How to resolve this? Correct output is not showing. Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\sms\admin\upstu.php on line 49

Question

0.00/5 (No votes)

See more:

PHP

<?php
session_start();
if(isset($_SESSION['uid']))
{
echo "";
}
else
{
header('location: ../login.php');
}
?>


<?php
include('header.php');
include('titlehead.php');
?>



<table align="center"><tbody><tr><th>  Enter Standard  </th><td>     </td></tr><tr><th>  Enter Student Name </th><td>  
   </td></tr><tr><td></td><td colspan="2"></td></tr></tbody></table>


<?php
if(isset($_POST['submit']))
{
 	include('../dbcon.php');
 	$standard=$_POST['std'];
 	$name=$_POST['name'];
 	$sql="SELECT * FROM `student` WHERE `standard`='$standard' AND `name` LIKE '%$name%'";
 	$run=mysqli_query($con,$sql);
		
		if( mysqli_num_rows($run)<1 )
 		{
		     echo "";
	    }
		else
	{ 
	$count=0;
 	while($data=mysqli_fetch_assoc($run))
   {
   $count++;
	?>

	    
    <?php
  
}
}
}
?>

What I have tried:

I have tried searching on google. But I got No clues as how to resolve this error. I have tried some other ways too but nothing is working.

HTML

<table align="center" width="80%" border="1" style="margin-top: 10px"><tbody><tr><th>No</th><th>Img</th><th>Name</th><th>Roll No</th><th>Edit</th></tr><tr><td colspan="5">no records found</td></tr><tr>		<td>  <?php echo $count; ?> </td>		<td></td>		<td> <?php echo $data['name']; ?> </td>		<td>  <?php echo $data['rollno']; ?> </td>		<td>  EDIT </td>	</tr></tbody></table>

Posted 31-Mar-18 3:51am

Member 13756122

Updated 31-Mar-18 6:20am

Patrice T

v4

Add a Solution

Comments

[no name] 31-Mar-18 9:55am

Try this: Google[^]

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Patrice T · Answer 1 · 2018-03-31T04:28:00

Solution 1

PHP

$sql="SELECT * FROM `student` WHERE `standard`='$standard' AND `name` LIKE '%$name%'";

Not a solution to your question, but another problem you have.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]

Posted 31-Mar-18 4:28am

Patrice T

Comments

[no name] 31-Mar-18 10:56am

Sorry, don't see in the code where he is concatenating the SQL. More I'm missing the part where he correctly defines/sets the Parameter :-)

Please do yourself a favor and don't post template answers where it does not fit ;)

OriginalGriff 31-Mar-18 11:24am

Sorry, but PHP is nasty in that regard:

$sql="...$standard...";

includes the content of the variable $standard in the string itself - that is the concatenation ppolymorphe was talking about.

[no name] 31-Mar-18 11:26am

Thank you sir.

OriginalGriff 31-Mar-18 11:35am

You're welcome!

Patrice T 31-Mar-18 11:58am

Thank you for the defense.

Patrice T 31-Mar-18 11:56am

Hi,
thank you for this message, I prefer such a comment where one can argue or explain things, rather than an anonymous downvote.
As OG already said, php is nasty.
I hope you don't mind standard answers, SQL injection is so common!

[no name] 31-Mar-18 12:06pm

I learned once again: Don't answer/comment a Thing about which you are not safe about it.

Sorry for that!

Patrice T 31-Mar-18 12:14pm

You are welcome.
I still learning too.

OriginalGriff 31-Mar-18 12:09pm

I didn't say "PHP is nasty".

I just thought it... :laugh:

[no name] 31-Mar-18 12:12pm

You wrote it ;p

OriginalGriff 31-Mar-18 12:22pm

That's called "taking a quote out of context" and is generally frowned upon.

[no name] 31-Mar-18 12:24pm

You will now Report me as abuse ? :(

OriginalGriff 31-Mar-18 13:21pm

Why would I do that? :laugh:
Have you done something abusive I don't know about?

Patrice T 31-Mar-18 12:17pm

My apologize for cutting the quote :)

OriginalGriff 31-Mar-18 12:23pm

No problem - it's exactly what I was thinking! :laugh: