Keywords: PHP | MySQL | Error Handling | SQL Injection | Database Security
Abstract: This article provides an in-depth analysis of the common error in PHP where mysql_fetch_array() expects a resource parameter but receives a boolean. Through practical code examples, it explains that the root cause lies in SQL query execution failures returning FALSE instead of result resources. The article offers comprehensive error diagnosis methods, including using or die() statements to capture specific error information, and discusses common problem scenarios such as SQL syntax errors and non-existent fields. Combined with SQL injection case studies, it emphasizes the importance of parameter validation and error handling in web application security.
Error Phenomenon and Cause Analysis
In PHP development using MySQL extensions, developers often encounter the following warning message: mysql_fetch_array() expects parameter 1 to be resource, boolean given. This error indicates that the mysql_fetch_array() function expects to receive a query result resource but actually receives a boolean value (typically FALSE).
From the provided code example, we can see the root cause lies in the failure of the mysql_query() function:
$query = "SELECT ListNumber FROM residential";
$result1 = mysql_query($query);
if (mysql_num_rows($result1) >10){
$difference = mysql_num_rows($result1) - 10;
$myQuery = "SELECT * FROM `residential` ORDER BY `id` LIMIT 10,". $difference;
$result2 = mysql_query($myQuery);
while ($line = mysql_fetch_array($result2, MYSQL_BOTH))When the $myQuery query fails, mysql_query($myQuery) returns FALSE instead of the expected result resource. Passing this value directly to mysql_fetch_array() triggers the aforementioned warning.
Error Diagnosis and Solutions
To accurately diagnose such issues, the following method is recommended:
$result2 = mysql_query($myQuery) or die($myQuery."<br/><br/>".mysql_error());This approach immediately terminates script execution when a query fails and outputs the specific SQL query statement along with MySQL error information. By analyzing the error message, developers can quickly identify the problem source.
Common causes include:
- SQL syntax errors: Missing quotes, mismatched parentheses, etc.
- Non-existent fields: ORDER BY clause referencing non-existent columns
- Table or column name spelling errors
- Database connection issues
SQL Injection Security Considerations
The SQL injection case study from the reference article further illustrates the security risks associated with such errors. When user input is directly concatenated into SQL queries without proper sanitization, attackers can manipulate query logic by constructing special inputs.
For example, in URL parameter injection scenarios:
http://website.tld/product.php/id=1234'
http://website.tld/product.php/id=1234 AND 1=1
http://website.tld/product.php/id=1234 AND 1=2These injection attempts may cause query failures, returning FALSE values and subsequently triggering the same mysql_fetch_array() parameter error. More seriously, successful SQL injection can bypass authentication, leak sensitive data, or compromise database integrity.
Best Practice Recommendations
To avoid such errors and enhance code security, we recommend:
- Use Parameterized Queries: Adopt prepared statements (such as PDO or MySQLi) to effectively prevent SQL injection
- Comprehensive Error Handling: Implement appropriate error checking and handling for all database operations
- Input Validation: Apply strict validation and filtering to all user inputs
- Use Modern Extensions: Consider migrating to PDO or MySQLi extensions for better security and functionality
- Detailed Logging: Maintain logs of database errors for subsequent analysis and debugging
By following these best practices, developers can not only avoid mysql_fetch_array() parameter errors but also significantly improve application security and stability.