I just started PHP linked to MySQL and I got a really annoying problem. The complete warning on my server says:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in DIRECTION REMOVED BY ME on line 20 Wrong Username or Password

I am pretty sure the Password or Username is not wrong, it's just the If/else which will give this as a result. So here is the php file which will be called when pressing the login button.

CODE HERE: http://pastie.org/private/tqubwhlha0wcyiotkgzeyg

So why does this happen?

Michael Irigoyen
Maxim Tan
  • As per a few kajillion dupes on this site: Your query has failed. You blindly assumed success, your code blundered on ahead, and now it's broken. – Marc B Jun 05 '13 at 17:38
  • 1) Please add your code to the question, not on a third party site. 2) That error means that your query has failed. Why don't you add an `or die(mysql_error());` at the end of the query line. 3) You shouldn't be using `mysql_` functions any more; they're deprecated. 4) Your query is looking for `$email` and `$password` - $email isn't set, and $password is your database connection password - I think you mean `$myusername` and `$mypassword` – andrewsi Jun 05 '13 at 17:40
  • Oh, and you really shouldn't be storing user's passwords in plaintext. – andrewsi Jun 05 '13 at 17:40
  • Oh yes sure, I DO know I will not store them in plaintext, I will use MD5 or sha-256, this was just a test. – Maxim Tan Jun 05 '13 at 17:42
  • @MaximTan - oh, and you don't set `$users` anywhere, either; so your query is going to fail. You really shouldn't assume that it'll work - you should always check the return value and react accordingly. – andrewsi Jun 05 '13 at 17:50
  • And: Once you have inited a session, there's no need to actually store anything but the user's internal ID (not his login name, nor his password, nor anything else) in the session. – Axel Amthor Jun 05 '13 at 17:57

1 Answer

```php
$myusername=mysql_real_escape_string($_POST['email']);
$mypassword=mysql_real_escape_string($_POST['password']);

$sql="SELECT * FROM $users WHERE email='$email' and password='$password'";
$result=mysql_query($sql);
```

You probably want $mypassword instead of $password, and instead of $email (which is not even set) you have it as $myusername.

The functions you are using are deprecated, have a look at this. Also, (heads up) you really shouldn't store the password (even less if it's plain text!!) in the session, have a look.

Community
Chayemor
  • Thank you very much, this helped me. I really do agree with you, seeing that there is no security in this script, but as this was just a test, I will change it later. What I still don't quite get is why these functions are deprecated, I read about PDO, but I don't get anything about this. – Maxim Tan Jun 05 '13 at 17:58
  • Its state is only under maintenance (it won't grow or become better, plus it's vulnerable to attacks like SQL injection, forcing you to sanitize even more than when using mysqli), it's no longer active and won't even be in the next PHP versions, if you want your project to be scalable it's better to use the APIs that will allow it and not the ones that are no longer active. – Chayemor Jun 06 '13 at 10:40
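
The points raised in the comments and the answer above (check whether the query failed, stop using `mysql_*`, do not store plaintext passwords, keep only the user's ID in the session), combined in an added example that is not part of the original thread. The `users` table, its `id`/`email`/`password_hash` columns, the `authenticate()` function and the sample account are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: constructed schema and sample account, not the asker's real table.
// SQLite in memory stands in for MySQL; for MySQL only the DSN and the
// credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
// Failed queries throw instead of returning false, so a broken query can
// never reach the "count the rows" step unnoticed.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$insert = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
// Store a salted, deliberately slow hash, never the plaintext password.
$insert->execute(['alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns the user's id on success, or null on bad credentials. */
function authenticate(PDO $pdo, string $email, string $password): ?int
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown e-mail and wrong password produce the same result.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed login attempts, standing in for $_POST['email'] / $_POST['password'].
$attempts = [
    ['alice@example.test', 'correct horse'],   // valid credentials
    ['alice@example.test', 'wrong'],           // wrong password
    ["o'neil@example.test", 'x'],              // quote in input is bound as plain data
];
try {
    foreach ($attempts as [$email, $password]) {
        $userId = authenticate($pdo, $email, $password);
        // In the real login page, on success: session_start();
        // session_regenerate_id(true); $_SESSION['user_id'] = $userId;
        echo $email . ': ' . ($userId !== null ? "login ok, user id $userId" : 'Wrong Username or Password') . "\n";
    }
} catch (PDOException $e) {
    // A query failure is logged server-side and reported generically.
    error_log($e->getMessage());
    echo "Login is temporarily unavailable\n";
}
```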