andy_b_1502 Posted April 1, 2012 Share Posted April 1, 2012 Hi everyone! I have the following error message: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hermes/bosweb25a/b109/ipg.removalspacecom/checklogin.php on line 47 Wrong Username or Password by using the below code: <?PHP include ('db.php'); // Define $username and $password $username=$_POST['username']; $password=$_POST['password']; // To protect MySQL injection (more detail about MySQL injection) $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql="SELECT * FROM $companies WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $username and $password, table row must be 1 row if($count==1){ // Register $username, $password and redirect to file "login_success.php" session_register("username"); session_register("password"); header("location:login_success.php"); } else { echo "Wrong Username or Password"; } ob_end_flush(); ?> Does anyone have an idea of whats happening? from a guess it's looking for the username and password in the database, but i've made sure that this username and password in IN the correct fields in the table ect?? Thanks Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted April 1, 2012 Share Posted April 1, 2012 your query is failing, probably because $companies doesn't resolve to a proper table name. I'd tell you not to use SELECT * on a user table during login, but it seems some people get all pissy when I do that. Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 Thanks muddy. I have changed/tested new script with this: $sql="SELECT username, password FROM $companies WHERE username='$username' and password='$password'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); and now have this error message: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hermes/bosweb25a/b109/ipg.removalspacecom/checklogin.php on line 47 Wrong Username or Password This could be why people get all pissy about it because they are frustrated when it doesnt work :'( lol. The username and password is in the database, its looking in the right place but it's not seeing it? any idea's how to make this work for me? Quote Link to comment Share on other sites More sharing options...
cpd Posted April 1, 2012 Share Posted April 1, 2012 Your query still includes $companies. Is this meant to be a table or a variable? Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 companies is the table name Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 1. as stated above remove the $ from companies, and; 2. did you by chance use any hashing etc when you originally inserted the data into the table? Quote Link to comment Share on other sites More sharing options...
cpd Posted April 1, 2012 Share Posted April 1, 2012 Well your currently trying to evaluate it as a variable. Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 i dont remember LB if im honest... i have taken the $ from the proceding 'companies' BUT it does not log me in, instead just gives me the error message: "Wrong Username or Password" when using the correct criteria? Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 show us the code that you used for inserting the data Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 Inserted the username and password with this code: <?PHP include('db.php'); /* set some validation variables */ $error_message = ""; /* =============================================== */ /* this section of code will set up an error message for the username if ANY of the conditions occur 1) checks to see if $_POST['username'] is NOT set 2) if length of username is less than 5 3) if username has anything other than letter, numbers or underscores */ if((!isset($_POST['username'])) || (strlen(trim($_POST['username'])) <5) || (trim($_POST['username']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['username'])))) { /* if username is bad start building the error message */ $error_message = "You must enter a valid username<br>"; $error_message = $error_message . "Valid names are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid name was: <font color="red">' . $_POST['username'] . "</font><hr>"; } /* END validating username */ /* =============================================== */ /* =============================================== */ /* this section of code will set up an error message for the password if ANY of the conditions occur 1) checks to see if $_POST['upassword'] is NOT set 2) if length of upassword is less than 5 3) if upassword has anything other than letter, numbers or underscores */ if((!isset($_POST['password'])) || (strlen(trim($_POST['password'])) <5) || (trim($_POST['password']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['password'])))) { /* if it is NOT set, then set the error variable and start building the error message */ $error_message = $error_message . "You must enter a valid password<br>"; $error_message = $error_message . "Valid passwords are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid password was: <font color="red">' . $_POST['upassword'] . "</font><hr>"; }else{ $upassword = trim($_POST['password']); } /* END validating upassword */ /* =============================================== */ /* =============================================== */ /* validating the email */ /* create a function */ function validateEmailAddress($email) { return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email); } if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) { $error_message = $error_message . "You must enter a valid email address<br>"; $error_message = $error_message . 'The invalid email was: <font color="red">' . $_POST['email'] . "</font><hr>"; } /* END validating email */ /* =============================================== */ /* =============================================== */ /* check to see if username is already taken */ $username = mysql_real_escape_string(trim($_POST['username'])); $query1 = "SELECT username from companies WHERE username = '$username'"; $result1 = mysql_query($query1) or die(mysql_error()); $count = mysql_num_rows($result); if($count>0) { $error_message = $error_message . 