Debugging help needed

**CSU-Bill** · Jul 26, 2011 18:42

This is the error message I received:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in signup_ck.php on line 40

I am trying to teach myself to use PHP and MySQL together. I have a site that needs a special area that should have a login, so I found a set of scripts, and started playing with the code. Now I get an error message. This is the file listed in the error message.

I know this is not nice code, but the scripts I found were using HTML3 and I tried to clean things up using HTML5 and CSS.

Any guidance will be welcome.

Code MySQL:

<?php
 
include "include/db_login.php";// database connection details stored here
// Collect the data from post method of form submission // 
$userid=$_POST['userid'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$todo=$_POST['todo'];
$email=$_POST['email'];
$name_last=$_POST['name_last'];
$name_first=$_POST['name_first'];
 
?>
<!doctype html>
<html>
 
<head>
<meta charset="UTF-8">
<title>Check Signup Data</title>
</head>
 
<body >
 
<?php
if(isset($todo) and $todo=="post"){
 
$status = "OK";
$msg="";
 
// if userid is less than 5 char then status is not ok
if(!isset($userid) or strlen($userid) <5){
$msg=$msg."User id should be 5 or more than 5 char length<br>";
$status= "NOTOK";}					
 
if(!ctype_alnum($userid)){
$msg=$msg."User id should contain alphanumeric characters only<br>";
$status= "NOTOK";}					
 
 
if(mysql_num_rows(mysql_query("SELECT userid FROM member_tbl WHERE userid = '$userid'"))){
$msg=$msg."Userid already assigned. Please select another userid.<br>";
$status= "NOTOK";}					
 
 
if ( strlen($password) <8 ){
$msg=$msg."Password must be 8 or more than 8 char length<br>";
$status= "NOTOK";}					
 
if ( $password <> $password2 ){
$msg=$msg."Both passwords do not match.<br>";
$status= "NOTOK";}					
 
 
if($status<>"OK"){ 
echo "$msg<br><input type='button' value='Retry' onClick='history.go(-1)'>";
}else{ // if all validations are passed.
$query=mysql_query("insert into member(userid,password,email,name_last,name_first) values('$userid','$password','$email','$name_last','$name_first')");
echo "Welcome, You have successfully submitted new member information<br><br><a href=login.php>Click here to login</a><br>";
}
}
?>
 
</body>
 
</html>

**DMWDave** · Jul 26, 2011 18:49

Are you sure your have connected to the database correctly?

Also

if(!ctype_alnum($userid)){
$msg=$msg."User id should contain alphanumeric characters only<br>";
$status= "NOTOK";}

You should stop processing at this point, as $userid could contain injected SQL which nasty pasties can insert horrible commands to your server, ie DELETE FROM USERS.

same here

query("insert into member(userid,password,email,name_last,name_first) values('$userid','$password','$email','$name_last','$name_first')");

Try adding mysql_real_escape_string to escape any characters that will allow for SQL inject. Also consider casting your $userid to an int, ie $userid = (int)$_POST['userid'] it will then no longer require escaping.

**CSU-Bill** · Jul 27, 2011 05:39

First, thanks for the quick response. Posting that message was the last thing I did before shutting down for the night.

I have an error message if I am not connected to the database. I have tested this and it worked, but may need some improvement. As I said, I am a rank beginner with PHP, and this is my first attempt at working with MySQL.

PHP Code:


<?php

error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);  //report errors



$dbservertype='mysql';



$servername='myservername';   



$dbusername='myusername';

$dbpassword='mypassword';



$dbname='mydatabasename';



////////////////////////////////////////

////// DONOT EDIT BELOW  /////////

///////////////////////////////////////



connecttodb($servername,$dbname,$dbusername,$dbpassword);

function connecttodb($servername,$dbname,$dbuser,$dbpassword)

{

global $link;

$link=mysql_connect ("$servername","$dbuser","$dbpassword");

if(!$link){die("Could not connect to MySQL");}

mysql_select_db("$dbname",$link) or die ("could not open db".mysql_error());

}

?>

As for the remainder of your message, that is obviously some of the guidance I need. I will have to study this and incorporate it into my code.

**CSU-Bill** · Jul 27, 2011 20:04

DMWDave,

You said I should stop processing if the userid failed the alphanumeric check. I changed that line of code to read:

PHP Code:


if(!ctype_alnum($userid)){die("User id should contain alphanumeric characters only<br>");}

I then tested by entering Webmaster, processing stopped and I was given the message I expected if I tried to use non alphanumeric characters.

