How to query database for an IP - Error

Question

I am trying to make it so that if their IP is in the database then they can't send an email. In the php54_errors file it says

[30-Dec-2012 18:25:26 Europe/Dublin] PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, string given in C:\inetpub\wwwroot\Submit.php on line 6
[30-Dec-2012 18:25:26 Europe/Dublin] PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, null given in C:\inetpub\wwwroot\Submit.php on line 7

My PHP code is this

<?php
include("connect.php");
mysql_select_db("ip", $con);
$ip = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$query = "SELECT * FROM ip WHERE ip='$ip'";
$result = mysql_num_rows($query);
if (mysql_num_rows($result) > 0) {
    echo "You have already registered!";
}
else { 
    echo"Your request has been sent!";
    $to = "admin@prisoneternity.org.uk";
    $subject = "Guard Application";
    $from = "guardapplication@prisoneternity.org.uk";
    $headers = "From:" . $from;
    $message = "IGN = " . $_POST["Username"] . "</br>\n\nage = " . $_POST["age"] . "</br>\n\nreason = " . $_POST["reason"] . "</br>\n\nHow many times have they been guard = " . $_POST["guard"] . "</br>\n\nOther Details = " . $_POST["text"];
    mail($to,$subject,$message,$headers);
    header ("Location: index.php?email=yes");
    session_start();
    mysql_query("INSERT INTO ip (IP) VALUES ('$ip')");
}
?>

Answer 1

On the second line, mysql_num_rows is returning an integer because the $result variable is already calling the function, if that makes sense. Change it to this:

$result = mysql_num_rows($query);
if ($result > 0) {

Also, you're not running the query:

$query = "SELECT * FROM ip WHERE ip='$ip'";

Change the above line to this:

$query = mysql_query("SELECT * FROM ip WHERE ip='$ip'");

On a side note, mysql_* functions are deprecated. I'd switch to PDO or MySQLi — examples can be found in the PHP Manual.

Answer 2

$result = mysql_num_rows($query);
if (mysql_num_rows($result) > 0) {

should be:

$result = mysql_query($query);
if (mysql_num_rows($result) > 0) {

You were not running the mysql_query(), instead calling mysql_num_rows() twice. Simple accident =o) Btw you should be using PDO or MySQLi.

Also:

echo"Your request has been sent!";
$to = "admin@prisoneternity.org.uk";
$subject = "Guard Application";
$from = "guardapplication@prisoneternity.org.uk";
$headers = "From:" . $from;
$message = "IGN = " . $_POST["Username"] . "</br>\n\nage = " . $_POST["age"] . "</br>\n\nreason = " . $_POST["reason"] . "</br>\n\nHow many times have they been guard = " . $_POST["guard"] . "</br>\n\nOther Details = " . $_POST["text"];
mail($to,$subject,$message,$headers);
header ("Location: index.php?email=yes");
session_start();
mysql_query("INSERT INTO ip (IP) VALUES ('$ip')");

Should be:

$to = "admin@prisoneternity.org.uk";
$subject = "Guard Application";
$from = "guardapplication@prisoneternity.org.uk";
$headers = "From:" . $from;
$message = "IGN = " . $_POST["Username"] . "</br>\n\nage = " . $_POST["age"] . "</br>\n\nreason = " . $_POST["reason"] . "</br>\n\nHow many times have they been guard = " . $_POST["guard"] . "</br>\n\nOther Details = " . $_POST["text"];
mail($to,$subject,$message,$headers);
//header ("Location: index.php?email=yes");
session_start();
echo"Your request has been sent!";
mysql_query("INSERT INTO ip (IP) VALUES ('$ip')");

You can not echo content before header() or session_start(), also the echoed text will not be seen as you are doing a redirect. You need to choose which one you want to do. I commented out the header() above but you can do the opposite. Also make sure you sanitize ALL $_POST values for \r and \n characters to prevent mail header injection attacks.