'The username: <font color="red">' . $_POST['username'] . "</font> is taken.<hr>"; } /* =============================================== */ /* if any of the post variables are invalid */ /* set the session variable and send back to the form page */ if(strlen(trim($error_message))>0) { $_SESSION['error_message'] =$error_message; header("Location: register.php"); exit(); } /* =============================================== */ /* =============================================== */ /* PREPARE DATA FOR INSERTION INTO TABLE */ /* FUNCTION TO CREATE SALT */ function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } $salt = createsalt(); $upasswod = trim($_POST['password']); $hash = hash('sha256', $salt, $password); $approved = 0; $username = mysql_real_escape_string(trim($_POST['username'])); $email = mysql_real_escape_string(trim($_POST['email'])); $query2 = "INSERT INTO companies (username, password, email, salt, approved) VALUES('$username', '$hash', '$email', '$salt', '$approved')"; $result2 = mysql_query($query2) or die(mysql_error()); /* =============================================== */ /* at this point we can send an email to the admin as well as the user. DO NOT send the user's password to ANYONE!!!! */ ?> Thank you for registering.<br>; Your account will be approved and activated within 24 hours.<br><br> Click here to return to the <a href="index.php">main page</a>. Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 did you by chance use any hashing etc when you originally inserted the data into the table? Yes, so this is giving me the Warning: mysql_num_rows(): error message?? Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 Since you have hashed the password using a salt when inserting, you also NEED to use the same hash/salt technique when checking the password on login. ie. 1. get the salt from the table for the appropriate user 2. hash/salt the login password just like you did for the insert BUT use the salt recovered in step 1 above. 3. NOW query the table to make sure the newly hashed/salted password matches the password in the table clear as mud? (look at the password in the table using phpadmin. you will see what the hash/salted passwords look like. That is 'abcd' as a password will NOT be 'abcd; in the table) Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 /* =============================================== */ /* check to see if username is already taken */ $username = mysql_real_escape_string(trim($_POST['username'])); $query1 = "SELECT username from companies WHERE username = '$username'"; $result1 = mysql_query($query1) or die(mysql_error()); $count = mysql_num_rows($result); if($count>0) { $error_message = $error_message . 'The username: <font color="red">' . $_POST['username'] . "</font> is taken.<hr>"; } Check USERNAME? not password? this is where the error is, just checking... Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 <?php /* =============================================== */ /* check to see if username is already taken */ $username = mysql_real_escape_string(trim($_POST['username'])); $query1 = "SELECT username, salt from companies WHERE username = '$username', salt = '$salt'"; $result1 = mysql_query($query1) or die(mysql_error()); $count = mysql_num_rows($result); if($count>0) { $error_message = $error_message . 'The username: <font color="red">' . $_POST['username'] . "</font> is taken.<hr>"; } ?> Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 Print this out on a piece of paper and look it over carefully. <?PHP include ('db.php'); /* set some validation variables */ $error_message = ""; /* =============================================== */ /* this section of code will set up an error message for the username if ANY of the conditions occur 1) checks to see if $_POST['username'] is NOT set 2) if length of username is less than 5 3) if username has anything other than letter, numbers or underscores */ if((!isset($_POST['username'])) || (strlen(trim($_POST['username'])) <5) || (trim($_POST['username']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['username'])))) { /* if username is bad start building the error message */ $error_message = "You must enter a valid username<br>"; $error_message = $error_message . "Valid names are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid name was: <font color="red">' . $_POST['username'] . "</font><hr>"; }else{ $username = mysql_real_escape_string(trim($_POST['username'])); } /* END validating username */ /* =============================================== */ /* =============================================== */ /* this section of code will set up an error message for the password if ANY of the conditions occur 1) checks to see if $_POST['password'] is NOT set 2) if length of password is less than 5 3) if password has anything other than letter, numbers or underscores */ if((!isset($_POST['password'])) || (strlen(trim($_POST['password'])) <5) || (trim($_POST['password']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['password'])))) { /* if it is NOT set, then set the error variable and start building the error message */ $error_message = $error_message . "You must enter a valid password<br>"; $error_message = $error_message . "Valid passwords are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid password was: <font color="red">' . $_POST['password'] . "</font><hr>"; }else{ $password = trim($_POST['password']); } /* END validating password */ /* =============================================== */ /* =============================================== */ /* if any of the post variables are invalid */ /* set the session variable and send back to the form page */ if(strlen(trim($error_message))>0) { $_SESSION['error_message'] =$error_message; header("Location: login.php"); exit(); } /* =============================================== */ /* =============================================== */ /* FUNCTION TO CREATE SALT */ function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } /* check to see if username is in the table if not send back to login */ $query01 = "SELECT id, salt FROM companies WHERE username = '$username'"; $result01 = mysql_query($query01) or die(mysql_error()); if(mysql_num_rows($result1 != 1)) { header("Location: login.php"); exit(); } $row = mysq_fetch_array($result01); $salt = $row['salt']; $password = trim($_POST['password']); $hash = hash('sha256', $salt, $password); $query02 = "SELECT id FROM companies WHERE username = '$username' AND password = '$hash'"; $result02 = mysql_query($query02) or die(mysql_error()); if(mysql_num_rows($result2) !