What am I doing wrong?

**Mittineague** · Jul 27, 2011 21:51

Maybe there's a leading or trailing space?

If you trim($var) does it work?

If not, try var_dump($var) to see what it is.

**CSU-Bill** · Jul 28, 2011 06:02

I will check using trim when I get back to my computer(in about 8 hours). After I play around with it maybe I can make some progress.

**StarLion** · Jul 28, 2011 06:26

Back to the original problem...
Have you run the query to make sure it doesnt throw an error? The reason i say that is this...compare the lines....

Code:

if(mysql_num_rows(mysql_query("SELECT userid FROM member_tbl WHERE userid = '$userid'"))){

Code:

$query=mysql_query("insert into member(userid,password,email,name_last,name_first) values('$userid','$password','$email','$name_last','$name_first')");

*sings song* One of these things is not like the other....

**CSU-Bill** · Jul 28, 2011 14:06

StarLion,

Thanks. I have fixed that. Will test things again and see if I can figure out where my next issues will be. (I suspect I will have many as I learn some new things.)

**CSU-Bill** · Jul 28, 2011 19:31

I am now getting past the error with the non-alphanumeric characters, and have reached this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in signup_ck.php on line 39

That line currently reads:

if(mysql_num_rows(mysql_query("SELECT userid FROM member_tbl WHERE userid = '$userid'"))){$msg=$msg."Userid already assigned. Please select another userid.<br>";

I looked at PHP.net and I thought I was checking the database to see if the userid was already in use. The database table member_tbl is currently empty, so I should expect to get my "Userid already assigned." message.

I did notice the PHP.net did not show an example of this using IF. Am I using the wrong function?

**CSU-Bill** · Jul 28, 2011 19:42

Almost forgot.

I entered this into my code:
$trimmed = trim($userid);
var_dump($trimmed);

The result was: string(1) "0"

Can I now enter something like $trimmed = $userid; to get the trimmed userid ready for the remainder of the code?

**StarLion** · Jul 29, 2011 05:08

I need a schema for your table to be able to debug this further.

**CSU-Bill** · Jul 29, 2011 05:27

I actually have two tables, login_tbl and member_tbl.
login_tbl has:
`id` INT(6) NOT NULL AUTO_INCREMENT
`user_id` VARCHAR(10) NOT NULL
`ip` VARCHAR(50) NOT NULL
`time` DATETIME NOT NULL
`status` CHAR(3) NOT NULL
' PRIMARY KEY (`id`)

member_tbl has:
`user_id` VARCHAR(10) NOT NULL
`password` VARCHAR(10) NOT NULL
`email` VARCHAR(50) NOT NULL
`name_last` VARCHAR(50) NOT NULL
`name_first` VARCHAR(50) NOT NULL
PRIMARY KEY (`user_id`)

I have built a form to enter the member data.

Code:

<form name="form1" action="signup_ck.php" onsubmit="return validate(this)" method="post">
<p>User ID (alphanumeric  chars only): <input class="right" type="text" name="userid"><br></p>
<p>Password: <input type="password" name="password"><br></p>
<p>Re-enter Password: <input type="password" name="password2"><br></p>
<p>Email: <input type="text" name="email"><br></p>
<p>Last Name: <input type="text" name="name_last"><br></p>
<p>First Name: <input type="text" name="name_first"><br></p>
<p><input type=hidden name=todo value=post></p>
<p><input type=submit value=Submit></p>
</form>

Hope this is what you are looking for.

**StarLion** · Jul 29, 2011 05:36

Yup, because i see the problem.
*sings song again....*

Code:

member_tbl has:
`user_id` VARCHAR(10) NOT NULL

Code:

if(mysql_num_rows(mysql_query("SELECT userid FROM member_tbl WHERE userid = '$userid'"))){

One of these things is still not like the other....

(Future Hint: The 'is not a mysql resource' error most normally means "Your query was rejected by the server". If you encounter this in the future, run the query through your database engine and you'll find out why. [In this case, mysql would have barked "Field userid does not exist"])

**CSU-Bill** · Jul 29, 2011 06:10

StarLion,

Thank you. I am no longer getting warning messages. Now i am just getting the messages I have inserted into my code.

Can I run each line of code via phpMyAdmin to catch my errors?

