Help with deprecated php

<?php

// Returns the number of rows $q would produce, using the mysql_ extension
// (deprecated in PHP 5.5 and removed in PHP 7).
function NumRows($q) {
	// Note: strpos() takes (haystack, needle), so this looks for the whole
	// query inside the string 'GROUP BY'. It is therefore almost always FALSE
	// and the COUNT(*) branch below runs even for GROUP BY queries.
	if (strpos('GROUP BY', $q) === FALSE) {
		// Rewrite the select list to COUNT(*) and read back the single value.
		$q = preg_replace("/SELECT(.+?)FROM/", 'SELECT COUNT(*) FROM', $q);
		// The @ hides the deprecation warning as well as any real query error.
		$res = @mysql_query($q) or die("error: table not found");
		$row = mysql_fetch_row($res);
		mysql_free_result($res);
		return $row[0];
	} else {
		// Run the query as written and count the rows in the result set.
		$res = mysql_query($q);
		$nr = mysql_num_rows($res);
		mysql_free_result($res);
		return $nr;
	}
}

?>

This code returns a warning when used with php version 5.6 or higher.

I would appreciate some help.

Thanks.

That is seriously obsolete and one should never use @ to suppress errors. Take a look at https://phpdelusions.net/pdo or any CURRENT tutorial that deals with PDO (My recommendation) or mysqli.

What strider64 said; the mysql_ functions are all obsolete. It’s fairly straightforward to swap them for mysqli_ functions; PDO is a little more involved but generally considered to be the current standard.

You should also consider whether this is the right approach in general; this function will return weird results for most GROUP BY queries.

some_field | some_other_field
a          | 10
a          | 14
b          | 12
c          | 19
c          | 19
c          | 12
c          | 14

SELECT some_field, count(*) as num_results FROM some_table GROUP BY some_field;

The above query, running on the above table, would return:

some_field | num_results
a          | 2
b          | 1
c          | 4

Although not necessarily in that order. For that same query, your function would return either 1, 2, or 4 depending on what order the results were returned in. If you want to get counts from the database, you’d be better off explicitly building the new query and sending that.

Because the mysql_ extension broke function scope (the last connection made is globally available) and because magic_quotes has also been removed from php, eliminating some of the security for string data values breaking sql query syntax, updating old code requires more than just getting code to work without producing errors. In addition to updating the database extension being used, you need to go through every query that has external, unknown, dynamic data being put into it to ensure that it is secure for all types of data.

The best, fool-proof way of ensuring that any external, unknown, dynamic data values cannot break the sql query syntax, for all types of data, is to use a prepared query. This involves removing the variables holding the data values from the sql query statement, along with any single-quotes around the values, any {} that may be around the variables, and any concatenation dots, replacing each value in the sql query statement with a ? placeholder, preparing the sql query, and then supplying the actual data values when the query gets executed. You can then write a general query method/function, that accepts the sql query statement and an optional 2nd call-time parameter consisting of an array of the input values. If the 2nd parameter is missing, the code would just use a normal, non-prepared query to directly execute the sql query statement. If the 2nd parameter is used, the code would prepare the sql query statement, then supply the input values when the query gets executed. If you switch to the much simpler PDO extension, doing this is easy, since you can just supply the array of input values directly to the ->execute(…) call. You can also supply an empty array to the ->execute(…) call, so that any dynamically built sql query statements, that may end up without any values being put into them, will work without additional handling.

Approximately how many total mysql_* statements are there and how many mysql_query() statements are in the code making up the project?

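As an added example (not code posted in this thread), here is the helper described in the post above written against PDO: one query() function that takes the sql statement and an optional array of values, running a plain query when no array is given and a prepared statement otherwise, plus a replacement for the NumRows() function that counts rows by wrapping the original statement in a derived table, so a GROUP BY query is counted as the number of groups it returns. The DSN, credentials, table and column names are placeholders, and the wrapped statement is assumed to carry no trailing semicolon.

```php
<?php
// Added example, not the original poster's code. Assumes PDO with the
// MySQL driver; DSN, credentials and table name are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, no @ needed
        PDO::ATTR_EMULATE_PREPARES   => false,                 // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/**
 * Run $sql. With no $params a plain query is executed; with $params
 * (even an empty array) the statement is prepared and the values are
 * supplied at execute time, so they can never alter the sql syntax.
 */
function query(PDO $pdo, string $sql, ?array $params = null): PDOStatement
{
    if ($params === null) {
        return $pdo->query($sql);
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

/**
 * Count the rows $sql would return. Wrapping the statement in a derived
 * table counts rows of the finished result, so a GROUP BY query yields
 * the number of groups rather than the first group's COUNT(*).
 * Assumes $sql has no trailing semicolon.
 */
function numRows(PDO $pdo, string $sql, ?array $params = null): int
{
    $count = 'SELECT COUNT(*) FROM (' . $sql . ') AS row_count_subquery';
    return (int) query($pdo, $count, $params)->fetchColumn();
}

// Usage: the external value travels through a ? placeholder, never the sql string.
$minValue = $_GET['min'] ?? 0;
$sql = 'SELECT some_field, COUNT(*) AS num_results FROM some_table'
     . ' WHERE some_other_field >= ? GROUP BY some_field';
echo numRows($pdo, $sql, [$minValue]), " groups\n";
foreach (query($pdo, $sql, [$minValue]) as $row) {
    echo $row['some_field'], ': ', $row['num_results'], "\n";
}
```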