What is a promise in Javascript?

Question

J. Mick

Asked: 2020-09-24 11:33:40 +0800 CST 2020-09-24 11:33:40 +0800 CST 2020-09-24 11:33:40 +0800 CST

How to display result rows safely using object oriented mysqli?

772

A. Cedano said in a comment that I don't particularly like num_rowsto know if there are rows in a result, sometimes it's not sure, and there are other better ways to know... but this is beside the point now, or maybe it is?

There is a question and an answer HERE but in PDO

I have two examples where I use num_rowsbased on the security that A. Cedano mentions and that there are other ways to know.

How can I display result rows safely using object oriented mysqli

What are the other better ways to find out?

examples

In the following code I use a num_rows;to check if record exists or not to insert or update.

  $result = $con->prepare("SELECT attempts FROM failed_attempt WHERE ip=? AND datetime BETWEEN DATE_SUB( NOW() , INTERVAL 1 DAY ) AND NOW()");

  $result->bind_param("s",$addres);
  $result->execute();
  $result->store_result();

  //Variable para saber si existe registro o no para insert o update.
  $check_result = $result->num_rows;
  if ($result->num_rows===1) { 
    //Obtenemos datos para comparar intentos y para resetear intentos por su ultimo fecha.
    $result->bind_result($failed_login_attempt);
    $result->fetch();
    $result->close();
  } else {
    $result->close();
    $failed_login_attempt=0;
  }

In the code below I fetch the entered user, and also use anum_rows;

  if(count($_POST)>0 && $captcha == true) {
    $username = $_POST["username"] ?: '';
    $password = $_POST["password"] ?: '';    
//Buscar usuario ingresado - INICIO
$sql = $con->prepare("SELECT id_user,username,password,logindatetime, CASE WHEN logindatetime BETWEEN DATE_SUB( NOW() , INTERVAL 2 MINUTE ) AND NOW() THEN '1' ELSE '0' END as logueado FROM users where username=? AND active=? LIMIT 1");
$sql->bind_param("si",$username,$active);
$active=1;
$sql->execute();
$sql->store_result();
if ($sql->num_rows===1) {
    $sql->bind_result($id_userBD,$usernameBD,$passwordDB,$logindatetime,$activeBD);
    if ($sql->fetch()){
        if (password_verify($password, $passwordDB)) {
            $check_password = true;
        } else {
            $check_password = false;
        }
    } $sql->close();
  } else {
    $sql->close();
    $check_password = false;
  }

3 Answers

Voted

Diablo · Answer 1 · 2020-09-24T12:47:48+08:00

If you are looking for an alternative, to avoid num_rows, you could use fetch().

An alternative example:

//Sentencia.
$result = $con->prepare("SELECT attempts FROM failed_attempt WHERE ip=? AND datetime BETWEEN DATE_SUB( NOW() , INTERVAL 1 DAY ) AND NOW() LIMIT 1");
$result->bind_param("s",$addres);
$result->execute();
//Vincula variables a una sentencia preparada para el almacenamiento de resultados
$result->bind_result($failed_login_attemptBD);
//Obtiene los resultados de una sentencia preparadas en las variables vinculadas.
if ($result->fetch()) {
    //Iniciamos variable existe fallo.
    $check_result=1;
    //Obtenemos datos para comparar intentos y para resetear intentos por su ultimo fecha.
    $failed_login_attempt = $failed_login_attemptBD;

} else {
    //Reseteamos fallos.
    $check_result=0;
    $failed_login_attempt=0;
 }
 $result->close();

Note: safety wise I don't know if there is any difference or if it is better num_rowsorfetch()

Second example:

Now, if you look closely at your statement at the end it puts LIMIT 1, that is, the number of records to return, in your case it can only be 0or 1.

LIMIT – Used to limit selections of data from a database MySQL.

If you only need a specified number of rows from a result set, use a clause LIMITin the query instead of searching the entire result set and discarding the extra data.

