[text]Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in dologin.php on line 15[/text]
I've tried a few things and can't get around the mysql_num_rows for some reason. Also, is there a way to call for a header at the top and choose which header I want to use? Or would that require a different code?
//good practice to check if query failed or not
$sql = "
SELECT *
FROM users
WHERE `user` = '". mysql_real_escape_string($user) ."'
AND `pass` = '". mysql_real_escape_string($pass) ."'
AND `auth` = '1'
";
$loggedin = mysql_query($sql) or die(mysql_error());
Notice my usage of mysql_real_escape_string()? It is absolutely critical that you escape all user input, otherwise they can manipulate the query with SQL injection.
But the reason your query failed is because you are delimiting your WHERE clause with commas, when it should be logical operators, i.e.,
$sql = mysql_query("SELECT * FROM users WHERE user = '" . mysql_real_escape_string($_POST['user']) . "' and (pass = '" . mysql_real_escape_string(md5($_POST['pass'])) . "' and auth = '1'");
Gives me this error?
[text]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
[/text]
Stats on the server are:
Apache version 2.2.16
PHP version 5.2.16
MySQL version 5.1.47-community-log
$sql = mysql_query("SELECT * FROM users WHERE user = '" . mysql_real_escape_string($_POST['user']) . "' and (pass = '" . mysql_real_escape_string(md5($_POST['pass'])) . "' and auth = '1'");
Gives me this error?
[text]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
[/text]
You will want to remove the bracket from in front of "pass", and put the md5 before the mysql_real_escape_string so that you get the MD5 of the escaped string, not the escaped version of the md5 version of the string!
$sql = mysql_query("SELECT * FROM users WHERE user='" . mysql_real_escape_string($_POST['user']) . "' AND pass='" . md5(mysql_real_escape_string($_POST['pass'])) . "' AND auth='1'");
$user = mysql_real_escape_string("$_POST[user]");
$pass = md5(mysql_real_escape_string("$_POST[pass]"));
$sql = mysql_query("SELECT * FROM users WHERE user='$user' AND pass='$pass' AND auth='1'");
<?php
// Initialize session
session_start();
// Include database connection settings
include('config.inc.php');
$user = mysql_real_escape_string("$_POST[user]");
$pass = md5("$_POST[pass]");
// Retrieve username and password from database according to user's input
mysql_select_db($dbname, $con) or die("Unable to select database");
$sql = mysql_query("SELECT * FROM users WHERE `user` ='$user' AND `pass`='$pass' AND `auth` = 'a'");
$loggedin = $sql;
// Check username and password match
if (mysql_num_rows($loggedin) == 1) {
    // Set username session variable
    $_SESSION['user'] = $user;
    // Jump to secured page
    header('Location: site.php');
}
else {
    // Jump to login page
    header('Location: index.php');
}
?>
Alright, now the page acts like it does something but doesn't jump to the site and stays at the index page when I know the values are correct.
Any other ideas?
I echo the $sql and I get Resource id #3
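An added example, not code from any post in this thread: the same login check written with PDO bound parameters and a failure-checked query, so the input never becomes part of the SQL text and a failed statement raises an error instead of reaching the row check as false. It assumes PHP 5.5+ with PDO and the SQLite driver (newer than the 5.2.16 server mentioned above); the in-memory database, the sample account and the check_login() helper are hypothetical stand-ins for the thread's MySQL users table.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database stands
// in for the MySQL `users` table so the script runs without a server.
$db = new PDO('sqlite::memory:');
// Throw an exception when a query fails, so a bad statement is never handed
// to row-handling code as `false`.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT, auth TEXT)');

// Constructed sample account. password_hash() is used here in place of md5().
$ins = $db->prepare('INSERT INTO users (user, pass, auth) VALUES (?, ?, ?)');
$ins->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT), '1'));

// Hypothetical helper: true only for an authorised user with a matching password.
function check_login(PDO $db, $user, $pass)
{
    // Placeholders send the values separately from the SQL text, so quotes in
    // the input cannot change the structure of the query.
    $stmt = $db->prepare('SELECT pass FROM users WHERE user = :user AND auth = :auth');
    $stmt->execute(array(':user' => $user, ':auth' => '1'));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched; only then skip verification.
    return $row !== false && password_verify($pass, $row['pass']);
}

// Constructed inputs: a valid login, a wrong password, and a user name
// containing a quote, which is treated as plain data and matches no row.
var_dump(check_login($db, 'alice', 'correct horse'));
var_dump(check_login($db, 'alice', 'wrong'));
var_dump(check_login($db, "o'brien", 'x'));
```

With MySQL only the DSN and credentials passed to new PDO() change; the prepared statement and the check stay the same.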