**StarLion** · Jul 29, 2011 06:46

Any query you can run through PHPmyAdmin. You'll have to supply some fake data if you want it to work correctly (IE: Look at your query. phpMyAdmin is going to have no idea what $userid is supposed to be (and will actually handle it as a string literal), so if you want to test it with user_id 1, you'll have to put into phpMyAdmin SELECT userid FROM member_tbl WHERE userid = '1' )

**CSU-Bill** · Jul 29, 2011 07:50

StarLion,

Great! I will put in some entries for a couple of different "members" and see what I can learn.

If I don't get this started tonight, it will be next week before i can do anything with it. I will be visiting my newborn grandson this weekend.

**CSU-Bill** · Jul 30, 2011 20:09

Now, I am getting this error:

Parse error: syntax error, unexpected $end in test_form_ck.php on line 46

The last line in this file is line 45.

Code:

<?php
// file name is test_form_ck.php
include "include/db_login.php";// database connection details stored here
// Collect the data from post method of form submission // 
$userid=$_POST ['userid'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$todo=$_POST['todo'];
$email=$_POST['email'];
$name_last=$_POST['name_last'];
$name_first=$_POST['name_first'];

?>
<!doctype html>
<html>

<head>
<meta charset="UTF-8">
<title>TEST Signup FORM</title>
</head>

<body >

<?php
if(isset($todo) and $todo=="post"){
$status = "OK";
$msg = "";

// Set status to NOTOK if userid is less than 5 chaqracters
if(!isset($userid) or strlen($userid) <5){
$msg=$msg."User id should be 5 or more than 5 char length<br>";
$status = "NOTOK";}	

if($status<>"OK"){ 
echo "$msg<br><input type='button' value='Retry' onClick='history.go(-1)'>";
}else{ // if all validations are passed
$query=mysql_query("insert into member_tbl(user_id,password,email,name_last,name_first) values('$userid','$password','$email','$name_last','$name_first')");
echo "Welcome, You have successfully submitted new member information<br><br>";
}

?>

</body>

</html>

line 45 is the closing html tag.

**DMWDave** · Jul 30, 2011 20:12

Missing an end brace,

Originally Posted by CSU-Bill

Now, I am getting this error:

Parse error: syntax error, unexpected $end in test_form_ck.php on line 46

The last line in this file is line 45.

Code:

<?php
// file name is test_form_ck.php
include "include/db_login.php";// database connection details stored here
// Collect the data from post method of form submission // 
$userid=$_POST ['userid'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$todo=$_POST['todo'];
$email=$_POST['email'];
$name_last=$_POST['name_last'];
$name_first=$_POST['name_first'];

?>
<!doctype html>
<html>

<head>
<meta charset="UTF-8">
<title>TEST Signup FORM</title>
</head>

<body >

<?php
if(isset($todo) and $todo=="post"){
$status = "OK";
$msg = "";

// Set status to NOTOK if userid is less than 5 chaqracters
if(!isset($userid) or strlen($userid) <5){
$msg=$msg."User id should be 5 or more than 5 char length<br>";
$status = "NOTOK";}	

if($status<>"OK"){ 
echo "$msg<br><input type='button' value='Retry' onClick='history.go(-1)'>";
}else{ // if all validations are passed
$query=mysql_query("insert into member_tbl(user_id,password,email,name_last,name_first) values('$userid','$password','$email','$name_last','$name_first')");
echo "Welcome, You have successfully submitted new member information<br><br>";
}

} <-- You missed an end brace ;)
?>

</body>

</html>

line 45 is the closing html tag.

**StarLion** · Jul 31, 2011 04:31

http://www.sitepoint.com/forums/php-...ms-768872.html

**CSU-Bill** · Jul 31, 2011 18:35

DMWDave, Thanks for pointing out the missing end brace. It now works, and I can start setting up the proper checks and tests to get this going.

StarLion, Thanks for pointing me to the list of common problems. That should give me an idea of where to look for the errors in my code.

**deathshadow60** · Jul 31, 2011 23:45

Some further advice:

1) STOP dropping in and out of php parsing mode. You're just making the code more complex for no good reason. (But again, I'm the guy who thinks <?php and ?> should be removed from the language!)

2) if you're going to copy values into variables, SANITIZE them unless you're using prepared queries. (which you aren't).

3) you don't have to say $msg=$msg." -- $msg.=" is just fine.

4) Do not process unused values until you NEED them... otherwise it's a waste of execution time.