The clause makes it LIMITeasy to code multiple pages of results or pagination with SQL, and is very useful on large tables. Returning a large number of records can have a performance impact.

Conclusion, in principle it should not give you problems if ($result->num_rows===1) {since you use 1 record as a limit in your sentence.

Manual Limit Query Optimization

Logic:

If it were logical, in your statement usersthat you do not use LIMIT 1, which I personally would add, in your statement you would buy where you username( FROM users where username=?), if you Base de datosare created correctly, said field should be unique, that is, unique, there cannot be more than two , in principle you num_rowsshould not fail either, since your comparison must check a single field and it will hardly find two equal records, the same email account, it should be unique.

A. Cedano · Answer 2 · 2020-09-27T07:38:17+08:00

Indeed, the comment:

I don't like num_rows to know if there are rows in a result, sometimes it's not sure, and there are other better ways to know...

is of my authorship.

Perhaps there is a confusion with the term safe used in my comment, which in that context, means that num_rowsit doesn't always report the number of actual rows in a result set. That is, it is not certain that the value returned by num_rowsis exactly the total number of rows. Now I understand that I should have used the term is not exact instead of not sure .

My statement in that case does not refer to the vulnerability of the code, which does not depend on the use of num_rows, but on the way the query is sent to the database.

Why `num_rows`is it not safe, that is, why is it not accurate?

The three points I support are stated in the PHP Manual itself :

Because it depends on whether buffered or unbuffered results are used

The behavior of mysqli_num_rows() depends on whether buffered or unbuffered resultsets are used. In case of using them without buffer, it will mysqli_num_rows()not return the correct number of rows until all the rows of the result have been retrieved.

If we check the source code we will see that it is like this:

if (mysqli_result_is_unbuffered_and_not_everything_is_fetched(result)) {
    php_error_docref(NULL, E_WARNING, "Function cannot be used with MYSQL_USE_RESULT");
    RETURN_LONG(0);
}

Because the return type (integer or string) depends on the number of rows returned

If the number of rows is greater than the maximum value of PHP_INT_MAX, the number will be returned as a string.

According to this Manual comment

It doesn't work when used together with LIMITand SQL_CALC_FOUND_ROWS.

What alternatives are there for `num_rows`?

Alternative 1

If all you need is to know how many rows there are, the best way is to do this query:

SELECT COUNT(*) FROM tabla WHERE condicion;

Alternative 2

If, apart from knowing the number of rows, you need the information of the columns, you can do the normal query:

SELECT col1, col2, col3 FROM tabla WHERE condicion;

Then, you store the results in an associative array and count the rows applying countto the obtained array.

test code

Let's see a test code with part of the statement.

Reading the var_dumpand the results, we will see that num_rows it is not always exact.

VER DEMO

<?php
/**
* Ejemplo con Mysqli 
* 
* Notas:
*    1.  Los require son propios de este ejemplo 
*    2.  Todo lo relativo a  la base de datos en sí y la consulta son propios de este ejemplo
*/
require_once "dBug!.php";
require "util/public_db_info.php";
$db = new mysqli($host_name, $user_name, $pass_word, $database_name, $port);

/*Esta es la mejor forma si lo único que se quiere es el total de filas*/
$sqlMejor="SELECT COUNT(*) total FROM books";
$resMejor = $db->query($sqlMejor);

echo "<pre>";

if ($resMejor)
{
    while($row = $resMejor->fetch_object())
    {
        $intTotal = $row->total;
    }

    echo "SI SÓLO QUEREMOS EL TOTAL DE FILAS:\n\n";
    echo "El var_dump se muestra  así:\n\n";
    var_dump($resMejor);

    echo "\nTotal filas usando COUNT(*): " .$intTotal."\n";
}
/* Consulta */
$sql = "SELECT * FROM books";   

