newbie php problem - logging in....

mhasse · January 22, 2008

hi

I have a problem with my code

I get a mysql_fetch_assoc() supplied argument is not a valid MySQL result resource warning when I run my code.

its a basic login page..basi form with username and password.......then it posts to login.php. I open a connection to the db, execute a query and check to see whether a user exists.

this is the login.php code.....

<?php

$user = &_post['username'];

$user = &_post['PASSWORD'];

$connection = mysql_connect("localhost","root","");

$sql = "select * from Admin where AdminUserName = '$user' and AdminPassword = '$pass'";

$result = mysql_query($sql);

$row = mysql_fetch_assoc($result);

if($row('AdminUserName'] == $user && $row['AdminPassword'] == $pass)

{

logged in

}

else

{

invalid user

}

?>

please help me - not sure where I am going wrong - I executed the SQL statement in phpmyadmin?

thanks

Psycho · January 22, 2008

Most likely you have an error in your query. Modify the following line:

$result = mysql_query($sql) or die (mysql_error());

Psycho · January 22, 2008

Oh, here's most likely your problem:

$user = &_post['username'];
$user = &_post['PASSWORD'];

Shouldn't that 2nd variable be named $pass???

rhodesa · January 22, 2008

<?php
  $user = $_POST['username'];
  $pass = $_POST['PASSWORD']; //Are you sure you want uppercase PASSWORD here?

  $connection = mysql_connect("localhost","root","")
    or die("FAILED TO CONNECT TO DATABASE");

  $sql = "SELECT * FROM `admin` WHERE `AdminUserName` = '".mysql_real_escape_string($user)."' LIMIT 1";
  $result = mysql_query($sql)
    or die("Query error: ".mysql_error());
  $row = mysql_fetch_assoc($result);

  //Test password here instead of in query
  if(strcmp($pass,$row['AdminPassword']))
    die("Invalid Password");

  //Continue here
?>

awpti · January 22, 2008

<?php

$user = $_POST['username'];
$pass = $_POST['PASSWORD'];

$connection = mysql_connect("localhost","root","");

$sql = "select * from Admin where AdminUserName = '{$user}' and AdminPassword = '{$pass}'";

$result = mysql_query($sql);

if(mysql_num_rows($result) == 1)
{
  //show admin page
}
else
{
  //go away
}

/* the below logic is worthless, it's covered in your query. */
if($row('AdminUserName'] == $user && $row['AdminPassword'] == $pass)
{

}

Try that.

rhodesa · January 22, 2008

$sql = "select * from Admin where AdminUserName = '{$user}' and AdminPassword = '{$pass}'";

This query is VERY insecure. Please stick to at least the query section of the code I posted.

awpti · January 22, 2008

Easiest fix:

<?php
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
?>

mhasse · January 22, 2008

hi there thanks for your help, I will give it a try and let you guys know if it worked. I am very new to PHP and have literally just picked up a book last weekend.

Thanks again.

Sign In

newbie php problem - logging in....

Recommended Posts

mhasse

Link to comment

Share on other sites

Psycho

Link to comment

Share on other sites

Psycho

Link to comment

Share on other sites

rhodesa

Link to comment

Share on other sites

awpti

Link to comment

Share on other sites

rhodesa

Link to comment

Share on other sites

awpti

Link to comment

Share on other sites

mhasse

Link to comment

Share on other sites

Join the conversation

Browse

Activity

Important Information