h1234 Posted September 30, 2013

It's a login form. Here is my code that's producing the error. I am really new to PHP. This is for a project. Thanks for the help.

```php
function login($username , $password){
    GLOBAL $dbc; //database
    $user_id= user_id_from_username($username);
    $username = sanatize($username);
    $password = md5($password);
    $query= mysqli_query($dbc,"SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password ` = '$password'");
    MYSQLI_ERROR($query);
    $check= mysqli_fetch_array( $query , MYSQLI_BOTH); // even if i add this set of code the query still gives the above error.
}
```

mac_gyver Posted September 30, 2013

the mysqli_error( ... ) statement requires the mysqli connection link as a parameter. and how do i know that, by reading the documentation and examples for that particular statement in the php.net documentation.

you also need to echo the string that mysqli_error returns so that you can see it in the browser.

h1234 (Author) Posted September 30, 2013

> the mysqli_error( ... ) statement requires the mysqli connection link as a parameter. and how do i know that, by reading the documentation and examples for that particular statement in the php.net documentation.
>
> you also need to echo the string that mysqli_error returns so that you can see it in the browser.

Hi, thanks, I did that and it says:

Unknown column 'password ' in 'where clause'Array ( )

mac_gyver Posted September 30, 2013

what do you suppose that error means?

h1234 (Author) Posted September 30, 2013 (edited September 30, 2013 by h1234)

> what do you suppose that error means?

I fixed it, but now my code doesn't care if the password is incorrect or not. I think it has something to do with the $check variable but I can't figure it out :/ It has to check and see if both username and password are correct (username works) in order to proceed. My login page contains all the if statements for this. When I check, mysqli_error($dbc) only echoes Array ( )

```php
function login($username , $password){
    GLOBAL $dbc;
    $user_id = user_id_from_username($username);
    $username = sanatize($username);
    $password = md5($password);
    $query= mysqli_query($dbc,"SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
    $check= mysqli_fetch_array( $query , MYSQLI_BOTH);
    return ($check[0]==1)? $user_id : false;
}
```

Ch0cu3r Posted September 30, 2013 (edited September 30, 2013 by Ch0cu3r)

You want to see if the query returned any results using the mysqli_num_rows not mysqli_fetch_array

```php
function login($username , $password)
{
    GLOBAL $dbc; // <--- BAD PROGRAMMING
    $user_id = user_id_from_username($username);
    $username = sanatize($username);
    $password = md5($password);
    $query = mysqli_query($dbc, "SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");

    // check query return any results (results are returned as rows)
    // if we have a result then the login credentials matched
    if(mysqli_num_rows($dbc) > 0) {
        return true;
    }

    // no results found so return false
    return false;
}
```

Please use code tags when posting code. Press the <> button before pasting code into the reply box.

h1234 (Author) Posted September 30, 2013

> You want to see if the query returned any results using the mysqli_num_rows not mysqli_fetch_array
>
> ```php
> function login($username , $password)
> {
>     GLOBAL $dbc; // <--- BAD PROGRAMMING
>     $user_id = user_id_from_username($username);
>     $username = sanatize($username);
>     $password = md5($password);
>     $query = mysqli_query($dbc, "SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
>
>     // check query return any results (results are returned as rows)
>     // if we have a result then the login credentials matched
>     if(mysqli_num_rows($dbc) > 0) {
>         return true;
>     }
>
>     // no results found so return false
>     return false;
> }
> ```
>
> Please use code tags when posting code. Press the <> button before pasting code into the reply box.

Thanks a lot, but why is Global $dbc bad programming? I used the mysqli_num_row but it seems that it is not validating my password. I can type in any password and it works; the only thing it checks is to see if my username is correct, and if it is, it proceeds regardless of password.

vinny42 Posted September 30, 2013

> but why is Global $dbc bad programming?

Because the function depends on something that must exist in the environment, which means that the caller cannot tell the function what to use, it must know what the function needs and prepare the environment in such a way that hopefully the function will do what is expected.

It is much better to pass the value of $dbc along in the parameters, so that the calling script has 100% control over what data the function uses, without having to know anything about the internals of the function.

TOA Posted September 30, 2013

It would be mysqli_num_rows($query), not $dbc. The call to num_rows is made to the result set.

And by getting a COUNT(), it will always return a result so checking for num_rows won't work. Either change your select, or fetch the results and check for > 0 there.

h1234 (Author) Posted September 30, 2013

> It would be mysqli_num_rows($query), not $dbc. The call to num_rows is made to the result set.
>
> And by getting a COUNT(), it will always return a result so checking for num_rows won't work. Either change your select, or fetch the results and check for > 0 there.

Thanks, but what must I change the select to?

Ch0cu3r Posted September 30, 2013

I'd just have it return the user_id and not COUNT(`user_id`). Then mysqli_num_rows should work as expected.

vinny42 Posted September 30, 2013

> I'd just have it return the user_id and not COUNT(`user_id`). Then mysqli_num_rows should work as expected.

Yes, but if you only want to count then this is a very wasteful way to do it. Do this:

```sql
SELECT COUNT(*) AS number_of_rows FROM ....
```

then fetch one result and look at its "number_of_rows" column. That is the most efficient way to count.

DavidAM Posted September 30, 2013

> Yes, but if you only want to count then this is a very wasteful way to do it.

When doing a login page (as the OP is), you usually have other pages that are restricted to logged-in users. In many cases, you want to know WHO is logged in (at some point). So the "most efficient" method would be to select the USER_ID and store it in a SESSION variable which can be retrieved by later pages as needed. Since a user's login MUST be unique, there will only be one row returned, so there is only ONE fetch. In this instance, there is no difference in performance between fetching the count column and fetching the user-id column.

```php
$sql = "SELECT user_id FROM users WHERE username = '$username' AND password = '$password'";
$query = mysqli_query($dbc, $sql);
if ($query) {
    $row = $query->fetch_assoc();
    if ($row) {
        // A row was returned
        $_SESSION['user_id'] = $row['user_id'];
    } else {
        // Invalid Username OR Password
    }
} else {
    // ERROR unable to access the database
}
```

In fact, I might select the user's "Display Name" and "Access Rights" (if applicable) and then just assign the entire row to the SESSION so I don't have to hit the database to check his/her access or name on every page load. But that really depends on the application requirements.

vinny42 Posted October 1, 2013

> In this instance, there is no difference in performance between fetching the count column and fetching the user-id column

It's true that if you are going to use the user's data anyway then you might as well select it, counting to see if you can later select them would be extra work.

But that said, I don't want people to get the idea that it's good practice to select records when they just want to count. Even selecting a single record can be significantly slower than doing a count because a count() can be done using only the indexes, whereas fetching data from the record itself requires accessing the datafiles.

On a different note, you should *never* put the password in the query, in any way. Select it and verify it in the application. Reason: queries are often logged by the database and unless you have complete control over those logs you have no idea who can read them. I've seen hosters who put the logs in the webroot, effectively making them visible to the world.

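The approach from the last reply (select the stored hash and verify it in the application), combined with the earlier advice to pass the connection in as a parameter, as an added example that is not code from any poster in the thread. It assumes PDO with in-memory SQLite in place of the thread's mysqli connection so that it runs without a server, and password_hash()/password_verify() in place of md5(); the account `alice` is constructed sample data. mysqli offers the same prepare-and-bind pattern through mysqli_prepare() and mysqli_stmt_bind_param().

```php
<?php
// Added example, not code from the thread. PDO with in-memory SQLite stands in
// for the thread's MySQL connection so the script runs without a server.

// The connection is a parameter (no GLOBAL) and the plaintext password is never
// part of any query, so it cannot end up in a database query log.
function login(PDO $dbc, string $username, string $password)
{
    // Look the account up by username only; the value is bound, not interpolated.
    $stmt = $dbc->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false; // no such user
    }
    // Verify in the application against the stored salted hash.
    if (!password_verify($password, $row['password'])) {
        return false; // wrong password
    }
    return (int) $row['user_id'];
}

// Constructed sample data; the column names follow the thread's users table.
$dbc = new PDO('sqlite::memory:');
$dbc->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbc->exec('CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');
$insert = $dbc->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Right password, wrong password for a real user, and an unknown user.
var_dump(login($dbc, 'alice', 'correct horse'));
var_dump(login($dbc, 'alice', 'any other password'));
var_dump(login($dbc, 'nobody', 'correct horse'));
```

The function returns the user_id on success and false otherwise, the same contract as the original poster's login(), so the caller can store the id in the session as DavidAM suggests.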