mhasse Posted January 22, 2008 Share Posted January 22, 2008 hi I have a problem with my code I get a mysql_fetch_assoc() supplied argument is not a valid MySQL result resource warning when I run my code. its a basic login page..basi form with username and password.......then it posts to login.php. I open a connection to the db, execute a query and check to see whether a user exists. this is the login.php code..... <?php $user = &_post['username']; $user = &_post['PASSWORD']; $connection = mysql_connect("localhost","root",""); $sql = "select * from Admin where AdminUserName = '$user' and AdminPassword = '$pass'"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); if($row('AdminUserName'] == $user && $row['AdminPassword'] == $pass) { logged in } else { invalid user } ?> please help me - not sure where I am going wrong - I executed the SQL statement in phpmyadmin? thanks Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 22, 2008 Share Posted January 22, 2008 Most likely you have an error in your query. Modify the following line: $result = mysql_query($sql) or die (mysql_error()); Quote Link to comment Share on other sites More sharing options...
Psycho Posted January 22, 2008 Share Posted January 22, 2008 Oh, here's most likely your problem: $user = &_post['username']; $user = &_post['PASSWORD']; Shouldn't that 2nd variable be named $pass??? Quote Link to comment Share on other sites More sharing options...
rhodesa Posted January 22, 2008 Share Posted January 22, 2008 <?php $user = $_POST['username']; $pass = $_POST['PASSWORD']; //Are you sure you want uppercase PASSWORD here? $connection = mysql_connect("localhost","root","") or die("FAILED TO CONNECT TO DATABASE"); $sql = "SELECT * FROM `admin` WHERE `AdminUserName` = '".mysql_real_escape_string($user)."' LIMIT 1"; $result = mysql_query($sql) or die("Query error: ".mysql_error()); $row = mysql_fetch_assoc($result); //Test password here instead of in query if(strcmp($pass,$row['AdminPassword'])) die("Invalid Password"); //Continue here ?> Quote Link to comment Share on other sites More sharing options...
awpti Posted January 22, 2008 Share Posted January 22, 2008 <?php $user = $_POST['username']; $pass = $_POST['PASSWORD']; $connection = mysql_connect("localhost","root",""); $sql = "select * from Admin where AdminUserName = '{$user}' and AdminPassword = '{$pass}'"; $result = mysql_query($sql); if(mysql_num_rows($result) == 1) { //show admin page } else { //go away } /* the below logic is worthless, it's covered in your query. */ if($row('AdminUserName'] == $user && $row['AdminPassword'] == $pass) { } Try that. Quote Link to comment Share on other sites More sharing options...
rhodesa Posted January 22, 2008 Share Posted January 22, 2008 $sql = "select * from Admin where AdminUserName = '{$user}' and AdminPassword = '{$pass}'"; This query is VERY insecure. Please stick to at least the query section of the code I posted. Quote Link to comment Share on other sites More sharing options...
awpti Posted January 22, 2008 Share Posted January 22, 2008 Easiest fix: <?php $user = mysql_real_escape_string($_POST['username']); $pass = mysql_real_escape_string($_POST['password']); ?> Quote Link to comment Share on other sites More sharing options...
mhasse Posted January 22, 2008 Author Share Posted January 22, 2008 hi there thanks for your help, I will give it a try and let you guys know if it worked. I am very new to PHP and have literally just picked up a book last weekend. Thanks again. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.