
I have spent the last hour and a half looking over this code and I cannot figure out what is wrong. It does not return any errors, and the while loops called with the query work fine, but mysql_num_rows will not work.

Before you read the code, I want you to know that I have tried taking out all of that extra mess in the query, such as `Order By`, but it still throws the warning.

The Code:

    <?php
    global $_SESSION,$os_DB,$ui,$count;
    //Loggedin
    if($_SESSION['login']!=1)
    {
        print "You must be logged in.";
        include($root . 'footer.php');
        exit;
    }
    //Check banned account
    elseif($ui['level']=="2"){
        print "Sorry but your account is banned.";
        include($root . 'footer.php');
        exit;
    }
    //Check email verified
    elseif($ui['email_check']=="0"){
        print "Sorry but your account has not been verified, to verify your account now please visit <a href='index.php?index=verify&email=".$ui['email']."'>THIS LINK</a>.";
        include($root . 'footer.php');
        exit;
    }
    date_default_timezone_set('America/New_York');
    $country= $ui['country'];
    $dates=mysql_query("SELECT * FROM `contest` WHERE `countries` LIKE '%$country%'");
    $timestamp = time();

    $getcontests = $os_DB->query("SELECT * FROM contest WHERE date_1 <= '$timestamp' AND date_2 >= '$timestamp' AND countries LIKE '%$country%'");
        $num = $os_DB->num($getcontests);

            if($num == 0){
            print"<td colspan='4'>There are currently no active contests</td>";
            }
            else
            {

    while ($dat = mysql_fetch_array($dates)) {
    $tname = preg_replace('/\s+/', '', $dat['name']);
///////////Problem Area vvvv////////////////////////
    $places="(SELECT * FROM `".$tname."_contest` WHERE `username` <> 'admin' AND `completed` >= '".$dat['min_offers']."' ORDER BY `completed` DESC LIMIT ".$dat['rewards'].")";
    $results=mysql_query($places) or die(mysql_error());

    if ($dat['rewards'] == 1){
    $reward = "".$dat['reward_1']."";
    }
    else if ($dat['rewards'] == 2){
    $reward = "".$dat['reward_1'].",".$dat['reward_2']."";
    }
    else if ($dat['rewards'] == 3){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3']."";
    }
    else if ($dat['rewards'] == 4){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4']."";
    }
    else if ($dat['rewards'] == 5){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5']."";
    }
    else if ($dat['rewards'] == 6){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5'].",".$dat['reward_6']."";
    }
    else if ($dat['rewards'] == 7){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5'].",".$dat['reward_6'].",".$dat['reward_7']."";
    }
    else if ($dat['rewards'] == 8){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5'].",".$dat['reward_6'].",".$dat['reward_7'].",".$dat['reward_8']."";
    }
    else if ($dat['rewards'] == 9){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5'].",".$dat['reward_6'].",".$dat['reward_7'].",".$dat['reward_8'].",".$dat['reward_9']."";
    }
    else if ($dat['rewards'] == 10){
    $reward = "".$dat['reward_1'].",".$dat['reward_2'].",".$dat['reward_3'].",".$dat['reward_4'].",".$dat['reward_5'].",".$dat['reward_6'].",".$dat['reward_7'].",".$dat['reward_8'].",".$dat['reward_9'].",".$dat['reward_10']."";
    }

    $rewardsa = explode(",", $reward);
    $i=0;
    $a=1;

    // Offers Contest

    if(time() <= $dat['date_2'] && time() >= $dat['date_1'] && $dat['type'] == 'offer') {
    print" <table width ='100%'><tr><th align='center'><font size='4'>{$dat['name']}</font></th><th align='right'><font size='1'>".date("m/d/Y h:i A", $dat['date_1'])."-".date("m/d/Y h:i A", $dat['date_2'])."</font></th></tr></table><br />".$dat['desc']."<br /><font size='1' color='white'>You must complete offers worth at least ".$dat['min_points']." points or $".$dat['min_cash']." to count towards contest!<br /><br />
    You must also complete at least ".$dat['min_offers']." offers in order to be eligible for winnings.</font><br /><br />";
    print" <table width ='100%'><tr><th align='left'>Place</th><th align='center'>User</th><th align='right'>Prize</th><th align='right'>Completed</th></tr>";

    if(mysql_num_rows($results == 0)){
    if($dat['r_type'] == 'points'){
    print"  <tr><td align='left'>{$a}</td><td align='center'>......</td><td align='right'>{$rewardsa[$i]} points</td><td align='right'>--</td></tr>";
    }
    if($dat['r_type'] == 'cash'){
    print"  <tr><td align='left'>{$a}</td><td align='center'>......</td><td align='right'>$".$rewardsa[$i]."</td><td align='right'>--</td></tr>";
    }
    $i++;
    $a++;
    }


    while ($place = mysql_fetch_array($results)) {
    if($dat['r_type'] == 'points'){
    print"  <tr><td align='left'>{$a}</td><td align='center'>{$place['username']}</td><td align='right'>{$rewardsa[$i]} points</td><td align='right'>{$place['completed']}</td></tr>";
    }
    if($dat['r_type'] == 'cash'){
    print"  <tr><td align='left'>{$a}</td><td align='center'>{$place['username']}</td><td align='right'>$".$rewardsa[$i]."</td><td align='right'>{$place['completed']}</td></tr>";
    }
    $i++;
    $a++;
    }
    }
    }
    }

    ?>  
    </table>
kira423
    Please learn about using parametrized queries. You are leaving yourself open to SQL injection. http://bobby-tables.com/php.html tells you how. Also, the `mysql_` functions you are using are deprecated. – Andy Lester Nov 23 '12 at 06:06
  • @AndyLester they are not deprecated just not recommended, and I can't leave myself open to injection if this page is not a form and does not insert anything into the database. I do have functions to help prevent against sql injections in pages that do post information, but that is totally irrelevant to the topic. On a side note I know how to use prepared statements, but this script was not built by me, I am editing it for someone and going through and changing the entire syntax is not happening. – kira423 Nov 23 '12 at 06:13
    You *are* open to SQL injection even if the code "does not insert anything into the database." – Andy Lester Nov 23 '12 at 06:19
  • Look, don't argue about this. SQL injection is *serious* business. Any time *any* unescaped variables go into a query you are vulnerable. **Period.** This is not an irrelevant topic. What you're doing here is scary, dangerous, and goes against many best practices. Please **do not** use `mysql_query` in new applications. It takes all of half an hour to [learn PDO](http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/) and it will save you considerable time and frustration in the future if used correctly. – tadman Nov 23 '12 at 06:24
  • From the look of things you should really spend more time reading the PHP documentation. The PHP [`implode`](http://php.net/manual/en/function.implode.php) function would take that gigantic ball of awful in the middle of the snippet here and replace it with one line. How you managed to miss that but still use the `explode` method, which does the exact opposite, is a mystery. – tadman Nov 23 '12 at 06:27
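The comments above ask for parameterized queries but do not show what that looks like for this script. The following is an added example, not code from the question or from the script being edited: the "problem area" rewritten with PDO prepared statements. It binds the country and timestamps, escapes `LIKE` wildcards, validates the table name derived from the contest name (identifiers cannot be bound), binds `LIMIT` as an integer, builds the reward list in a loop instead of the ten-branch chain, tests for an empty result set by looking at the fetched array (so the `mysql_num_rows($results == 0)` precedence slip cannot happen), and HTML-escapes output. The function names, the sample rows, and the in-memory SQLite database standing in for MySQL are assumptions of the example.

```php
<?php
// Added example, not code from the original post. Tables and columns follow the question
// (contest, <name>_contest, username, completed, reward_N, r_type); the function names are
// assumptions. PDO over an in-memory SQLite database stands in for MySQL so this runs offline.

// Escape LIKE metacharacters so a country value such as "100%" cannot widen the match;
// the ESCAPE clause in the query names the escape character used here.
function escapeLike(string $value, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $value);
}

// Identifiers cannot be bound, so the per-contest table name is validated against a strict
// pattern and backtick-quoted; anything else is rejected before it reaches SQL.
function contestTableName(string $contestName): string
{
    $tname = preg_replace('/\s+/', '', $contestName) . '_contest';
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $tname)) {
        throw new InvalidArgumentException("Unsafe table name derived from contest: $contestName");
    }
    return '`' . $tname . '`';
}

// Active contests for a country. The values are bound, so quotes in $country are data, not SQL.
function activeContests(PDO $db, string $country, int $now): array
{
    $stmt = $db->prepare('SELECT * FROM contest WHERE date_1 <= :start AND date_2 >= :end'
                       . " AND countries LIKE :country ESCAPE '!'");
    $stmt->execute([':start' => $now, ':end' => $now, ':country' => '%' . escapeLike($country) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Leaderboard for one contest; min_offers and the LIMIT are bound as integers, not interpolated.
function contestPlaces(PDO $db, array $contest): array
{
    $stmt = $db->prepare('SELECT username, completed FROM ' . contestTableName($contest['name'])
                       . " WHERE username <> 'admin' AND completed >= :min_offers"
                       . ' ORDER BY completed DESC LIMIT :limit');
    $stmt->bindValue(':min_offers', (int) $contest['min_offers'], PDO::PARAM_INT);
    $stmt->bindValue(':limit', max(1, (int) $contest['rewards']), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// reward_1 .. reward_N collected in a loop, replacing the ten-branch if/else chain.
function rewardList(array $contest): array
{
    $rewards = [];
    for ($i = 1; $i <= (int) $contest['rewards']; $i++) {
        $rewards[] = (string) $contest["reward_$i"];
    }
    return $rewards;
}

// One row per prize: the entrant in that place if there is one, otherwise an open "......" row.
// Testing the fetched array directly sidesteps the mysql_num_rows($results == 0) mistake.
function standings(PDO $db, array $contest): array
{
    $places = contestPlaces($db, $contest);
    $rows = [];
    foreach (rewardList($contest) as $idx => $prize) {
        $place = $places[$idx] ?? null;
        $rows[] = [
            'place'     => (string) ($idx + 1),
            'user'      => $place === null ? '......' : (string) $place['username'],
            'prize'     => $contest['r_type'] === 'cash' ? '$' . $prize : $prize . ' points',
            'completed' => $place === null ? '--' : (string) $place['completed'],
        ];
    }
    return $rows;
}

// Every dynamic value is HTML-escaped on output; the original prints usernames into HTML raw.
function renderStandings(array $contest, array $rows): string
{
    $h = static fn (string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    $out = '<h3>' . $h((string) $contest['name']) . '</h3><table>'
         . '<tr><th>Place</th><th>User</th><th>Prize</th><th>Completed</th></tr>';
    foreach ($rows as $r) {
        $out .= '<tr><td>' . $h($r['place']) . '</td><td>' . $h($r['user']) . '</td><td>'
              . $h($r['prize']) . '</td><td>' . $h($r['completed']) . '</td></tr>';
    }
    return $out . '</table>';
}

// --- constructed sample data so the example runs stand-alone ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE contest (name TEXT, countries TEXT, date_1 INTEGER, date_2 INTEGER, min_offers INTEGER,'
        . ' rewards INTEGER, r_type TEXT, reward_1 TEXT, reward_2 TEXT, reward_3 TEXT)');
$db->exec('CREATE TABLE `Winter_contest` (username TEXT, completed INTEGER)');
$db->exec("INSERT INTO contest VALUES ('Winter', 'US,CA', 0, 4102444800, 2, 3, 'points', '500', '250', '100')");
$db->exec("INSERT INTO `Winter_contest` VALUES ('admin', 99), ('<b>alice</b>', 7), ('bob', 3), ('carol', 1)");

// An injection attempt in the country value is matched literally and finds nothing.
if (activeContests($db, "US' OR '1'='1", time()) !== []) {
    throw new RuntimeException('prepared statement did not neutralise the input');
}
foreach (activeContests($db, 'US', time()) as $contest) {
    echo renderStandings($contest, standings($db, $contest)), "\n";
}
```

Against the real MySQL database only the DSN changes (`mysql:host=...;dbname=...`); set `PDO::ATTR_EMULATE_PREPARES` to `false` there so the server, not the client, separates the statement from its parameters. Note that the `$tname` whitelist is the one place where binding cannot help: a contest name is turned into a table name, so the name has to be constrained to a safe character set before it is spliced into the query.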

3 Answers


Replace `mysql_num_rows($results == 0)` with `mysql_num_rows($results) == 0` in your code.

Ravi

You should use `mysql_num_rows($results) == 0` instead.

akjoshi
mroytman

This

    if(mysql_num_rows($results == 0)){

should be

    if(mysql_num_rows($results) == 0){
asprin