=1){ /* not found send back to login */ header("Location: login.php"); exit(); } /* =============================================== */ /* success!!! send them where you want */ ?> Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 Okay: i have gone away and done a little bit of resaerch. I understand that using salt to check login is a lot more secure as the user's username doesnt change and salt it random. I have changed the query to: $query1 = "SELECT username, salt from companies WHERE salt = '$salt', username = '$username'"; could someone please explain why im getting this error?: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' username = 'testing'' at line 1 'testing' is what i have used as a test username?? Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 do not hash/salt the username, just the password Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 so it's: $query1 = "SELECT salt from companies WHERE salt = '$salt'"; thats just hash/salt password right? that produces the following: "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hermes/bosweb25a/b109/ipg.removalspacecom/andy_test_01.php on line 63 Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb25a/b109/ipg.removalspacecom/andy_test_01.php:63) in /hermes/bosweb25a/b109/ipg.removalspacecom/andy_test_01.php on line 73" Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 Did you read the last coding I posted? $query01 = "SELECT id, salt FROM companies WHERE username = '$username'"; Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hermes/bosweb25a/b109/ipg.removalspacecom/a_test2.php on line 76 Fatal error: Call to undefined function mysq_fetch_array() in /hermes/bosweb25a/b109/ipg.removalspacecom/a_test2.php on line 82" :-\ Quote Link to comment Share on other sites More sharing options...
litebearer Posted April 1, 2012 Share Posted April 1, 2012 show your most recent coding Quote Link to comment Share on other sites More sharing options...
andy_b_1502 Posted April 1, 2012 Author Share Posted April 1, 2012 For LOGIN: a_test2.php: <?PHP include ('db.php'); /* set some validation variables */ $error_message = ""; /* =============================================== */ /*this section of code will set up an error message for the username if ANY of the conditions occur 1) checks to see if $_POST['username'] is NOT set 2) if length of username is less than 5 3) if username has anything other than letter, numbers or underscores*/ if((!isset($_POST['username'])) || (strlen(trim($_POST['username'])) <5) || (trim($_POST['username']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['username'])))) { /* if username is bad start building the error message */ $error_message = "You must enter a valid username<br>"; $error_message = $error_message . "Valid names are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid name was: <font color="red">' . $_POST['username'] . "</font><hr>";} else{ $username = mysql_real_escape_string(trim($_POST['username']));} /* END validating username *//* =============================================== */ /* =============================================== */ /*this section of code will set up an error message for thepassword if ANY of the conditions occur 1) checks to see if $_POST['password'] is NOT set 2) if length of password is less than 5 3) if password has anything other than letter, numbers or underscores*/ if((!isset($_POST['password'])) || (strlen(trim($_POST['password'])) <5) || (trim($_POST['password']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['password'])))) { /* if it is NOT set, then set the error variable and start building the error message */ $error_message = $error_message . "You must enter a valid password<br>"; $error_message = $error_message . "Valid passwords are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid password was: <font color="red">' . $_POST['password'] . "</font><hr>";} else{ $password = trim($_POST['password']);} /* END validating password *//* =============================================== */ /* =============================================== */ /* if any of the post variables are invalid */ /* set the session variable and send back to the form page */ if(strlen(trim($error_message))>0) { $_SESSION['error_message'] =$error_message; header("Location: login.php"); exit();} /* =============================================== */ /* =============================================== */ /* FUNCTION TO CREATE SALT */ function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3);} /* check to see if username is in the table if not send back to login*/ $query01 = "SELECT id, salt FROM companies WHERE username = '$username'"; $result01 = mysql_query($query01) or die(mysql_error()); if(mysql_num_rows($result1 != 1)) { header("Location: login.php"); exit(); } $row = mysq_fetch_array($result01); $salt = $row['salt']; $password = trim($_POST['password']); $hash = hash('sha256', $salt, $password); $query02 = "SELECT id FROM companies WHERE username = '$username' AND password = '$hash'"; $result02 = mysql_query($query02) or die(mysql_error()); if(mysql_num_rows($result2) !