
How to use mysql_num_rows in mysqli?

I have a MySQL search query, but because of SQL INJECTION I changed my code to MySQLi. I used

if(mysql_num_rows($result)>= 1)

before and I changed it into

if(($result->num_rows)>= 1)

My problem is that even when there are matching values in the query, it always echoes no results. Why is that?

<?php
$mysqli = new mysqli("localhost", "root", "", "app");
// $search is not defined in the posted snippet; assumed here to arrive as a GET parameter
$search = isset($_GET['search']) ? $_GET['search'] : '';

// Posted as-is: this assigns a string to a property named "query" instead of calling
// $mysqli->query(), so the SQL is never executed and $result holds a string, not a mysqli_result
$result = $mysqli->query="SELECT *,SUM(unit_cost*quantity) AS total_amount FROM procurement WHERE counter LIKE '%".$search."%' 
OR item_description LIKE '%".$search."%' OR fund_source LIKE '%".$search."%' OR quantity LIKE '%".$search."%' OR mode_of_procurement LIKE '%".$search."%' 
OR division LIKE '%".$search."%' OR section LIKE '%".$search."%' GROUP BY counter";

if(($result->num_rows)<= 0){
echo "<br><div style='margin:0 auto;background:#fff;padding:3px;color:#2086e4;font-size:11px;font-weight:bold;text-align:center;'>
No Result for :<font color='red' style='text-transform:uppercase'>&nbsp; &nbsp;".$search."</font></div>";

//echo 'No Result for <font color="red">'.$search.'</font>';
}
if(($result->num_rows)>= 1){
echo '<br><div style="margin:0 auto;background:#fff;padding:3px;color:#2086e4;font-size:11px;font-weight:bold;text-align:center;">
Result for :<font color="red" style="text-transform:uppercase">&nbsp; &nbsp;'.$search.'</font></div>';
    echo "<div id='id3' style='margin-top:10px;'><table id='tfhover' class='tftable' border='1' style='text-transform:uppercase;'>
        <thead>
        <tr>
        <th></th><th>Item Description</th>
        <th>Fund Source</th>
        <th>Unit</th>
        <th>Unit Cost</th>
        <th>Quantity</th>
        <th>Total Amount</th>
        <th>Mode of Procurement</th>
        <th>Supplier</th>
        <th>P.O #</th>
        <th>P.O Date</th>
        <th>Division</th>
        <th>Section</th>
        </tr></thead><tbody>";

    while($row = $result->fetch_assoc()){
echo '<tr>
        <td><a href="'.$_SERVER['PHP_SELF'].'?pn='.$row["counter"].'" onclick="return confirm(\'Really want to delete?\');"><img src="images/del.png" border="0" width="15" height="15"></a></td>
        <td>'.$row['item_description'].'</td>
        <td>'.$row['fund_source'].'</td>
        <td>'.$row['unit'].'</td>
        <td>'.$row['unit_cost'].'</td>
        <td>'.$row['quantity'].'</td>
        <td>'.$row['total_amount'].'</td>
        <td>'.$row['mode_of_procurement'].'</td>
        <td>'.$row['supplier'].'</td>
        <td>'.$row['po_number'].'</td>
        <td>'.$row['po_date'].'</td>
        <td>'.$row['division'].'</td>
        <td>'.$row['section'].'</td></tr>';
    }
    // close the table once, after the loop (the original emitted </tbody> on every row)
    echo '</tbody></table></div>';
}
?>

You are setting a query property on the $mysqli object, instead of calling the query() method. Use

$result = $mysqli->query("some sql");

instead.

Furthermore, using any database module this way can (and probably will) result in SQL injections. You are still building a query string by string concatenation; whether it's mysql, mysqli or something else, by this route you will always have SQL injection vulnerabilities.

You just managed to get EVERYTHING wrong.

First of all, you didn't make your code any more secure. "Mysqli" is not a magic chant that makes everything safe just by its presence. To make your code secure you have to use prepared statements.

Second, you don't need the number of rows at all. You should quit that old dirty approach of mixing HTML with SQL and learn to use some templates. With templates you will need no dedicated function to know whether you got any rows at all.
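The two answers above make one point from two sides: call query() rather than assigning to a property, and stop concatenating $search into the SQL text. As an added example that is not code from the question or from either answer, here is the same search written with a mysqli prepared statement, keeping num_rows for the empty-result check since that is what the question asks about. Table and column names are taken from the question; the $_GET['search'] source, the '!' LIKE-escaping, the output escaping helper h(), and the assumption that counter is the table's primary key (which is what makes GROUP BY counter with the other columns listed legal under ONLY_FULL_GROUP_BY) are mine.

```php
<?php
// Added example (not the question's or either answer's code): the search done
// with a mysqli prepared statement, so $search is bound as data and never spliced
// into the SQL text. Table and column names come from the question. Assumed:
// the term arrives in $_GET['search'], and `counter` is the table's primary key,
// so listing the other columns alongside GROUP BY counter is accepted under
// ONLY_FULL_GROUP_BY (MySQL's default since 5.7.5).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure instead of returning false
$mysqli = new mysqli("localhost", "root", "", "app");
$mysqli->set_charset("utf8mb4");

$search = isset($_GET['search']) ? (string) $_GET['search'] : '';

// Binding prevents SQL injection, but '%' and '_' are still wildcards inside a
// bound LIKE value. Escape them with '!' (declared via ESCAPE below) so a user
// cannot widen the search to every row by typing a lone '%'.
$like = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $search) . '%';

// Columns listed explicitly instead of SELECT *, so the GROUP BY is accepted
// under ONLY_FULL_GROUP_BY. Seven placeholders, one per LIKE.
$sql = "SELECT counter, item_description, fund_source, unit, unit_cost, quantity,
               SUM(unit_cost * quantity) AS total_amount,
               mode_of_procurement, supplier, po_number, po_date, division, section
        FROM procurement
        WHERE counter             LIKE ? ESCAPE '!'
           OR item_description    LIKE ? ESCAPE '!'
           OR fund_source         LIKE ? ESCAPE '!'
           OR quantity            LIKE ? ESCAPE '!'
           OR mode_of_procurement LIKE ? ESCAPE '!'
           OR division            LIKE ? ESCAPE '!'
           OR section             LIKE ? ESCAPE '!'
        GROUP BY counter";

$stmt   = $mysqli->prepare($sql);
$params = array_fill(0, 7, $like);                 // same pattern for every placeholder
$stmt->bind_param(str_repeat('s', count($params)), ...$params);
$stmt->execute();
$result = $stmt->get_result();                     // mysqli_result; needs the mysqlnd driver (PHP's default)

// Everything echoed back into the page is HTML-escaped; $search is raw request input.
function h($s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// num_rows is populated here because get_result() buffers the whole result set.
if ($result->num_rows === 0) {
    echo "<br><div class='msg'>No Result for: <span class='term'>" . h($search) . "</span></div>";
    $stmt->close();
    exit;
}

echo "<br><div class='msg'>Result for: <span class='term'>" . h($search) . "</span></div>";
echo "<table id='tfhover' class='tftable' border='1'><thead><tr>"
   . "<th>Item Description</th><th>Fund Source</th><th>Unit</th><th>Unit Cost</th>"
   . "<th>Quantity</th><th>Total Amount</th><th>Mode of Procurement</th><th>Supplier</th>"
   . "<th>P.O #</th><th>P.O Date</th><th>Division</th><th>Section</th>"
   . "</tr></thead><tbody>";

$fields = ['item_description', 'fund_source', 'unit', 'unit_cost', 'quantity', 'total_amount',
           'mode_of_procurement', 'supplier', 'po_number', 'po_date', 'division', 'section'];
while ($row = $result->fetch_assoc()) {
    echo '<tr>';
    foreach ($fields as $f) {
        echo '<td>' . h($row[$f]) . '</td>';
    }
    echo '</tr>';
}
echo '</tbody></table>';   // closed once, after the loop

$stmt->close();
```

bind_param() protects the SQL structure, not LIKE semantics, which is why the '!' escaping and the ESCAPE clause are there; without them a search term of just % returns every row. If your PHP build uses libmysqlclient rather than mysqlnd, get_result() is unavailable: call $stmt->store_result() and read $stmt->num_rows instead, then fetch through bind_result().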

Step 1: echo it like:

echo $result = $mysqli->query="SELECT *,SUM(unit_cost*quantity) AS total_amount FROM procurement WHERE counter LIKE '%".$search."%' 
OR item_description LIKE '%".$search."%' OR fund_source LIKE '%".$search."%' OR quantity LIKE '%".$search."%' OR mode_of_procurement LIKE '%".$search."%' 
OR division LIKE '%".$search."%' OR section LIKE '%".$search."%' GROUP BY counter";

Comment out all other lines and run, copy the output and paste it into the SQL area of phpMyAdmin. If it displays any result, the problem is related to the num_rows condition only. Before that, make sure you have data to display for the condition. (If there is no output in SQL and you have data to display for your search key, the problem is with your SQL fetch statement in PHP.)

Step 2: now remove the echo from the first step and add it to the num_rows object like: echo $xxx=$result->num_rows; then do the same procedure

if($xxx==0) {Action 1} 
elseif($xxx>=1){Action 2}
else{Action 3}

Happy coding

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM