msqli is it wrong

[ecabrera]

OK so i cant log in i make it only to

 

 

if($num_rows != 1){
 

my username and password are right but i keep getting user does not exist 

i dont get erros only warnning undiefiend index but thats not probelm

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');
	//start the sessoin
	session_start();
	
	//connect to db
	require "scripts/db.ini.php";
	
	$username = mysqli_real_escape_string($db,$_POST['username']);
	$password = mysqli_real_escape_string($db,$_POST['password']);

	if(isset($_POST['loginbtn'])){

	if($username && $password){
	
	//sql command
	$getstaff = "SELECT * FROM `staff` WHERE `username` = '$username'";
	
	//execute the query 
	$query = mysqli_query($db,$getstaff);
	
	//get the number of rows
	$num_rows = mysqli_num_rows($query);
	
	if($num_rows != 1){
	
	//get the info
	$rows = mysqli_fetch_assoc($query);
	
	//setting the data in indivaul variables
	$dbusername = $rows['username'];
	$dbpassword = $rows['password'];
	
	//getting the password the user enter and making it hash
	//in order for it to match in the database
	$password = md5('$password');
	
	if($dbusername === $username && $dbpassword === $password){
	
		//create the session
		$_SESSION['username'] = $usersession;
		//redircet them to the control panel
		header("location: controlpanel.php");
	
	}else
		$msg = "Please check your username or password";
	}else
		$msg = "User does not exist";
	}else
		$msg = "Please enter your username and password";
	}
?>

 

 

 

[teynon]

If you run the query in the database, what does it return

[ecabrera]

It returns that user i'm trying to log in as

[teynon]

echo $num_rows;

[teynon]

Let me see if I can teach a man (or woman) to fish today.

 

You know that it isn't getting into the if statement. In order to get into the if statement, what conditions must be true?

$num_rows != 1 ($num_rows must be less than or greater than 1)

 

So, if there is a username, how many results will be returned?

[ecabrera]

ok i echo my  num_rows and got 1 so i change the it to this $num_rows != 0 

but know its saying to check my 

 

if($username && $password)
 

[teynon]

Ok, so let's apply the same logic.

 

What are the conditions for $username && $password?

 

How can you tell if those conditions are met? You need to know what is in those variables, correct? So let's output those to the page so you can see them.

[ecabrera]

well in $username && $password im checking to see if the fields in the form are not empty. 

[teynon]

Ok, so if you output those variables, what does it output to the browser?

 

And when you check it like if ($var), you are checking if it is true or false. You should try using if (!empty($var)) this will be more descriptive of what you are doing when you read it.

 

I could probably solve this quickly for you, but I think it's better if you learn how to debug it, which is why I'm giving you these questions.

[Jessica]

md5('$password'); is the hash of the LITERAL STRING '$password'. Not the value contained in $password.

 

I don't get why this has to be said a dozen times a week. Who is teaching put everything in a string anyway?

[ecabrera]

OK i fixed it it had something to due with my sessions and how they were set up

 

 

teynon Thanks for your help 

 

Jessica sorry if i cant be as good as you and know stuff right away

[teynon]

Jessica, your posts make me smile sometimes. When you fix the message that Jessica has stated and it's still not logging in, try applying the logical steps as I've been trying to tell you. I can identify another issue with your session variable as well.

 

--- Edit: Simultaneous post. As for your comment on Jessica, no need to get all defensive. The point is that a lot of questions get posted here and they are not very well formed or miss several basic steps in debugging. You should look through some of the links in your signature such as how to ask questions and debugging your code. Asking other users to debug your code everytime something doesn't work isn't helping you become better at developing. Being a good developer means that you can debug your own code. Only after you have attempted to debug it, do you ask a question.

Edited March 5, 2013 by teynon

[Jessica]

OK i fixed it it had something to due with my sessions and how they were set up

 

 

teynon Thanks for your help 

 

Jessica sorry if i cant be as good as you and know stuff right away

Uhm, the problem has NOTHING to do with sessions. You're comparing every password in your DB to '$password'.

Which, if your registration code has the same problem... anyone can login with any password.

 

 

My question was a sincere one. Why did you put a variable inside a string, for no apparent reason? think critically about everything you do. If you can't explain what every single character is for, learn what it does and you'll become better.

[johnsmith153]

I think somebody just needs to point out that...

 

md5('$password')

...is obviously not what he wanted to do.

 

I don't think he did it for any reason and I don't think the discussion in this post will actually help him.

 

I think pointing out that the above line of code is very different to any of these will help:

 

 

md5($password)
md5('{$password}')
md5("$password")

 

In other words a variable can't be placed inside single quotes. It must be double quotes or enclosed by curly brackets.

 

I understand not giving him the answer straight away and it helps to find the answer yourself, but in this case I think you all toyed with him a little too much.

[Christian F.]

johnsmith: You might want to read the thread a bit closer the next time, Jessica has already pointed that out.

[trq]

It must be double quotes or enclosed by curly brackets.

Curly braces make no difference. Variables are not interpolated within single quotes . Full stop.

[johnsmith153]

johnsmith: You might want to read the thread a bit closer the next time, Jessica has already pointed that out.

...and I was elaborating on it. I don't think he understood though as he then commented on something to do with sessions. I just made it clearer. Where's the problem in that?

 

Curly braces make no difference. Variables are not interpolated within single quotes . Full stop.

Apologies. Thanks for pointing it out. Christian obviously missed that too.

[teynon]

There was an issue with his session variable as well. He was assigning $usersession instead of $username. I don't want to just give people simple answers anymore. For example in this post: http://forums.phpfreaks.com/topic/275257-php-echo-numbering/ where the poster obviously hasn't tried anything. The point is, these type of questions are failing at simple debugging. Just giving them the answer will solve their current problem, but only teaches them to come back here next time they debug. "Give a man a fish feed him for a day. Teach a man to fish, feed him for life."

[KevinM1]

md5('$password'); is the hash of the LITERAL STRING '$password'. Not the value contained in $password.

 

I don't get why this has to be said a dozen times a week. Who is teaching put everything in a string anyway?

 

Not to mention that md5 should never be used for passwords as it's insecure.

[Jessica]

I don't think he did it for any reason

Exactly. That's my point. If he's going to (subtly) complain that he doesn't know enough to fix it, I'm explaining how to get better and learn.

 

If you're randomly throwing things at the keyboard your code won't work. There should be a reason for everything you do.

 

It also was a very sincere question about WHY people do this, because it's a newbie thing to do that I just plain don't understand. Literally several times a week someone posts on here and at least part of their problem is a variable in a literal string. For a few weeks I had a rant about it in my signature, it's so prevalent.

I want to know *what* site, book, tutorial, etc, is leading people to believe they should a. put variables in strings when they have no other text to add, and b. use single quoted strings for variables. So I can hunt it down and squish it.

[Jessica]

There was an issue with his session variable as well. He was assigning $usersession instead of $username.

Good point.

 

The fact that changing that "fixed" the problem makes me much more sure he has the same '$password' issue in other places, otherwise he should have not been logged in at this point.