
Catchable fatal error???

Posted: Tue Mar 17, 2009 12:17 pm
by mrjtfool
pickle | Please use [ code=php ], [ code=text ], etc tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: :arrow: Posting Code in the Forums to learn how to do it too.


Hi, I am having trouble with one of my PHP scripts.

The script is meant to use a username and password entered from an HTML form to then assign session variables that can be used during the user's time on my website.

Here's the code:


<?php
 
session_start();
//These variables are from a previous script that takes the user's username and password from a form
$username = $_POST["username"]; 
$password = $_POST["password"];
//Connect to database
$mysqli = mysqli_connect("localhost", "myusername", "mypassword", "mydatabase");
//If it fails then this tells me why
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
} else {
//Run query 
    $sql = "SELECT username FROM login WHERE username ='$username' AND password ='$password'";
//Saves result as variable $username    
    $username = mysqli_query($mysqli, $sql)
                 or die(mysqli_error($mysqli));
//Run query this is the query it has trouble with                
    $sql = "SELECT password FROM login WHERE username ='$username' AND password ='$password'";
//Save result as variable $password 
    $password = mysqli_query($mysqli, $sql)
                 or die(mysqli_error($mysqli));
//Run query
    $sql = "SELECT access_level FROM login WHERE username ='$username' AND password ='$password'";
//Saves result as variable $accesslevel 
    $accesslevel = mysqli_query($mysqli, $sql)
                 or die(mysqli_error($mysqli));
//Run query              
    $sql = "SELECT branch FROM login WHERE username ='$username' AND password ='$password'";
//Saves result as variable $branch 
    $branch = mysqli_query($mysqli, $sql)
                 or die(mysqli_error($mysqli));
//Ensures the password entered exists in database    
    $check = mysqli_num_rows($password);
    if ($check==1){
//Creates 4 session variables that are used throughout the user's session
        $_SESSION['username'] = $username;
        $_SESSION['password'] = $password;
        $_SESSION['access_level'] = $accesslevel;
        $_SESSION['branch'] = $branch;
        header("location:home.php");    
    }
//Otherwise tell them they have the wrong username and password
    else {
        echo "Wrong username or password";
        ?><br></br><a href="login.html">Go Back</a><?
    }   
//Close MySQL connection    
    mysqli_close($mysqli);
}
?>

Thing is, I keep getting this same error message, which I've never seen before:
Catchable fatal error: Object of class mysqli_result could not be converted to string in log_user_in.php on line 20

It seems to be pointing towards my second SQL statement in the above code but I can't see why that's affected but the one above it is fine??

Any help would be most appreciated on this topic.

Thanks in advance!!



Re: Catchable fatal error???

Posted: Tue Mar 17, 2009 3:00 pm
by pickle
I have no idea why you're doing what you're doing.

1) There's no need to do 3 separate queries. All three of those fields can be retrieved in one query.
2) Why are you bothering to retrieve the username and password anyway? The password shouldn't ever be needed after the initial login, and the username was already given to you by the user.
3) You should really escape $username and $password before putting them in a query.
4) mysqli_query returns a result set, not a string - you can't use mysql_query to retrieve the username, password, and access_level like that.
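
The four points in the reply above, applied to the posted script, as an added example that is not code from either poster. It uses a mysqli prepared statement with bound parameters in place of manual escaping, and keeps the table, column and credential placeholders from the original post.

```php
<?php
// Added example, not the original poster's code. Table, column and credential
// names are the placeholders from the post.
session_start();
mysqli_report(MYSQLI_REPORT_OFF); // make failures return false so the checks below run

// Missing form fields become empty strings.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

$mysqli = mysqli_connect("localhost", "myusername", "mypassword", "mydatabase");
if (!$mysqli) {
    error_log("Connect failed: " . mysqli_connect_error()); // detail stays server-side
    exit("Login is temporarily unavailable.");
}

// One query for every column needed. The ? placeholders keep user input out
// of the SQL text. The password is compared as the posted table stores it.
$stmt = mysqli_prepare(
    $mysqli,
    "SELECT access_level, branch FROM login WHERE username = ? AND password = ?"
);
if ($stmt === false) {
    error_log("Prepare failed: " . mysqli_error($mysqli));
    exit("Login is temporarily unavailable.");
}
mysqli_stmt_bind_param($stmt, "ss", $username, $password);
mysqli_stmt_execute($stmt);

// A statement yields rows, not strings: bind the columns to variables and
// fetch one row to get the actual values.
mysqli_stmt_bind_result($stmt, $accesslevel, $branch);
$found = mysqli_stmt_fetch($stmt); // true = row, null = no match, false = error
mysqli_stmt_close($stmt);
mysqli_close($mysqli);

if ($found === true) {
    session_regenerate_id(true);            // fresh session id after login
    $_SESSION['username']     = $username;  // the value the user supplied
    $_SESSION['access_level'] = $accesslevel;
    $_SESSION['branch']       = $branch;    // the password is not kept in the session
    header("Location: home.php");
    exit();
}

echo 'Wrong username or password<br><a href="login.html">Go Back</a>';
```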