I have no idea about PHP security, but if I add a ' to the input in my POST method form,
I get the following message:
Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /usr/local/www/login.php
Is that a SQL injection? If so, how can it be abused by the “hackers”?
That means you’re vulnerable to SQL injection, and your code is not doing sufficient checking for errors.
An absolute barebones “safe” bit of code would be:
Better yet, stop using the mysql functions and switch to PDO and parameterized queries. They handle the injection problems for you automatically.
The root cause of your error message is that your query has caused a syntax error. When a query fails outright like that,
mysql_query() returns a boolean FALSE value, not a statement handle. Since you lack any kind of error checking, you blindly took that boolean false and passed it on to the fetch function, which has rightfully complained that you didn’t provide a result handle.
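To make the two points in the answer concrete (unchecked FALSE from mysql_query(), and PDO prepared statements as the fix), here is an added example that is not code from the original question or answer. It assumes a users table with username and password_hash columns, and the DSN, user and password constants are placeholders to replace with your own. The commented-out mysql_* lines reproduce the failing pattern only for contrast; that extension was removed in PHP 7.

```php
<?php
// Added example, not from the original post. Assumes a `users` table with
// `username` and `password_hash` columns; connection constants are placeholders.

declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=app;charset=utf8mb4'; // placeholder
const DB_USER = 'app_user';   // placeholder
const DB_PASS = 'change-me';  // placeholder

// --- The pattern the question describes (contrast only; do not use) ---
// $result = mysql_query("SELECT * FROM users WHERE username = '$_POST[username]'");
// $row    = mysql_fetch_object($result);
// A stray quote in $_POST['username'] breaks the SQL string, mysql_query()
// returns boolean FALSE, and because nothing checks that return value the
// FALSE reaches mysql_fetch_object(), which emits the warning shown above.

/**
 * Connect with PDO configured so that every failure surfaces as an
 * exception (no silent FALSE) and statements are prepared server-side.
 */
function connect(): PDO
{
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_OBJ,
    ]);
}

/**
 * Look up a user by name. The value is bound as a parameter, so the SQL
 * text never changes regardless of which characters the user submits;
 * a quote in the name is just data, not syntax.
 */
function findUser(PDO $pdo, string $username): ?object
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();          // FALSE when no row matched
    return $row === false ? null : $row;
}

try {
    $pdo  = connect();
    // Default value is a constructed sample containing the quote from the question.
    $name = (string)($_POST['username'] ?? "O'Brien");
    $user = findUser($pdo, $name);
    echo $user === null ? "no such user\n" : "found user id {$user->id}\n";
} catch (PDOException $e) {
    // Keep driver detail in the server log; give the client only a generic message.
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    echo "internal error\n";
}
```

With ERRMODE_EXCEPTION set, a malformed query or a lost connection throws instead of returning FALSE, so the "not a valid MySQL result resource" class of bug cannot recur unnoticed; the catch block is the error checking the answer says is missing.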