/* Se envía la consulta y se almacena en variables */
$resConBuffer = $db->query($sql);
$resSinBuffer = $db->query($sql, MYSQLI_USE_RESULT);





if ($resConBuffer)
{
    echo "\nCONSULTA SIN BUFFER:\n\n";
    echo "El var_dump se muestra  así:\n\n";
    var_dump($resConBuffer);
    echo "\nTotal filas usando num_rows antes de leer: ".$resConBuffer->num_rows."\n";

    while($row = $resConBuffer->fetch_assoc())
    {
        $arrConBuffer[] = $row;
    }
    echo "Total filas usando num_rows después de leer: ".$resConBuffer->num_rows."\n";
    echo "Total filas contando los datos mismos: ".count($arrConBuffer)."\n";

    /* liberar el conjunto de resultados */
    $resConBuffer->free();
}

if ($resSinBuffer)
{
    echo "\nCONSULTA CON BUFFER:\n";
    echo "El var_dump se muestra  así:\n\n";
    var_dump($resSinBuffer);
    echo "Total filas usando num_rows antes de leer: ".$resSinBuffer->num_rows."\n";

    while($row = $resSinBuffer->fetch_assoc())
    {
        $arrSinBuffer[] = $row;
    }
    echo "Total filas usando num_rows después de leer: ".$resSinBuffer->num_rows."\n";
    echo "Total filas contando los datos mismos: ".count($arrSinBuffer)."\n";

    /* liberar el conjunto de resultados */
    $resSinBuffer->free();

}
echo "</pre>";

/* cerrar la conexión */
$db->close();    
?>

Result:

SI SÓLO QUEREMOS EL TOTAL DE FILAS:

El var_dump se muestra  así:

object(mysqli_result)#2 (5) {
  ["current_field"]=>
  int(0)
  ["field_count"]=>
  int(1)
  ["lengths"]=>
  NULL
  ["num_rows"]=>
  int(1)
  ["type"]=>
  int(0)
}

Total filas usando COUNT(*): 51

CONSULTA SIN BUFFER:

El var_dump se muestra  así:

object(mysqli_result)#3 (5) {
  ["current_field"]=>
  int(0)
  ["field_count"]=>
  int(5)
  ["lengths"]=>
  NULL
  ["num_rows"]=>
  int(51)
  ["type"]=>
  int(0)
}

Total filas usando num_rows antes de leer: 51
Total filas usando num_rows después de leer: 51
Total filas contando los datos mismos: 51

CONSULTA CON BUFFER:
El var_dump se muestra  así:

object(mysqli_result)#4 (5) {
  ["current_field"]=>
  int(0)
  ["field_count"]=>
  int(5)
  ["lengths"]=>
  NULL
  ["num_rows"]=>
  int(0)
  ["type"]=>
  int(1)
}
Total filas usando num_rows antes de leer: 0
Total filas usando num_rows después de leer: 51
Total filas contando los datos mismos: 51

Black Sheep · Answer 3 · 2020-09-27T03:38:23+08:00

Let's take a closer look at buffered and unbuffered queries :

Queries use buffering mode by default. This means that the query results are immediately transferred from the MySQL Server to PHP where they are then kept in the memory of the PHP process. This allows for additional operations such as counting the number of rows and moving (fetching) the current pointer to the result. It also allows you to issue more queries on the same connection while working with the result set. The downside of buffering mode is that large result sets require significantly more memory. Memory will be kept occupied until all references to the result set are unset or the result set is explicitly freed, which will automatically occur during the completion of the last request. The terminology "result stored" is also used for buffering mode, since the entire result set is stored at once. (...)

...buffered queries should be used in cases where only a limited result set is expected or the number of rows returned needs to be known before reading all the rows. Non-buffering mode should be used when large results are expected.

This implies or explains the doubt if the result is exact or not :

The behavior of mysqli_num_rows()depends on whether buffered or unbuffered resultsets are used. In case of using them without buffer, it will mysqli_num_rows()not return the correct number of rows until all the rows of the result have been retrieved.

So in your case you are on the safe side , that is exact , since you use the stored result by default .

