Your query probably has an error, in which case mysql_query will return false. For this reason, you should not group commands like this. Do it like this:

    $result = mysql_query("...");
    if (!$result) {
        echo mysql_error();
        die(); // or some other error handling method
               // like, a generic error message on a public site
    }
    $count = mysql_num_rows($result);

Also, you have a number of SQL injection vulnerabilities in your code. You need to sanitize the incoming $search variable:

    $search = mysql_real_escape_string($_POST["search"]);
    ...
    mysql_query(".... WHERE $title LIKE '%$search%'");

If $start and $end come from outside, you also need to sanitize those before using them in your LIMIT clause. You can't use mysql_real_escape_string() here, because they are numeric values. Use intval() to make sure they contain only numbers.

Using a dynamic column name is also difficult from a sanitation point of view: you won't be able to apply mysql_real_escape_string() here, either. You should ideally compare against a list of allowed column names to prevent injection.
please avoid mysql_real_escape_string(). Use mysql prepared statements. – Shashwat Apr 3 at 12:36
@Shashwat what's so wrong with escaping strings? – Col. Shrapnel Apr 3 at 12:43
you can miss escaping a variable. But if you follow prepared statements you are assured that it won't happen. Good Design.. – Shashwat Apr 3 at 13:08
check this: stackoverflow.com/questions/732561/… – Shashwat Apr 3 at 13:09
@Shashwat while there are many advantages to PDO or mysqli, there is nothing essentially wrong with the mysql_ family of functions. Also, note that prepared statements will not help with a dynamic table name. – Pekka Apr 3 at 13:09
You have to use GET method in your form, not POST. mysql_num_rows doesn't make sense here. If you're using limit, you already know the number*.

If you want to know the number, you shouldn't use limit nor request rows but select the number itself.

    // get your $title safe
    $fields = array("name", "lastname");
    $key = array_search($_GET['title'], $fields);
    $title = $fields[$key];
    // escape your $search
    $search = mysql_real_escape_string($_GET['search']);
    $sql = "SELECT count(*) FROM members WHERE $title LIKE '%$search%'";
    $res = mysql_query($sql) or trigger_error(mysql_error() . " in " . $sql);
    $row = mysql_fetch_row($res);
    $members_found = $row[0];

In case you need just 5 records to show on the page, no need for mysql_num_rows() again:

    // Get LIMIT params
    $member_number = 5;
    $start = 0;
    if (isset($_GET['page'])) {
        $start = abs($_GET['page'] - 1) * $member_number;
    }
    // get your $title safe
    $fields = array("name", "lastname");
    $key = array_search($_GET['title'], $fields);
    $title = $fields[$key];
    // escape your $search
    $search = mysql_real_escape_string($_GET['search']);
    $sql = "SELECT * FROM members WHERE `$title` LIKE '%$search%' LIMIT $start, $member_number";
    $res = mysql_query($sql) or trigger_error(mysql_error() . " in " . $sql);
    $data = array();
    while ($row = mysql_fetch_assoc($res)) {
        $data[] = $row;
    }

Now you have selected rows in $data for the further use.
This seems correct (and safe!) to me. Anyone care to explain the downvotes? – Arjan Apr 3 at 14:13
they can't downvote comments, but they don't like the truth. So, only answer votes they have :) – Col. Shrapnel Apr 3 at 14:16
no, it's probably because you've become a bit of a target. See: meta.stackoverflow.com/questions/85797/can-i-dispute-a-downvote – Otaku Apr 3 at 18:11
@Arjan thank you for your support, man. I know I did behave not so smart in this situation, but you were the only one who judged fairly and who supported me on meta. I heartily thank you. – Col. Shrapnel Apr 3 at 21:50
And only now I see that you got rid of the horizontal scrollbars! :-) Well, peace, please! – Arjan Apr 37 at 7:38
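As an added example (it is not code from either answer above, nor from the question's author), here is the advice from Pekka's answer (whitelist the column name, force the LIMIT values to integers, check the query's return value before using it) combined with Col. Shrapnel's split into a COUNT query and a paged SELECT, written for the mysqli extension with prepared statements, which the comments recommend and which replaces the mysql_ functions removed in PHP 7. The table `members`, its columns `name` and `lastname`, the request parameters `title`, `search` and `page`, and the placeholder credentials are assumptions taken from the thread.

```php
<?php
// Added example, not code from the answers above: whitelisted column name,
// integer-only LIMIT values and a separate COUNT query, on mysqli prepared
// statements. Table/column names and credentials are placeholders.
declare(strict_types=1);

const ALLOWED_COLUMNS = ['name', 'lastname'];

/** Map a user-supplied column name onto the allowed list; anything else falls
 *  back to the first allowed column. Identifiers cannot be bound as statement
 *  parameters, so a whitelist is the only safe way to let the client pick one. */
function pick_column($requested): string
{
    return in_array($requested, ALLOWED_COLUMNS, true) ? $requested : ALLOWED_COLUMNS[0];
}

/** Build the LIKE pattern. The term is bound as a parameter, so no SQL escaping
 *  is needed; addcslashes only stops "%" and "_" inside the term from acting as
 *  wildcards (MySQL's default LIKE escape character is the backslash). */
function like_pattern(string $search): string
{
    return '%' . addcslashes($search, '%_\\') . '%';
}

/** Prepare, bind and execute, failing loudly with the SQL attached instead of
 *  letting a false return value flow into the next call. */
function run(mysqli $db, string $sql, string $types, array $params): mysqli_stmt
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException($db->error . ' in ' . $sql);
    }
    $stmt->bind_param($types, ...$params);
    if (!$stmt->execute()) {
        throw new RuntimeException($stmt->error . ' in ' . $sql);
    }
    return $stmt;
}

/** Total matches: one COUNT(*) query, no LIMIT and no mysql_num_rows(). */
function count_members(mysqli $db, $column, string $search): int
{
    $column = pick_column($column);                        // whitelisted identifier
    $stmt = run($db, "SELECT COUNT(*) FROM `members` WHERE `$column` LIKE ?",
                's', [like_pattern($search)]);
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

/** One page of rows. $page is coerced to a positive integer (the intval() step
 *  from the answer) and both LIMIT values are bound as integers. */
function fetch_members_page(mysqli $db, $column, string $search, $page, int $per_page = 5): array
{
    $column = pick_column($column);
    $page   = max(1, (int) $page);
    $start  = ($page - 1) * $per_page;
    $stmt = run($db, "SELECT * FROM `members` WHERE `$column` LIKE ? LIMIT ?, ?",
                'sii', [like_pattern($search), $start, $per_page]);
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);  // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Usage with placeholder credentials; the request values come from $_GET as in the thread.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}
$column = $_GET['title'] ?? 'name';
$search = is_string($_GET['search'] ?? null) ? $_GET['search'] : '';
$page   = $_GET['page'] ?? 1;

$total = count_members($db, $column, $search);
$rows  = fetch_members_page($db, $column, $search, $page);
printf("%d member(s) match; showing %d on this page\n", $total, count($rows));
```

The column name is the one value a prepared statement cannot protect, which is why it goes through the whitelist and is then quoted with backticks; the search term and the two LIMIT numbers are bound, so neither mysql_real_escape_string() nor intval() on the query string is needed.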
This kind of error generally indicates there is an error in your SQL query -- so it has not been successful, and mysql_query() doesn't return a valid resource, which therefore cannot be used as a parameter to mysql_num_rows(). You should echo your SQL query, in order to check if it's built OK. And/or, if mysql_query() returns false, you could use mysql_error() to get the error message: it'll help you debug your query ;-) Typically, your code would look a bit like this:

    $query = "select ..."; // note: don't forget about escaping your data
    $result = mysql_query($query);
    if (!$result) {
        trigger_error(mysql_error() . " in " . $query);
    } else {
        // use the resultset
    }
– Pascal MARTIN Apr 3 at 12:06
actually the $member_number is 5 and I have a text field which is named search but the error appears when I first open the page in browser so I don't write anything in search box. If I write, nothing changes too. And $start = ($page-1)*$member_number; I use it with $_GET. – echophp Apr 3 at 12:14
You shouldn't execute that query when no data has been submitted, then. – Pascal MARTIN Apr 3 at 12:18
Comments never get executed. You have to code desired behavior, not comment it. – Col. Shrapnel Apr 3 at 12:21
A note on the following usage, which suggests using several MySQL functions to get the number of table records. I omitted the actual connection to MySQL and the execution of the query, but you get the idea. I did some tests on a fairly high traffic web site, one that executes several queries quite often, and found that using this combination of MySQL functions can actually result in wrong results.

For example, assume I have two queries to get the number of table records in two different tables. So in essence, we are executing 4 queries (2 queries for each table). If two different requests come in through PHP, you're going to run into problems.

Note that when I say request, I mean two different clients requesting your PHP page. At this point, you see the race condition that occurred: while Request 1 was being executed, Request 2 came in.