=1) { /* not found send back to login */ header("Location: login.php"); exit();} /* =============================================== *//* success!!! send them where you want */ ?> for this table: table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC"> <tr> <form name="form1" method="post" action="a_test2.php"> <td> <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF"> <tr> <td colspan="3"><strong>Member Login </strong></td> </tr> <tr> <td width="78">Username</td> <td width="6">:</td> <td width="294"><input name="username" type="text" id="username"></td> </tr> <tr> <td>Password</td> <td>:</td> <td><input name="password" type="password" id="password"></td> </tr> <tr> <td> </td> <td> </td> <td><input type="submit" name="Submit" value="Login"></td> </tr> </table> </td> </form> </tr> </table> For REGISTER: andy_test_01.php: <?PHP include('db.php'); /* set some validation variables */ $error_message = ""; /* =============================================== */ /* this section of code will set up an error message for the username if ANY of the conditions occur 1) checks to see if $_POST['username'] is NOT set 2) if length of username is less than 5 3) if username has anything other than letter, numbers or underscores */ if((!isset($_POST['username'])) || (strlen(trim($_POST['username'])) <5) || (trim($_POST['username']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['username'])))) { /* if username is bad start building the error message */ $error_message = "You must enter a valid username<br>"; $error_message = $error_message . "Valid names are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid name was: <font color="red">' . $_POST['username'] . "</font><hr>"; } /* END validating username */ /* =============================================== */ /* =============================================== */ /* this section of code will set up an error message for the password if ANY of the conditions occur 1) checks to see if $_POST['upassword'] is NOT set 2) if length of upassword is less than 5 3) if upassword has anything other than letter, numbers or underscores */ if((!isset($_POST['password'])) || (strlen(trim($_POST['password'])) <5) || (trim($_POST['password']) != preg_replace("/[^a-zA-Z0-9\_]/", "", trim($_POST['password'])))) { /* if it is NOT set, then set the error variable and start building the error message */ $error_message = $error_message . "You must enter a valid password<br>"; $error_message = $error_message . "Valid passwords are min 5 characters and use letters, numbers and underscores only.<br>"; $error_message = $error_message . 'Your invalid password was: <font color="red">' . $_POST['password'] . "</font><hr>"; }else{ $password = trim($_POST['password']); } /* END validating password */ /* =============================================== */ /* =============================================== */ /* validating the email */ /* create a function */ function validateEmailAddress($email) { return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email); } if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) { $error_message = $error_message . "You must enter a valid email address<br>"; $error_message = $error_message . 'The invalid email was: <font color="red">' . $_POST['email'] . "</font><hr>"; } /* END validating email */ /* =============================================== */ /* =============================================== */ /* check to see if username is already taken */ $username = mysql_real_escape_string(trim($_POST['username'])); $query1 = "SELECT username from companies WHERE username = '$username'"; $result1 = mysql_query($query1) or die(mysql_error()); $count = mysql_num_rows($result); if($count>0) { $error_message = $error_message . 'The username: <font color="red">' . $_POST['username'] . "</font> is taken.<hr>"; } /* =============================================== */ /* if any of the post variables are invalid */ /* set the session variable and send back to the form page */ if(strlen(trim($error_message))>0) { $_SESSION['error_message'] =$error_message; header("Location: register.php"); exit(); } /* =============================================== */ /* =============================================== */ /* PREPARE DATA FOR INSERTION INTO TABLE */ /* FUNCTION TO CREATE SALT */ function createSalt() { $string = md5(uniqid(rand(), true)); return substr($string, 0, 3); } $salt = createsalt(); $passwod = trim($_POST['password']); $hash = hash('sha256', $salt, $password); $approved = 0; $username = mysql_real_escape_string(trim($_POST['username'])); $email = mysql_real_escape_string(trim($_POST['email'])); $query2 = "INSERT INTO companies (username, password, email, salt, approved) VALUES('$username', '$hash', '$email', '$salt', '$approved')"; $result2 = mysql_query($query2) or die(mysql_error()); /* =============================================== */ /* at this point we can send an email to the admin as well as the user. DO NOT send the user's password to ANYONE!!!! */ ?> Thank you for registering.<br>; Your account will be approved and activated within 24 hours.<br><br> Click here to return to the <a href="index.php">main page</a>. for this table: <form name="form1" method="post" action="andy_test_01.php"> <table width="316" height="120" border="0"> <tr><td colspan=2><h1>Register/Sign Up</h1></td></tr> <tr><td>Username:</td><td> <input name="username" type="text" id="username"> </td></tr> <tr><td>Password:</td><td> <input name="password" type="password" class="style7" id="password"> </td></tr> <tr><td colspan="2" align="right"> <tr><td>Email:</td><td> <input name="email" type="text" class="style7" id="email"> </td></tr> <tr><td colspan="2" align="right"> <input name="Submit" type="submit" class="style7" value="Register" /> </td></tr> </table> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.