The Archive of Official vBulletin Modifications Site. It is not a VB3 engine, just a parsed copy!
#1
Hello all,
I hope I'm putting this in the right forum. I'm a Systems Admin that's trying to modify some existing PHP code in the plugin system (register_addmember_process). We have a process that needs to verify a few options for a user to have access to the boards. Whenever I put in this new modified code, I get this:

```
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /register.php(358) : eval()'d code on line 30
```

Can anyone help? Here's the code I put in:

```php
// Connection settings for the separate membership database
$aff_db_name = "xxx";
$aff_db_user = "xxx";
$aff_db_pass = "xxx";
$aff_db_host = "xxx";

// Values submitted on the registration form
$vip_username = $vbulletin->GPC['username'];
$vip_pass = $_REQUEST["pss"];

$dbconn = mysql_connect($aff_db_host, $aff_db_user, $aff_db_pass);
if (!$dbconn) {
    die ('Could not connect: ' . mysql_error());
}
mysql_select_db($aff_db_name, $dbconn);

$query = "SELECT email, password, passcode FROM vippass WHERE passcode='$vip_username' AND password ='$vip_pass'";
$query1 = "SELECT * FROM vipmember WHERE passcode='$vip_username'";
$query2 = "SELECT * FROM transaction WHERE transtype='SALE' AND passcode='$vip_username' AND date >= DATE_SUB(CURDATE(),INTERVAL 90 DAY)";

$result = mysql_query($query, $dbconn);
$result1 = mysql_query($query1, $dbconn);
$result2 = mysql_query($query2, $dbconn);

if (mysql_num_rows($result) >= 1 AND mysql_num_rows($result1) >= 1) {
    $row = mysql_fetch_assoc($result);
    $userdata->set('email',$row['email']);
} elseif (mysql_num_rows($result) >= 1 AND mysql_num_rows($result2) >= 1) {
    $row = mysql_fetch_assoc($result);
    $userdata->set('email',$row['email']);
} else {
    eval(standard_error("The User Name or Password did not match, or not VIP Member."));
}
mysql_close($dbconn);
```
#2
You should use the inbuilt db functions for one. Second, your code doesn't protect against SQL injection.

Here are some links for it: Escaping, The unexpected Sql Injection.

When you start using the vBulletin db functions, your page will come up with a db error if there is one, which is probably why you are getting that code.
#3
Also see this article.
#4
Thanks for the warning, but the forum isn't a major one of ours, so we're not all that worried about SQL injection. Also, the information we get as a condition for registration deals with a different database.

Is there any way to know what is causing this problem? Or, better yet, is there any way I can "pass" the results of `mysql_num_rows($result2)` and `$result2` on the return page, so I can see what is going on? (Log file??) Thanks!
#5
Like I said you are getting a database error. Use mysql_error(); to get the error text.
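
Replies #2 and #5 come down to checking each query result before using it and escaping the form values. The sketch below is an added example, not code from any poster in this thread; it assumes the legacy mysql_* extension the original post uses, an already open `$dbconn`, and the poster's table names, and the helpers `vip_query()` and `vip_has_rows()` are hypothetical names.

```php
// Added example (not from the thread). Assumes $dbconn is the open link to
// the membership database and the legacy mysql_* extension is available.

// Run one query. On failure, write the server's error text to the PHP error
// log and return false, so no invalid value ever reaches mysql_num_rows().
function vip_query($label, $sql, $dbconn)
{
    $result = mysql_query($sql, $dbconn);
    if ($result === false) {
        // Log only a label and the error: the SQL text contains the password.
        error_log("VIP check [$label] failed: (" . mysql_errno($dbconn) . ') '
            . mysql_error($dbconn));
    }
    return $result;
}

// True only when the query succeeded and returned at least one row.
function vip_has_rows($result)
{
    return $result !== false && mysql_num_rows($result) >= 1;
}

// Escape both user-supplied values against the connection they are used on.
$raw_pass = isset($_REQUEST['pss']) ? (string) $_REQUEST['pss'] : '';
$user = mysql_real_escape_string($vbulletin->GPC['username'], $dbconn);
$pass = mysql_real_escape_string($raw_pass, $dbconn);

$result = vip_query('vippass',
    "SELECT email, password, passcode FROM vippass
     WHERE passcode='$user' AND password='$pass'", $dbconn);
$result1 = vip_query('vipmember',
    "SELECT * FROM vipmember WHERE passcode='$user'", $dbconn);
$result2 = vip_query('transaction',
    "SELECT * FROM transaction WHERE transtype='SALE' AND passcode='$user'
     AND date >= DATE_SUB(CURDATE(), INTERVAL 90 DAY)", $dbconn);

// Same rule as the original post: a credential match plus either a
// membership row or a sale in the last 90 days.
if (vip_has_rows($result) && (vip_has_rows($result1) || vip_has_rows($result2))) {
    $row = mysql_fetch_assoc($result);
    $userdata->set('email', $row['email']);
} else {
    eval(standard_error("The User Name or Password did not match, or not VIP Member."));
}
mysql_close($dbconn);
```

A failed query now shows up in the PHP error log under its label and counts as "no rows", so the registration is refused rather than raising the warning.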