
mysql query fail

Posted: Fri Apr 20, 2007 8:46 pm
by mevets
I have a database of users. When I try to authenticate users to see if they have provided the correct password, I am always thrown an error. I thought the problem was that the username and password fields were varchar datatypes in my table, but not so; I still get thrown an error that the result of the query is invalid.

Code:

$dbh = mysql_connect ("localhost", $user, $password);
mysql_select_db ($db);


if ($_POST['btnlogin']) {
	$username = $_POST['username'];
	$password = $_POST['password'];
	$sqlusers = "SELECT * FROM users WHERE username = $username";
	$result = mysql_query($sqlusers) or mysql_error(); //this doesn't ever seem to be a valid mysql resource.
	if (!mysql_num_rows($result) or mysql_error()) { // this is line 20
		echo 'There are no users registered.';
		die();
	}
	
	$userinfo = mysql_fetch_assoc($result);
	echo 'Thank you for logging in ' . $userinfo['username'];
}

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/workspace/notes/login.php on line 20

Anyone have a clue as to what's up?

Posted: Fri Apr 20, 2007 8:56 pm
by John Cartwright
1. Always pass user input through mysql_real_escape_string()
2. You need to quote $username, ... username = '$username'
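
The two fixes from the reply above, as an added example that is not part of the original thread: the unquoted query from the first post next to the escaped-and-quoted form and a prepared statement. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL table (the mysql_* functions used in the thread were removed in PHP 7); the function names and sample rows are hypothetical.

```php
<?php
// Added example. Assumption: in-memory SQLite (pdo_sqlite) stands in for the
// thread's MySQL `users` table so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username VARCHAR(64), password VARCHAR(255))');
$pdo->exec("INSERT INTO users VALUES ('mevets', 'x'), ('O''Brien', 'y')"); // constructed rows

// Return the matched username, or a marker string when no row matched.
function first_username(PDOStatement $stmt): string
{
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : '(no match)';
}

// 1) As posted: the bare value is parsed as SQL (a column name), not as a string.
function find_unquoted(PDO $pdo, string $username): string
{
    try {
        return first_username($pdo->query("SELECT * FROM users WHERE username = $username"));
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage(); // check for failure before using the result
    }
}

// 2) Both steps of the reply: escape the value and wrap it in quotes.
//    PDO::quote() does both in one call.
function find_quoted(PDO $pdo, string $username): string
{
    $sql = 'SELECT * FROM users WHERE username = ' . $pdo->quote($username);
    return first_username($pdo->query($sql));
}

// 3) Prepared statement: the value is bound, never spliced into the SQL text.
function find_prepared(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return first_username($stmt);
}

foreach (['mevets', "O'Brien"] as $name) { // constructed inputs
    echo "$name\n";
    echo '  unquoted: ', find_unquoted($pdo, $name), "\n";
    echo '  quoted:   ', find_quoted($pdo, $name), "\n";
    echo '  prepared: ', find_prepared($pdo, $name), "\n";
}
```

The name containing an apostrophe shows why quoting alone is not enough: without the escaping step the apostrophe would end the string literal early.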

Posted: Sat Apr 21, 2007 6:43 pm
by mevets
Thank you, worked well!