5) INDENT... your missing closes would stand out like a sore thumb then. Simply adding tabs and a few carriage returns can work WONDERS. A few extra spaces in there couldn't hurt either... You've got this... oddball placement of closing brackets and other bits and pieces of the code that's just BEGGING for you to have those types of errors.

6) STOP using double-quotes on your strings. They take longer, and make the code often harder to deal with. (again, WHAT is with people doing that?!?)

7) there is no "and" or "or" for comparisons. Did you mean && and ||?
PHP: Comparison Operators - Manual

8) you lack enough parenthesis in your evaluations. PHP screws up comparisons as && is also a valid compare.... which will run BEFORE your <5

SO... my version would probably looks something more like this:

Code:

<?php

function sanitizeFromPost($postName){
	if isset($_POST[$postName]) {
		$str=(
			get_magic_quotes_gpc() ?
			stripslashes($_POST[$postName]) :
			$_POST[$postName]
		);
		return (
			function_exists('mysql_real_escape_string') ?
			mysql_real_escape_string($str) :
			addslashes($str)
		);
	} else return '';
}

// file name is test_form_ck.php
include "include/db_login.php";// database connection details stored here
// Collect the data from post method of form submission // 

echo '
<!doctype html>
<html><head>

<meta charset="UTF-8">

<title>TEST Signup FORM</title>

</head><body>';

if (
	isset($_POST['todo']) &&
	($_POST['todo']=="post")
) {
	$msg='';
	
	$userid=sanitizeFromPost('userid');
	if (strlen($userid)<5) {
		$msg.='User ID should be 5 or more than 5 char length<br>';
	}

	if (empty($msg)) {
		$password=sanitizeFromPost('password');
		$password2=sanitizeFromPost('password2');
		$email=sanitizeFromPost('email');
		$name_last=sanitizeFromPost('name_last');
		$name_first=sanitizeFromPost('name_first');
		$query=mysql_query("
			INSERT INTO member_tbl
			(user_id,password,email,name_last,name_first)
			VALUES
			('$userid','$password','$email','$name_last','$name_first')
		");
		echo "Welcome, You have successfully submitted new member information<br><br>";
	} else {
		echo $msg.'<br><input type="button" value="Retry" onClick="history.go(-1)">';
	}
	
}

echo '
</body></html>';

?>

Off Topic:

I'd also suggest kicking the HTML 5 nonsense to the curb since it's doing nothing but setting coding practices back a decade or more...

But of course, no one ever listens to poor Zathras no, he's quite mad they say. It is good that Zathras does not mind, has even grown to like it.

I'd also kick the mysql_ functions even harder, and switch at LEAST to mySQLi, or even better PDO. This isn't 2003.

Oh, also notice I got rid of the ok variable. If you add a error message, there are errors; as such all you have to do is check if $msg is empty. No need for the extra variable. I made my sanitize function return an empty string, so for the userid check all you have to do is check the length.

**CSU-Bill** · Aug 1, 2011 07:07

deathshadow60,

I have read your message, and much of what you have is beyond my current knowledge level. Google is my friend, so I am studying.

I just checked, and I do have mySQLi and PDO available. How does this affect the code used for files shuch as the one I am working on now?

**Mittineague** · Aug 1, 2011 11:06

The "i" stands for "improved". It allows you to write much more secure code.

The "P" stands for "portable". It allows you to write much more secure code and to use the same code with other databases.

So if you think you will always use a MySQL database then MySQLi would probably be OK and would definately be better to use.

But if you think you might ever be working with other databases and don't want to rewrite code, PDO would be the wise choice.

And PDO works with MySQL too, so no harm using it now.

**CSU-Bill** · Aug 1, 2011 11:53

What are the differences in code for using PDO?

Where do I find some instructions for using PDO?

Is this what I find with Google is Python Database Objects?

**CSU-Bill** · Aug 1, 2011 19:14

deathshadow60,

I copied your code to see if it would run in my environment, and it did not. I get a:
Parse error: syntax error, unexpected T_ISSET, expecting '(' in test_form_ck_r01.php on line 4

Not sure why it does not work. Maybe something is not enabled on my site, or the config file is not set correctly.

I did find information on PHP Data Objects, and I have started studying the information.

I appreciate the assistance. I will continue working with this code.

PHPINFO says: PDO Driver for MySQL, client library version 5.0.92, and PHP Version 5.2.17.

User Tag List

Thread: Debugging help needed

Thread Tools

Display

Debugging help needed

Bookmarks

Bookmarks

Posting Permissions