I transferred a client's site and DB to a new host and everything was working OK - now it won't allow us to login to admin...

PHP warning:

mysql_numrows(): supplied argument is not a valid MySQL result resource in /home3/profeto0/public_html/ptapayroll/login_process.php on line 13

 

login process code:

- line 13: $affected_rows=mysql_numrows($logSearch);

 

 

whole script:

<?php
session_start();
?>
<html><body>
<? include("connection.php"); ?>
<?
$user_name = $_POST['uname'];
$pass = $_POST['pass'];

$query = "SELECT * FROM User WHERE UserUsername = '".$user_name."' AND UserPassword = '".$pass."'";

$logSearch=mysql_query($query);
$affected_rows=mysql_numrows($logSearch);

//if there's exactly one result, the user is validated. Otherwise, he's invalid
if($affected_rows == 1) {
    $_SESSION["logged_in"] = "yes";
    $_SESSION["admin"] = mysql_result($logSearch, 0,"UserAdmin");
    $_SESSION["manager"] = mysql_result($logSearch, 0,"UserManager");
    $_SESSION["reviewer"] = mysql_result($logSearch, 0,"UserReviewer");
    $_SESSION["ufullname"] = mysql_result($logSearch, 0,"UserFirstName") . " " . mysql_result($logSearch, 0,"UserLastName");
    $_SESSION["u_id"] = mysql_result($logSearch, 0, "UserID");
    $_SESSION["ulastname"] = mysql_result($logSearch, 0, "UserLastName");

    if (mysql_result($logSearch, 0, "UserTutor") == 1){
        $query2 = "SELECT * FROM User WHERE UserID = '".$_SESSION["u_id"]."'";
        $tSearch=mysql_query($query2);
        $_SESSION["tutorID"] = mysql_result($tSearch, 0, "UserID");
        if (mysql_result($logSearch, 0, "UserFirstLog") == 0){
?>
<script language="javascript">
window.location.href = "changepassword.php";
</script>
<?

        }
    }
?>
<script language="javascript">
window.location.href = "home.php";
</script>
<?
}
else {
?>
<script language="javascript">
alert("Not valid Login");
window.location.href= "login.php";
</script>
<?
}
?>
</body></html>

 

Please help! This is a NFP tutoring website that can't be down!

 

Thanks Freaks,

Aloha

And when you added debug output, what happened?

 

We can't just look at this and figure out what error message is being thrown by mysql.  Make use of mysql_error to figure out why that query is failing.

 

Also, unrelated to the current problem, but you have no security whatsoever.  There's no hashing on your password table and there's not even basic SQL injection protection.

now it won't allow us to login to admin...

 

That's not true, anyone can login with:

 

username: any existing username followed by ' --

password: whatever, everything will work ^^

 

If you don't know the username, try:

 

username: foobarbat' OR 1 --

password: whatever, again anything will work here ^^

 

Just an example of how you can use SQL injection to log into your application with and without a valid username.

 

To figure out why the query is failing change line 12 to:

 

$logSearch=mysql_query($query) or die(mysql_error());
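
The points raised in the replies (see the real query error, hash the passwords, block the injection), put together as an added example that is not code from this thread or from the site. It assumes PDO is available; the `authenticate` helper and the `UserPasswordHash` column are hypothetical, the sample user is constructed, and in-memory SQLite stands in for MySQL so it runs offline.

```php
<?php
// Added example, not the site's code. Table and column names follow the
// thread's script; UserPasswordHash is an assumed column replacing the
// plaintext UserPassword. In-memory SQLite stands in for MySQL here.
declare(strict_types=1);

function authenticate(PDO $db, string $userName, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text entirely,
    // so quotes and comment markers in the username are just data.
    $stmt = $db->prepare(
        'SELECT UserID, UserAdmin, UserPasswordHash FROM User WHERE UserUsername = ?'
    );
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password never enters the query; it is checked against a salted hash.
    if ($row === false || !password_verify($password, $row['UserPasswordHash'])) {
        return null;
    }
    unset($row['UserPasswordHash']);
    return $row;
}

// ERRMODE_EXCEPTION makes a failed query throw with the driver's message
// instead of handing `false` to the next call (the warning in the first post).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE User (UserID INTEGER PRIMARY KEY, UserUsername TEXT UNIQUE,
           UserPasswordHash TEXT, UserAdmin INTEGER)');
// Constructed sample row.
$db->prepare('INSERT INTO User (UserUsername, UserPasswordHash, UserAdmin) VALUES (?, ?, 1)')
   ->execute(['aloha', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: one valid login plus the two usernames quoted in the thread.
$attempts = [
    ['aloha', 'correct horse'],
    ["aloha' --", 'whatever'],
    ["foobarbat' OR 1 --", 'whatever'],
];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($db, $u, $p);
    printf("%-22s => %s\n", $u, $user ? 'accepted (UserID ' . $user['UserID'] . ')' : 'rejected');
}
```

In the real application the connection would point at MySQL through the `pdo_mysql` driver, and existing plaintext passwords would have to be replaced with `password_hash` output before this check can succeed.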