If you choose not to have results stored , it would be of no use to you num_rows!

Now let's see the performance :

An example, if you have a table with many rows (rows)then what you do num_rowsis pass all those rows taken from the query (buffer) once again to the memory of PHP, if you use COUNT()in your query you pass only 1 result to PHP.

Benchmark buffered and unbuffered queries with and without COUNT():

Test environment:

iMac: (27 pulgadas, finales de 2012)
Processador: 3,4 GHz Intel Core i7
Memoria: 16 GB 1600 MHz DDR3
OS: macOS Sierra 10.12.6

PHP version: 7.1.3
MySQL version: 5.7.17
Tabla con más de 30.000.000 registros

Test code (simplified):

test_mysqli_with_buffer :

function test_mysqli_con_buffer( $count = 1000 ) {          

    $time_start = microtime( true );        

    for ( $i = 0; $i < $count; $i++ ) {

        $r = $db->query( "SELECT * FROM dummy_data WHERE id < 1000;" );
        $r->fetch_all();                
    }       

    return number_format( microtime( true ) - $time_start, 3 );
}

test_mysqli_without_buffer :

function test_mysqli_sin_buffer( $count = 1000 ) {          

    $time_start = microtime( true );

    for ( $i = 0; $i < $count; $i++ ) {

        $r = $db->query( "SELECT * FROM dummy_data WHERE id < 1000;", MYSQLI_USE_RESULT );              
        $r->fetch_all();                
    }           

    return number_format( microtime( true ) - $time_start, 3 );
}

test_mysqli_count_with_buffer :

function test_mysqli_count_con_buffer( $count = 1000 ) {            

    $time_start = microtime( true );

    for ( $i = 0; $i < $count; $i++ ) {

        $r = $db->query( "SELECT count(*) AS total FROM dummy_data WHERE id < 1000;" );
        $r->fetch_all();            
    }

    return number_format( microtime( true ) - $time_start, 3 );
}

test_mysqli_count_without_buffer :

function test_mysqli_count_sin_buffer( $count = 1000 ) {            

    $time_start = microtime( true );

    for ( $i = 0; $i < $count; $i++ ) {

        $r = $db->query( "SELECT count(*) AS total FROM dummy_data WHERE id < 1000;", MYSQLI_USE_RESULT );
        $r->fetch_all();
    }

    return number_format( microtime( true ) - $time_start, 3 );
}

And the winner is....

--------------------------------------
|        PHP BENCHMARK SCRIPT        |
--------------------------------------
Start : 2017-09-27 11:12:48
Server : [email protected]
PHP version : 7.1.3
Platform : Darwin
--------------------------------------
test_mysqli_con_buffer       : 2.859 sec.
test_mysqli_sin_buffer       : 3.136 sec.
test_mysqli_count_con_buffer : 0.419 sec.
test_mysqli_count_sin_buffer : 0.414 sec.
--------------------------------------
Total time:                  : 6.828 sec.

Sources:

How to display result rows safely using object oriented mysqli?

An alternative example:

Second example:

Why `num_rows`is it not safe, that is, why is it not accurate?

What alternatives are there for `num_rows`?

Alternative 1

Alternative 2

test code

HTML button that sends you to another page

Why do I get the error "Call to undefined function mysql_connect()"?

How to create an HTML button that works as a link?

How to separate a String in Java. How to use split()

Filter by dates in sql server

How to limit the number of decimal places in a double?

For each in JavaScript?

Position footer ALWAYS glued to the footer

Definitive Guide to Type Conversion in Java

How to properly compare Strings (and objects) in Java?

How to display result rows safely using object oriented mysqli?

3 Answers

An alternative example:

Second example:

Why num_rowsis it not safe, that is, why is it not accurate?

What alternatives are there for num_rows?

Alternative 1

Alternative 2

test code

Why `num_rows`is it not safe, that is, why is it not accurate?

What alternatives are there for `num_rows`?