script? I get the error

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\HW\test first login.php on line 44

and when I open the page, the username text box shows the default value ". I can't find where this " comes from. Please help me.

```php
<HTML>
<HEAD>
<TITLE>New Document</TITLE>
</HEAD>
<BODY>
<?php
$uname= "";
$pword= "";
$errormessage="";

//==========================================
// ESCAPE DANGEROUS SQL CHARACTERS
//==========================================
function quote_smart($value, $handle) {
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value, $handle) . "'";
    }
    return $value;
}

if($_SERVER['REQUEST_METHOD']=='POST'){
    $uname =$_POST['user'];
    $pword =$_POST['pass'];
    $uname=htmlspecialchars($uname);
    $pword=htmlspecialchars($pword);

    // connection with database
    $connection=mysql_connect("127.0.0.1","root","");
    $db=mysql_select_db("addressbook",$connection);
    if($db){
        $uname=quote_smart($uname,$connection);
        $upword=quote_smart($pword,$connection);
        $SQL="SELECT * FROM address_data WHERE First_name=$uname AND Last_name=$pword";
        $output=mysql_query($SQL);
        $num_rows=mysql_num_rows($output);
        if($output){
            if($num_rows=1){
                session_start();
                $_SESSION['login']="1";
                echo "logged in as".$uname;
            }
            else {
                ession_start();
                $_SESSION['login']="";
                echo $errormessage="invalid username or password";
            }
        }
        else{
            echo $errormessage="invalid login";
        }
    }
    mysql_close($connection);
}
?>
<FORM NAME ="form1" METHOD ="POST" ACTION ="">
Username: <INPUT TYPE = 'TEXT' Name ='user' value="<?PHP echo $uname;?>" maxlength="20">
Password: <INPUT TYPE = 'TEXT' Name ='pass' value="<?PHP echo $pword;?>" maxlength="16">
<P align = center>
<INPUT TYPE = "Submit" Name = "Submit1" VALUE = "Login">
</P>
</FORM>
<P>
<?PHP print $errormessage;?>
</BODY>
</HTML>
```
Pikachu2000 Posted January 3, 2012

When posting code, enclose it within the forum's . . . BBCode tags.
ddubs Posted January 3, 2012

mysql_query will return false on error. False is a boolean value. Therefore, if, say, `$output = mysql_query($sql);` the SQL query fails and you don't check properly and just pass it to mysql_num_rows(), then it will yell about getting a boolean value (the value: false, because the query failed).

Perhaps the DB table "address_data" doesn't contain any data?
Pikachu2000 Posted January 3, 2012

An empty table won't cause an error; just an empty results set. It's more than likely because there are no quotes around the variables containing string values in the query string.
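The login check discussed in this thread, rewritten as an added example that is not code from any of the posters: it swaps the manual quoting in quote_smart for a prepared statement and makes a failed query raise an error instead of handing `false` to the row count. It assumes PHP 8 with the pdo_sqlite extension so it runs without a MySQL server; the function names `open_sample_db` and `check_login` and the sample row are constructed for illustration, while the table and column names are the ones from the posted script.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 with pdo_sqlite.
// The in-memory table and its single row are constructed sample data.

function open_sample_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Failed statements throw PDOException instead of returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE address_data (First_name TEXT, Last_name TEXT)');
    $db->exec("INSERT INTO address_data VALUES ('Ada', 'Lovelace')");
    return $db;
}

// Returns true only when exactly one row matches both values.
function check_login(PDO $db, string $first, string $last): bool
{
    // Placeholders keep the submitted values out of the SQL text, so no
    // manual quoting or escaping step is needed.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM address_data WHERE First_name = ? AND Last_name = ?'
    );
    $stmt->execute([$first, $last]);
    return (int) $stmt->fetchColumn() === 1; // comparison, not assignment
}

$db = open_sample_db();
var_dump(check_login($db, 'Ada', 'Lovelace'));   // matching row
var_dump(check_login($db, 'Ada', 'wrong'));      // no matching row
var_dump(check_login($db, 'Ada', "' OR '1'='1")); // quotes are matched as data

// A broken statement (misspelled column) is reported where it happens,
// rather than a boolean reaching the row-count call.
try {
    $db->query('SELECT * FROM address_data WHERE Frist_name = 1');
} catch (PDOException $e) {
    echo 'query failed: ', $e->getMessage(), "\n";
}

// Escape for HTML only when echoing back into the form, and keep that
// copy separate from the value bound into the query.
$uname = 'Ada "<b>"';
echo htmlspecialchars($uname, ENT_QUOTES, 'UTF-8'), "\n";
```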