Boolean Error

[craigerjs]

Hi, I have an image uploader here and I am trying to have a user enter their password and check a box in order to submit their image.  I am having trouble validating the password.  I get this error message:

 

"Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /home/content/68/6372768/html/submit.php on line 58"

 

From this section of the code:

 

      $query = "SELECT * FROM user_info WHERE password = SHA($user_password)";

      $data = mysqli_query($dbc, $query);

      if (mysqli_num_rows($data) == 1) {

      $valid_password = true;

      }

 

Anyone see what I am doing wrong?  The password stored in my DB is encrypted with SHA. 

 

 

<?php
  // Start the session
  require_once('startsession.php');
  // Insert the page header
  $page_title = 'Submit an Image';
  require_once('header.php');
  require_once('appvars.php');
  require_once('connectvars.php');
  // Show the navigation menu
  require_once('navmenu.php');

  // Make sure the user is logged in before going any further.
  if (!isset($_SESSION['user_id'])) {
    echo '<center><table border="0" cellspacing = "20"><tr><td>';
    echo '<p class="login">Please <a href="login.php">log in</a> to access this page.</p>';
    echo '</td></tr></table></center>';
    // Insert the page footer
    echo '<div class="footer">';
    require_once('footer.php');
    echo '</div>';
    exit();
  }
?>

<div class="linkrow">
<!-- end .linkrow --></div>

<div class="contentBlue960">
<img src = "/IMAGES/WEBSITE/capBlue960.jpg">


<?php
  if (isset($_POST['submit'])) {
// Connect to the DB
    $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
    // Set password to false
    $valid_password = false;  
    // Grab the id data from the POST
    $image_name = $_FILES['image_name']['name'];
    $image_name_type = $_FILES['image_name']['type'];
    $image_name_size = $_FILES['image_name']['size']; 
    $user_password = (mysqli_real_escape_string($dbc, trim($_POST['user_password'])));
    $agree = mysqli_real_escape_string($dbc, trim($_POST['agree']));
    // Grab the id data from the DB
    
    if (!isset($_GET['user_id'])) {
    $query = "SELECT user_name, password FROM user_info WHERE user_id = '" . $_SESSION['user_id'] . "'";
    }
  else {
    $query = "SELECT user_name, password FROM user_info WHERE user_id = '" . $_GET['user_id'] . "'";
    }
  $data = mysqli_query($dbc, $query);
    $user_name = $row['user_name'];
    $password = $row['password'];
    
      $query = "SELECT * FROM user_info WHERE password = SHA($user_password)";
      $data = mysqli_query($dbc, $query);
      if (mysqli_num_rows($data) == 1) {
      $valid_password = true;
      }


// If image and password are entered
    if (!empty($user_password) && !empty($image_name)) {
// If the entered password matches the user's password
      if ($valid_password == true) {
// If the copyright is agreed to
      if (($agree) == ('checked')) {
// If the pic is valid
      if ((($image_name_type == 'image/gif') || ($image_name_type == 'image/jpeg') || ($image_name_type == 'image/pjpeg') || ($image_name_type == 'image/png'))
        && ($image_name_size > 0) && ($image_name_size <= GW_MAXFILESIZE)) {
        if ($_FILES['image_name']['error'] == 0) {
          // Move the file to the target upload folder
          $target = GW_UPLOADPATH . $image_name;
          if (move_uploaded_file($_FILES['image_name']['tmp_name'], $target)) {
            // Connect to the database
     $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME)
      or die('Error connecting to MySQL server.');

            // Write the data to the database
            $query = "INSERT INTO user_images VALUES (0, '$user_name', NOW(), '$image_name')";
            mysqli_query($dbc, $query);

            // Confirm success with the user
            echo '<p>Thanks for submitting an image!  Under review as soon as possible.</p>';
            echo '<p><strong>User Name:</strong> ' . $user_name . '<br />';
            echo '<img src="' . GW_UPLOADPATH . $image_name . '" alt="Submitted Image" /></p>';
            echo '<p><a href="submit.php"><< Back to submit page.</a></p>';

            // Clear the id data to clear the form
            $user_name = "";
            $image_name = "";

            mysqli_close($dbc);
          }
          else {
            echo '<p class="error">Sorry, there was a problem uploading your screen shot image.</p>';
          }
        }
      }
      else {
        echo '<p class="error">The screen shot must be a GIF, JPEG, or PNG image file no greater than ' . (GW_MAXFILESIZE / 1024) . ' KB in size.</p>';
      }

      // Try to delete the temporary screen shot image file
      @unlink($_FILES['image_name']['tmp_name']);
    }
    else {
      echo '<p class="error">Must agree with and check copyright box.</p>';        
    }

} else {
      echo '<p class="error">Password Incorrect</p>';    
    }
} else {
   //   echo 'Pass' . $password . ' 1';
    //  echo 'User pass' . $user_password . ' 2';
   //   echo 'Checkbox' . $agree . ' 3';
  //    echo 'Username' . $user_name . ' 3';
      echo '<p class="error">Please enter all of the information to add your image.</p>';
    }
  }
//  mysqli_close($dbc);
?>

<table border="1" cellspacing = "20">
<tr><td width = 960px><h2>Submit an Image</h2></td></tr>
</table>


<table border="1" cellspacing = "20">
  <form enctype="multipart/form-data" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<tr><td width = "300">    
<input type="hidden" name="MAX_FILE_SIZE" value="<?php echo GW_MAXFILESIZE; ?>" />
<label for="image_name">Image:</label></td>
<td><input type="file" id="image_name" name="image_name" />
</td></tr>    
    
<tr><td width = "300">
<label for="user_password">Enter Password:</label></td>
<td><input type="text" id="user_password" name="user_password" /><br />
</td></tr>

<tr><td width = "300">      
<label for="terms">This image is my own work and I own all copyrights to it.</label></td>
<td><input type="checkbox" id="agree" name="agree" value = "checked"/><br />
</td></tr>
    
<tr><td width = "300">        
<input type="submit" value="Submit Image" name="submit" />
</td></tr>   
        
  </form>
</td>
</tr>
</table>


<img src = "/IMAGES/WEBSITE/bottomBlue960.jpg">
<!-- end .contentWhite960 --></div>

<div class="footer">
<?php
  // Insert the page footer
  require_once('footer.php');
?>
<!-- end .footer --></div>

 

 

Thanks if you can help,

Craig

[Alex]

mysqli_query is returning false because your query is failing. You need quotes around $user_password.

 

$query = "SELECT * FROM user_info WHERE password = SHA('$user_password')";

[craigerjs]

Thanks, that worked.  I just realized that if two people have the same password this idea won't work anyway.  Gotta think of a better way to do this now.