1

I would like to get the number of rows that satisfy the condition.

mysql_query("SELECT COUNT(*) FROM sid WHERE sid='".session_id()."'");

This one ignores the condition.

update:

$session = session_id();
$sql = "SELECT COUNT(*) as row_count FROM sid WHERE sid = '$session' ";
var_dump($r = mysql_query($sql));//resource(4) of type (mysql result) (1)
var_dump(mysql_fetch_assoc($r));
//array(1) { ["row_count"]=> string(1) "1" }  - this result is OK(2)

(1) resource(4) - I thought that 4 was the count

(2) mysql_real_escape_string($_SESSION['id']); gives 0

note:

I have changed from mysql_num_rows to this way of getting the count because I thought it would immediately return the count and I wouldn't have to write more lines to get this basic data.

8
  • 1
    Well it shouldn't - why are you so sure it does? Commented Nov 17, 2011 at 10:33
  • 1
    Somewhat unrelated: if the session_id() can be manipulated by the user in any way (i.e. comes from a cookie or URL parameter - not a PHP specialist), this code is vulnerable to SQL injection and should be fixed. Commented Nov 17, 2011 at 10:36
  • @Romain you make a valid point, although I think that PHP is intelligent enough to spot this/will not allow it anyway, as (at least) '; are not valid characters in a session id, and if you send an invalid session id, a call to session_start() will create a new session and generate a new id. Still +1 for your comment, though, as I'm not 110% sure about this. Commented Nov 17, 2011 at 10:46
  • @DaveRandom, the ; is not a possible vector for SQL-injection attacks. mysql_query does not allow multiple queries, the XKCD is incorrect and that attack is impossible. What is possible is a ' or (1=1) UNION SELECT username, password, email FROM users -- kind of injection. Of course ' can be encoded in clever ways. You should never rely on internals, but just escape everything before injecting it into the SQL-statement. Commented Nov 17, 2011 at 10:54
  • @Johan Fair enough - I am not that hot on exactly what SQL injection attacks are possible for any given query, so I tend to just escape everything (to a possibly unnecessary level) but it's nice to see that some people have a clue what's going on... Commented Nov 17, 2011 at 11:00

3 Answers

2

The correct way of doing this is:

$session = mysql_real_escape_string($_SESSION['id']);  // <-- get the session id
echo "debug: session_id = ".htmlentities($session);
$sql = "SELECT count(*) as row_count FROM tablename WHERE sid = '$session' ";
$result = mysql_query($sql);
if (!$result) {
  die('error in query '.$sql.' error is: '.mysql_error());
}
//we only have 1 result
$row = mysql_fetch_array($result);
//always sanitize so you don't suffer XSS attacks when the query changes   
//and the $row['x'] changes from an integer to a user-supplied string.
$count = intval($row['row_count']);  
echo "count is: ".$count;

The table name and the column name can be the same, but in your case they probably are not.
sid obviously stands for the field "session_id", so you need to replace the first sid after FROM with your tablename.


1 Comment

+1 ...and then (for clarity) $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $count = $row['row_count'];
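
An added example (not from the question or any answer on this page): the same count done with a PDO prepared statement, so the session id is bound as a value instead of being concatenated into the SQL, and `fetchColumn()` hands back the count directly. The in-memory SQLite database, the `sessions` table, the `countSessionRows` helper and the sample rows are assumptions made so the code runs offline; in the asker's code the argument would be `session_id()`.

```php
<?php
// Added example: count rows for a session id using a bound parameter.
// Assumptions: table "sessions" with column "sid"; in-memory SQLite so the
// script runs offline. With MySQL only the DSN passed to PDO changes.

function countSessionRows(PDO $db, string $sid): int
{
    // The placeholder keeps $sid out of the SQL text entirely, so quotes
    // or SQL keywords inside it cannot change the structure of the query.
    $stmt = $db->prepare('SELECT COUNT(*) FROM sessions WHERE sid = :sid');
    $stmt->execute([':sid' => $sid]);

    // COUNT(*) always produces exactly one row with one column;
    // fetchColumn() returns that single value without an extra fetch step.
    return (int) $stmt->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly

$db->exec('CREATE TABLE sessions (sid TEXT NOT NULL)');

// Constructed sample data: two rows for one session id, one for another.
$insert = $db->prepare('INSERT INTO sessions (sid) VALUES (?)');
foreach (['abc123', 'abc123', 'def456'] as $sid) {
    $insert->execute([$sid]);
}

// A session id that exists and one that does not.
var_dump(countSessionRows($db, 'abc123'));
var_dump(countSessionRows($db, 'missing'));

// The quote-based input discussed in the comments is bound as a plain
// string, so it can only match a row whose sid is literally this text.
var_dump(countSessionRows($db, "' or (1=1) -- "));
```

The `mysql_*` functions used elsewhere on this page were removed in PHP 7, so PDO or mysqli is required on current PHP versions in any case.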
0

table name = "sessions"

column name = "sid"

mysql_query("SELECT COUNT(*) FROM sessions WHERE sid='".session_id()."'");


0

First write your query in a PHP variable and echo it to check what session_id() returns, and then try it; maybe there is nothing in your session_id(). Like:

$sql = "SELECT COUNT(*) FROM sid WHERE sid='".session_id()."'";
echo $sql;

and run it in phpMyAdmin. If it works, then your query is right; else something is wrong.
