Link to home
Create AccountLog in
Avatar of psimation
psimationFlag for South Africa

asked on

mysql_affected_rows / mysql_num_rows

HI Experts

OK, so I am a bit baffled now:

I know that when using a SELECT statement, I should use mysql_num_rows to determine if the resultset contains any rows, but here is what is baffling me:

It seems that while I was a bit absent minded, I produced the following code, and only saw it now when I re-examined some other code. What baffles me is that this code snippet is producing the expected results, even though it shouldn't!

Am I missing something? Maybe my code only "works" because I made two mistakes and somehow, in this case, two wrongs are in fact making a right?

function myDBValidationFunction($ajax)
{
$objResponse7 = new xajaxResponse(); 
 
$link = mysql_connect("myserver:3307", "user","pass");        
mysql_select_db("DB");
$username = mysql_real_escape_string($ajax[username]);
$password = mysql_real_escape_string($ajax[password]);  
 
$sql = "select * from users where username = \"$username\" and password = \"$password\" ";
$result = mysql_query($sql);     
if (mysql_affected_rows()){
$_SESSION[authed] = "true";
$myrow = mysql_fetch_assoc($result);
$_SESSION[name] = $myrow[name];
$_SESSION[uid] = $myrow[id];
$_SESSION[level] = $myrow[level];
$objResponse7->loadCommands(myDBReadFunction());
} elseif(mysql_affected_rows() == "0") {
$_SESSION[authed] = "false";
$objResponse7->loadCommands(myDBLoginFunction());	
}
return $objResponse7;
}

Open in new window

Avatar of Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3]
Flag of Luxembourg image

mysql_num_rows is ONLY for SELECT.
mysql_affected_rows is for UPDATE, DELETE, INSERT
so, your code should read:
function myDBValidationFunction($ajax)
{
$objResponse7 = new xajaxResponse(); 
 
$link = mysql_connect("myserver:3307", "user","pass");        
mysql_select_db("DB");
$username = mysql_real_escape_string($ajax[username]);
$password = mysql_real_escape_string($ajax[password]);  
 
$sql = "select * from users where username = \"$username\" and password = \"$password\" ";
$result = mysql_query($sql);     
if (mysql_num_rows() > 0){
  $_SESSION[authed] = "true";
  $myrow = mysql_fetch_assoc($result);
  $_SESSION[name] = $myrow[name];
  $_SESSION[uid] = $myrow[id];
  $_SESSION[level] = $myrow[level];
  $objResponse7->loadCommands(myDBReadFunction());
} else {
  $_SESSION[authed] = "false";
  $objResponse7->loadCommands(myDBLoginFunction());      
}
return $objResponse7;
}

Open in new window

Avatar of psimation

ASKER

Hi Angelllllllll ;)

Yes, I realise that, but what I'm asking is WHY is my obviously erroneous code working???

Is my code currently making another "mistake" that somehow makes it work even though I'm using the wrong function?
you must have some UPDATE/INSERT/DELETE before the SELECT? ...
If you want to dig, you should display the values for both mysql_num_rows() and mysql_affected_rows(), it might help finding which queries were causing the data.
Hi Fibo

OK, firstly, just for clarification, I don;t have mysql_num_rows() anywhere in my code - although I know that it is supposecd to be the correct function to use.

angelll;

I don;t have any other sql executions before the call to that function.

I tested to make sure that it might not simply be that the $_Session[authed] may stay resident, but after flushing the session vars, opening a new browser and testing from scratch, the function still works WITH mysql_affected_rows(). When I use a wrong username/password, it correctly throws the user back to the login function, showing me that it has stepped through the if statement correctly and called the login function instead of the display function. ( note I specifically used a elseif with a set condition of == "0" to make sure that it does not simply redirect the user to the login...

When I use the correct username and password, it correctly steps into the if and calls the display function, meaning that the mysql_affected_rows() returned  a number greater than 0...

Psimation:

There are 2 aspects to your questions:
- "what should I use?" And you know the answer: use mysql_num_rows() since you know this is the correct solution, and the one which is "guaranteed" to work in whichever version of Linux / Windows, php and mysql.

- "isn't it funny it is working and why?" and this is a brain challenge "for the fun".
Since your program finds that mysql_affected_rows() has a value, something you did not expect,... display this value so that you get a better appreciation of what is happening; at the same time, display the value expected to be correct, ie mysql_num-rows(). Whether these values are the same or different, this will help you to better find the cause.
Hi Fibo

I completely understand what you are saying; I did the "test", and both mysql_affected_rows() and mysql_num_rows($result) return the same result when either the correct details are used (1), or when I use wrong details (0)

Are there any "special" circumstances where mysql_affected_rows could return results from a SELECT statement?

Again, there is NO update/insert/replace etc statement possible before this code runs...

For me the "why is it working" is not simply a little brain teaser - I'm concerned, as stated before, that the unexpected results could be as a result of errors or logic problems in my routine - which could cause security issues further down in my application.

My page loads the "myDBLoginFunction" onLoad, and that simply is a form with two fields that is intercepted and sent to the function I posted on an onclick event. There is nothing else I can think of that could cause mysql_affected_rows to return a value other than if I'm making the wrong assumption about mysql_affected_rows, and there are in fact circumstances where it could display results from a select?

I don't know, hence my post here.

ASKER CERTIFIED SOLUTION
Avatar of Guy Hengel [angelIII / a3]
Guy Hengel [angelIII / a3]
Flag of Luxembourg image

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer
SOLUTION
Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.