When I run my code I'm facing the following 2 errors:
mysql_num_rows() expects parameter 1 to be resource, boolean
That happens on rare lines of the file. The rest of them work just fine.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't '' at line 1
Yes, it's vulnerable, I see. It's probably some weird characters causing the issue, but I can't really edit them, because I save the words to the db for md5ing them.
I assume mysql_real_escape_string will add some slashes which will give me another md5 value. So how can I not edit the data and get the script secure at the same time?
require ("dbconnect.php");
$list = fopen("huge.txt","r");
//convert and save to db
while(!feof($list))
{
    $word = fgets($list);
    //check if already in db.
    //$word goes into the query unescaped (the vulnerability discussed above)
    $check = mysql_query("SELECT id FROM `database` WHERE word='$word'") or
        die(mysql_error());
    if (mysql_num_rows($check)==0)
    {
        //rest of the codes
    }
}
fclose($list);
I added die() just for me to see what's wrong.
For question 1, you should simply not pass any argument to mysql_num_rows() if you only have one database connection.
For question 2, the escaped version should not produce a different hash as long as it has been saved to the database, and then pulled from the database again. Once an escaped string is saved to the database, the saved version effectively loses the escape characters. This is why you do not see "they\'re" for example, when you pull escaped values from the database.
Basically, when you initially create the hash, you should use a non-escaped version of the string for the hash input, then escape the plaintext version which can then be saved to the database. You can then pull the plaintext version from the database at any time, rehash, and it should create a matching hash value.
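As an added illustration of the point above (this is not the asker's or the answerer's code), the following rewrite hashes the raw word before anything touches it and hands the word to MySQL as a bound parameter instead of interpolating it into the SQL string, so quotes in a word can neither break the query nor alter the stored bytes. It assumes dbconnect.php exposes a mysqli connection in $mysqli and a table `words` with columns `word` and `hash`; those names are assumptions.

```php
<?php
// Added example. Assumes dbconnect.php creates a mysqli connection in $mysqli
// and that table `words` has columns word (VARCHAR) and hash (CHAR(32)).
require "dbconnect.php";

$list = fopen("huge.txt", "r");
if ($list === false) {
    die("cannot open huge.txt");
}

// Prepare once. Bound parameters travel separately from the SQL text, so
// a word containing ' or \ is neither escaped nor able to change the query.
$check  = $mysqli->prepare("SELECT id FROM words WHERE word = ?");
$insert = $mysqli->prepare("INSERT INTO words (word, hash) VALUES (?, ?)");
if ($check === false || $insert === false) {
    die("prepare failed: " . $mysqli->error);
}

while (($line = fgets($list)) !== false) {
    $word = rtrim($line, "\r\n");   // fgets keeps the line terminator; drop it
    if ($word === "") {
        continue;
    }

    // Hash the raw word exactly as read from the file, before any DB handling.
    $hash = md5($word);

    // Check whether the word is already stored.
    $check->bind_param("s", $word);
    $check->execute();
    $check->store_result();
    $exists = $check->num_rows > 0;
    $check->free_result();

    if (!$exists) {
        $insert->bind_param("ss", $word, $hash);
        if (!$insert->execute()) {
            die("insert failed: " . $insert->error);
        }
    }
}

fclose($list);
$check->close();
$insert->close();
```

Because the stored word is byte-for-byte what was read from the file, selecting it back and calling md5() on it reproduces the stored hash.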