Login form mysql_num_rows() error

[MattD00]

I have tried to create a basic login form.

When I enter the username and password I get this error

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in login.php on line 10

 

<?php
require("connection.php");
if($_SERVER["REQUEST_METHOD"] == "POST")
{
$username=mysql_real_escape_string($_POST['username']);
$password=mysql_real_escape_string($_POST['password']);
$password=md5($password);
$sql="SELECT id FROM user WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);


if($count==1)
{
header("location: dashboard.php");
}
else
{
$error="Invalid username or password";
}
}
?>
<form action="login.php" method="POST">
<table class="ltext">
<tr>
<td>
Username
</td>
<td>
<input type="text" name="usename" class="input" />
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
<input type="password" name="password" class="input" />
</td>
</tr>
</tr>
<td>
</td>
<td>
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" value="Login" name="submit" class="input" />
<input type="reset" value="Clear" name="clear" class="input" />
</td>
</tr>
</table>
</form>

 

I can't figure out why I am getting that error message does anyone have any ideas?

[xyph]

You're getting that because mysql_query() is returning FALSE and not a MySQL resource.

 

You need to check for this, and if it happens, echo mysql_error() (for debugging)

 

In a production environment, you probably just want to echo 'Query Error', because mysql_error() may reveal information about your database that could be exploited.

[voip03]

try this

sql="SELECT id FROM user WHERE username='".$username."' and password='".$password."'";
$result=mysql_query($sql);
if(!$result){ die(" Could not query the database : <br/>". mysql_error() ); }

Thank you xyph.

 

[MattD00]

I was able to fix the mysql_num_rows() there was an error with my database.

However nothing happens when I login and no error message is shown when the wrong username or password is entered.

I decided to echo out the $count but it just shows up as being 0 when trying to login.

[voip03]

Check the DB  username and password manually

[xyph]

You're not echo'ing $error anywhere

[MattD00]

OK so I have now echoed out the error so that bit is working. However the login is still not working

[xyph]

Echo your query. Does it match the data in the database?

 

These are extremely simple debugging methods. Check and make sure your input is what you expect it to be

[MattD00]

From echoing out the query it'sshowing the username and password for phpMyAdmin, instead of the username and password stored in the the table "users".

 

 

 

[MattD00]

From echoing out the query it's showing the username and password for phpMyAdmin, instead of the username and password stored in the the table "users".

I fixed that problem my connect file was using the same variables but now I get

SELECT id FROM users WHERE username=''

The password shows up fine but the username is blank.

Even though the field is called username and username is being used in the query.

 

[xyph]

Use print_r( $_POST ) to make sure your post variable actually contains a key called 'username'

 

You should be programming with error_reporting(-1) to see notices about non-existent keys or variables.

 

Again, this is EXTREMELY basic debugging procedure. If the result isn't what you expect, verify the input is what you expect it to be.

 

I'd argue over 90% of the issues posted here can be fixed by using the above method.

[voip03]

Have you correct the typing error? usename  to username

 

input name -> usename

<td><input type="text" name="usename" class="input" /></td>

in PHP  -> $_POST['username']

$username=mysql_real_escape_string($_POST['username']);