1

This is the code I have, but I get this error when I try to get a variable from the URL: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource

The URL variable DEVID is a long string of characters, numbers, dashes, and underscores. Any ideas on what is wrong?

<?php
$con = mysql_connect("server","username","password");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("database", $con);

$result = mysql_query("SELECT * FROM $user WHERE DEVID=$DEVID");


while($row = mysql_fetch_array($result))
  {
  if (($row["FN"]) == NULL){
    echo '<meta http-equiv="refresh" content="1;url=../register/default.php?user=';
    echo $_GET["user"];
    echo '&DEVID=';
    echo $_GET["DEVID"];
    echo '">Please hold, we are taking you to the registration page.<br/><br/>';
  }

  }


mysql_close($con);
?>
6
  • echo mysql_error(); right after your mysql_query and Google about SQL injections. PS: any reason to show the user a please hold page instead of an immediate redirect? Commented Jan 8, 2012 at 4:46
  • Is this your full code? If it is, I don't see any variables named $user or $DEVID. If by $user you meant a table named user, then remove the $ sign, and add another check just before the while loop - if ($result)....... Commented Jan 8, 2012 at 4:46
  • I was asked to put in the please hold.. Commented Jan 8, 2012 at 4:51
  • the variables are in the URL... They come to the page with the URL formatted like default.php?user=name&DEVID=m0mvtRLb3Mm9c8ZlKa8_S2J5L-J35caA7eqQHb_DQ1a4pbOMmag0Mrt_Nz72VH48PQcMmt44Yxaic_NRXQqW-b3nSGgs3VLBp21Ii942DaZIhW0PqNi1wERne1jT7to30 Commented Jan 8, 2012 at 4:53
  • Do you GET[] them from the URL in some other piece of code? You need to do that before you use them, I believe. Like this: $user = $_GET['user']; And this is a SQL injection waiting to happen... I'd make sure to scrub the variables at least. Commented Jan 8, 2012 at 4:54

3 Answers

1

If $DEVID is a VARCHAR field then you'll need single quotes around it in your SQL query:

SELECT * FROM $user WHERE DEVID='$DEVID'

0

Where is $DEVID being set before the query? You're not using PHP register_globals, and that's coming from a query-string variable, are you? This is 2012! When are people going to stop using that?

0

Do the variables $user and $DEVID have values? Have they been initialized?

Assuming that $user and $DEVID have been initialized, the error is happening because mysql_query is returning false, as the SQL query generates an error when executed.

Moreover, you should not use variables directly obtained from the URL. Clean the value for possible presence of single quotes. Use mysql_real_escape_string(). Replace the mysql_query line with the below to see the SQL error if it occurs.

$DEVID=mysql_real_escape_string($DEVID);
$result = mysql_query("SELECT * FROM $user WHERE DEVID='$DEVID'") or die(mysql_error());
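
Added example, not code from the question or from any of the answers: the same lookup with DEVID bound as a prepared-statement parameter, the table name checked against an allowlist, and the redirect URL encoded before it is echoed. It assumes PDO (the mysql_* functions used on this page were removed in PHP 7) and uses an in-memory SQLite database in place of the MySQL server so it runs offline; `ALLOWED_TABLES`, `registrationUrl()`, the length cap and the sample rows are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the MySQL server (assumption);
// against MySQL only the DSN and credentials passed to PDO change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: a per-user table with one unregistered device.
$pdo->exec('CREATE TABLE alice (DEVID TEXT PRIMARY KEY, FN TEXT)');
$pdo->exec("INSERT INTO alice (DEVID, FN) VALUES ('m0mv-tRLb_3Mm9', NULL)");

// Identifiers cannot be bound as parameters, so the table name is only
// accepted if it appears in a fixed allowlist (hypothetical contents).
const ALLOWED_TABLES = ['alice'];

// Returns the HTML-safe registration URL, or null if no redirect is due.
function registrationUrl(PDO $pdo, array $get): ?string
{
    $user  = $get['user']  ?? '';
    $devid = $get['DEVID'] ?? '';
    if (!is_string($user) || !in_array($user, ALLOWED_TABLES, true)) {
        return null;
    }
    // The question describes DEVID as letters, digits, dashes, underscores.
    if (!is_string($devid) || !preg_match('/\A[A-Za-z0-9_-]{1,255}\z/', $devid)) {
        return null;
    }
    // The value is sent separately from the SQL text, so it cannot alter the query.
    $stmt = $pdo->prepare("SELECT FN FROM \"$user\" WHERE DEVID = :devid");
    $stmt->execute([':devid' => $devid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['FN'] !== null) {
        return null; // unknown device, or FN already filled in
    }
    // Encode for the query string first, then for the HTML attribute.
    $query = http_build_query(['user' => $user, 'DEVID' => $devid]);
    return htmlspecialchars("../register/default.php?$query", ENT_QUOTES, 'UTF-8');
}

// Constructed requests: a valid one, a DEVID with a quote, an unlisted table.
$requests = [
    ['user' => 'alice', 'DEVID' => 'm0mv-tRLb_3Mm9'],
    ['user' => 'alice', 'DEVID' => "abc' OR 'x'='x"],
    ['user' => 'mallory', 'DEVID' => 'm0mv-tRLb_3Mm9'],
];
foreach ($requests as $get) {
    var_dump(registrationUrl($pdo, $get));
}
```

Only the first request yields a URL; the other two are rejected before any SQL is built. With `ERRMODE_EXCEPTION` set, a failed query raises an exception instead of handing `false` to the fetch call, which is what produced the warning in the question.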
