Hello everybody,
first let me say I am a newbie in PHP. Nevertheless, I had a script that was working (and still is) fine on my old host.

Script was as follows:
Page1
1) page was loading with a preview of some articles, coming from a table in a database.
2) there was a link created with $id for each article to click on and move to page2

Page2
1) when the user clicked on the article with $id=5, for example, s/he was transferred to the page www.mysite.com/articleid.php?id=5.
2) there, s/he could read the full article.

Pretty basic stuff one would say.

HOWEVER

Since I've moved hosts, the script is no longer working.
When I hover the mouse over the link I can see in the status bar of IE (or Firefox) that the link appears correctly (i.e. $id has a number).
However, when I click on the link and am transferred to Page2 I get the error
Warning: mysql_numrows(): supplied argument is not a valid MySQL result resource in bla bla bla

I am completely puzzled and don't know what to do. I've spent 5 days reading on the net, but I keep going around in circles.
Please help me.

I attach the code of the pages:

Page 1.php


<? require("/path/to/database/connect.php");





$query="SELECT * FROM table ORDER BY Date Desc, ID DESC";
$result=mysql_query($query);

$num=mysql_numrows($result); 

mysql_close();

?>


<?
$i=0;
$ID=mysql_result($result,$i,"ID");
$Category=mysql_result($result,$i,"Category");
$Title=mysql_result($result,$i,"Title");
$Picture=mysql_result($result,$i,"Picture");
$Picturetext=mysql_result($result,$i,"Picturetext");
$Preview=mysql_result($result,$i,"Preview");
$Fullview=mysql_result($result,$i,"Fullview");
$Author=mysql_result($result,$i,"Author");
$Date=mysql_result($result,$i,"Date");
?>


<table style="BORDER-COLLAPSE: collapse" borderColor="#cccccc" cellSpacing="0" width="100%" align="center" border="0">
  <tr>
    <td width="100%" bgColor="#000000" height="30">


<b>
<a href="<? echo "http://www.mysite.com/articleid.php?ID=$ID"?>" target="_top" style="font-family: Verdana, sans-serif; font-size: 10pt; color: #ffffff; text-decoration: none"><? echo "$Title"; ?></a>
</b>
<hr>
  <tr>
    <td bgColor="#000000" style="font-family: Verdana, sans-serif; font-size: 8pt; COLOR=#ffffff">


      <? echo "<img border='1' src='$Picture' align='right' width=110 height=110 alt='$Picturetext'  COLOR='#0000ff' HSPACE=5 VSPACE=5>"; ?>
<? echo "$Preview"; ?> 


</font>
<span style="font-size: 8pt"><i>


<a href="<? echo "http://www.mysite.com/articleid.php?ID=$ID"?>" target="_top"><? echo "Read more"; ?></i></a>

</span></td>
  </tr>
</table>
<p>

and


Page2.php

<?

require("/path/to/database/connect.php");




$query="SELECT * FROM table WHERE ID=$ID";
$result=mysql_query($query);

$num=mysql_numrows($result); 

mysql_close();

?>


<?
$i=0;
while ($i < $num) {
$ID=mysql_result($result,$i,"ID");
$Title=mysql_result($result,$i,"Title");
$Preview=mysql_result($result,$i,"Preview");
$Picture=mysql_result($result,$i,"Picture");
$Picturetext=mysql_result($result,$i,"Picturetext");
$Fullview=mysql_result($result,$i,"Fullview");
$Author=mysql_result($result,$i,"Author");
$Email=mysql_result($result,$i,"Email");
$Date=mysql_result($result,$i,"Date");

?>

<font face="Verdana">



<center>
            <table border="1" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="99%" id="AutoNumber24">
              <tr>
                <td width="100%"  height="30" bgcolor="#CCCCCC">





<? echo "<b><center><font size=H1>$Title</font></center></b>"; ?>






</td>
              </tr>
            </table>
            </center>


<p>

<? echo "<img border='1' src='$Picture' align='right' width=150 height=150 alt='$Picturetext'  COLOR='#0000ff' HSPACE=5 VSPACE=5>"; ?>
<? echo "$Preview"; ?><br><br>
<? echo "$Fullview"; ?><br><br>
<a href="mailto:<? echo "$Email"; ?>"><? echo "$Author"; ?></a><? echo ", $Date"; ?>
</font>

<?

$i++;
}



?>

Any idea what is wrong?
Many thanks,
pipo

    You should print the failed query. My guess is that your new server has register_globals = off.

    Also, I'll note that your URL has id where your code has $ID.

    So before referencing $ID on your new server, you need to add a line:
    $ID=$_GET['id'];

      Also note that your script is vulnerable to SQL injection attacks. User-supplied data should never be placed directly into a SQL query; instead it should first be sanitized with a function such as mysql_real_escape_string(). Note that intval() (or casting $_GET['id'] to an integer) would be a better solution in this case if 'id' is an AUTO_INCREMENT column, for example.

      In addition, code such as:

      $ID = $_GET['id'];

      is generally considered sloppy - what if $_GET['id'] doesn't exist? You should first check to see that the incoming variable in question is set (e.g. with isset() or empty()) before you simply use it in your code.
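The fixes from the two replies above, combined into one hardened articleid.php. This is an added example, not code from the thread: it reads the id from $_GET (the register_globals fix), checks it with isset() and casts it to an integer as suggested, and also checks the return value of mysql_query() so that a failed query is logged instead of being handed to mysql_num_rows(), which is what produced the warning in the original post. The table and column names are the ones from the posted script; the HTTP status handling and the output escaping with htmlspecialchars() are additions that go beyond what the thread discusses.

```php
<?php
// Added example, not the original poster's code: articleid.php rewritten so
// it no longer depends on register_globals and no longer puts raw user input
// into SQL. Assumes connect.php opens the mysql_* link and that the table is
// named `table` with an integer AUTO_INCREMENT column `ID`, as in the thread.
require("/path/to/database/connect.php");

// 1. register_globals = off: the query-string parameter must be read from
//    $_GET explicitly. The posted link writes "?ID=", and PHP array keys are
//    case-sensitive, so the key here must match the link exactly.
if (!isset($_GET['ID'])) {
    header('HTTP/1.0 400 Bad Request');
    exit('Missing article id');
}

// 2. The column is numeric, so force the value to an integer. Anything that
//    is not a plain number ("5 OR 1=1", "5; DROP TABLE ...") becomes 5 or 0.
$ID = (int) $_GET['ID'];
if ($ID <= 0) {
    header('HTTP/1.0 404 Not Found');
    exit('No such article');
}

// 3. Build the query from the sanitised integer only.
$query  = "SELECT * FROM table WHERE ID=$ID";
$result = mysql_query($query);

// 4. Check the result instead of passing FALSE to mysql_num_rows(); that is
//    exactly the "not a valid MySQL result resource" warning. Log the failed
//    query and the error server-side; do not echo them to the visitor.
if ($result === false) {
    error_log("Query failed: $query -- " . mysql_error());
    header('HTTP/1.0 500 Internal Server Error');
    exit('Database error');
}

if (mysql_num_rows($result) === 0) {
    header('HTTP/1.0 404 Not Found');
    exit('No such article');
}

// 5. Fetch one row as an array and escape the short fields on output so that
//    a quote or tag stored in Title/Author/Email cannot inject markup.
$row = mysql_fetch_assoc($result);
mysql_close();

$Title  = htmlspecialchars($row['Title'],  ENT_QUOTES, 'UTF-8');
$Author = htmlspecialchars($row['Author'], ENT_QUOTES, 'UTF-8');
$Email  = htmlspecialchars($row['Email'],  ENT_QUOTES, 'UTF-8');
$Date   = htmlspecialchars($row['Date'],   ENT_QUOTES, 'UTF-8');
?>
<h1><?php echo $Title; ?></h1>
<?php echo $row['Fullview']; // article body: HTML written by the site owner, output as-is ?>
<p><a href="mailto:<?php echo $Email; ?>"><?php echo $Author; ?></a>, <?php echo $Date; ?></p>
```

The integer cast is the whole SQL-injection fix for this page: once $ID can only be a number, there is nothing left for an attacker to add to the WHERE clause. Note that mysql_real_escape_string() would not have helped here on its own, because the value is not inside quotes in the query; escaping protects quoted string literals, and a bare numeric value must be cast or formatted as a number instead.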

        You guys are great.
        It was the register_globals issue. You must have experience to think of this I guess...

        Anyway, the script is now working thanks to you, but I am a little worried about security, thanks to bradgrafelman hahaaha. I've read the link you gave me, but it is pretty complicated to me.

        Can you help me recode the script or walk me through it because I don't fully understand what I'm supposed to do...

        Thanks again!

        pipo

          Essentially, you simply need to pass all incoming data (e.g. that from $_GET, $_POST, $_COOKIE, etc.) through mysql_real_escape_string() instead of simply inserting the data into a query. Example, this code:

          $query = "SELECT foo FROM bar WHERE foobar = '" . $_POST['foobar'] . "'";

          should be:

          $query = "SELECT foo FROM bar WHERE foobar = '" . mysql_real_escape_string($_POST['foobar']) . "'";

          If you have a lot of variables, I find that using sprintf() makes your code look a bit nicer:

          $query = sprintf("INSERT INTO myTable (fname, lname, nickname, age) VALUES ('%s', '%s', '%s', %d)",
              mysql_real_escape_string($_POST['fname']),
              mysql_real_escape_string($_POST['lname']),
              mysql_real_escape_string($_POST['nickname']),
              $_POST['age']);

          Note that no escaping was needed for $_POST['age'] since the '%d' format automatically forces the data to be a numeric type (thus malicious users can't inject non-numeric data through that variable).

          If you search the web (or even this forum) for SQL injection, you should find a plethora of information.
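The sprintf() pattern from the reply above, applied to string fields rather than the numeric id. This is an added example, not code from the thread: the author/category/year search form is an assumption, as is the assumption that connect.php has opened the mysql_* link (mysql_real_escape_string() needs an open connection). The vulnerable builder is kept beside the escaped one so the difference is visible; it is never called.

```php
<?php
// Added example, not from the thread: escaping string parameters with
// mysql_real_escape_string() and sprintf() for a hypothetical search on the
// thread's `table`. Assumes connect.php has opened the mysql_* link; the
// form fields author, category and year are assumptions.
require("/path/to/database/connect.php");

// VULNERABLE (for comparison only, never called): user input dropped
// straight into the quoted literals. With author = "x' OR '1'='1" the
// clause becomes  Author = 'x' OR '1'='1' AND ...  and matches every row;
// a payload ending in "-- " comments out the rest of the statement.
function search_vulnerable(array $in)
{
    return "SELECT Title FROM table WHERE Author = '" . $in['author'] .
           "' AND Category = '" . $in['category'] .
           "' AND YEAR(Date) = " . $in['year'];
}

// HARDENED: each string goes through mysql_real_escape_string(), so the
// quote in the payload is written as \' and stays inside the literal; the
// numeric field uses %d, so sprintf() coerces "2009 OR 1=1" to 2009.
// Escaping only protects values inside quotes: a bare number must be cast
// or formatted with %d, never merely escaped.
function search_escaped(array $in)
{
    return sprintf(
        "SELECT Title FROM table WHERE Author = '%s' AND Category = '%s' AND YEAR(Date) = %d",
        mysql_real_escape_string($in['author']),
        mysql_real_escape_string($in['category']),
        $in['year']
    );
}

// Check that every field is present before touching it, as the earlier
// reply recommends, instead of letting PHP warn about undefined indexes.
foreach (array('author', 'category', 'year') as $f) {
    if (!isset($_POST[$f]) || $_POST[$f] === '') {
        header('HTTP/1.0 400 Bad Request');
        exit("Missing field: $f");
    }
}

$query  = search_escaped($_POST);
$result = mysql_query($query);
if ($result === false) {
    // Log the failed query server-side; never print it to the visitor.
    error_log("Query failed: $query -- " . mysql_error());
    header('HTTP/1.0 500 Internal Server Error');
    exit('Database error');
}

while ($row = mysql_fetch_assoc($result)) {
    echo htmlspecialchars($row['Title'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
mysql_close();
```

One caveat for anyone reading this thread today: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. Its replacements, mysqli and PDO, support prepared statements, which send the parameters to the server separately from the SQL text, so no escaping step is needed at all; the validation shown here (check that the field is set, cast numbers to integers) still applies there.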
