MySQL warning, WHERE clause

Question

Do you have any idea what causes the warning message on this simple bit of code?

if(isset($_POST['remember']))
{
       $query_cookie = ("SELECT id FROM users WHERE email = '$email' OR username = '$username'"); 
       $result_cookie = mysql_query($query);
       $row_cookie = mysql_fetch_array($result_cookie); // LINE 36
       $id = $row_cookie; // Will be hashed before using
       setcookie( "Remember", $id, strtotime( '+30 days' ) ); 
       echo $id;
}

Here is the error that I got:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\Signup\includes\login.php on line 36

The other problem that I have concerns my query. Basically I have a login form with three inputs: one for username, one for email, one for password. I want the user to be able to log in with either his username or password. However the query looks kinda weird to me and I wonder if it would work as expected, because the final query will end in something like this:

SELECT id FROM users WHERE email = 'user@host.com' OR username = ''

or the other way around. I guess this query is not fully functional. I'm open to suggestions if you have any.

$id is the same thing as $row_cookie atm because $id will be hashed. Would it be ok if I'd do a simple $id = sha1(md5($row_cookie)); ?

I know that MySQL is depreciated. I'll switch to MySQLi soon enough so no worries there.

As you can see there are actually three questions. If that's a problem please let me know before downrating so I can edit my question. Thanks!

[Don't use mysql_* extension](http://www.php.net/en/mysql_query) as they’re deprecated. Use [PDO](http://php.net/manual/en/book.pdo.php) or [MSQLi](http://php.net/manual/en/book.mysqli.php) instead. — xlecoustillier, Sep 13 '13 at 08:24
_" I'll switch to MySQLi soon enough so no worries there."_ The fact that you're still using the deprecated (and unsafe) extension _is_ a worry. — Elias Van Ootegem, Sep 13 '13 at 08:31
I know. The problem is that many tutorials on the internet and many classes teach the depreciated way. And even if it's a known fact that by the time a material gets put together a small bit of it is obsolate, when you're just starting and see how many depreciated things you learned for nothing it takes a bit of time to switch to the new, better ways. I'm not excusing my use of MySQL, I'm just saying the way it is for most new developers. — SporeDev, Sep 13 '13 at 08:35
@SporeDev: There are many tuts (and examples on this site) of [how to use `PDO` or `MySQLi` already](http://codular.com/php-mysqli), aimed at beginners. I realize there are many old tuts out there, but the deprecation of `mysql_*` was announced in 2009! If you're using `mysql_*`-based tuts, you're using the wrong resources. That's what I meant by my comment. It wasn't meant as a sneer or critique on your person... just letting you know that migrating is harder than learning the right things from the get-go — Elias Van Ootegem, Sep 13 '13 at 08:43
I know. I wasn't taking it personally. I just expressed my concerns regarding the ways PHP is being taught on most sources. Frankly, I tried switching to MySQLi as soon as I learned (from SO) that MySQL is depreciated but that didn't went too well. PDO is a little bit out of my league at the moment, since, as you can see, I'm still struggling with the if and elses. I wanted to ask a question in which I'd post my current mysql_connect file and ask how it would be translated to MySQLi but I was afraid of being marked for duplicate content while I can't find any easy solutions. — SporeDev, Sep 13 '13 at 08:55
@SporeDev: the question you thought about posting is going to be closed in under 10 minutes (duplicate, not a valid SO question, ...). What you could do is post it on code-review, but not without posting your attempts to translate it to `mysqli_*` along side. Still, 9/10 functions work just fine if you change `mysql_*` to `mysqli_*`. Can't see what's so hard about that — Elias Van Ootegem, Sep 14 '13 at 08:34

score 2 · Answer 1 · answered Sep 13 '13 at 08:22

2

Change $query_cookie to $query.

Try:

$result_cookie = mysql_query($query_cookie);

You are referring to $query in your mysql_query() statement. That variable does not exist.

answered Sep 13 '13 at 08:22

Henkealg

1,376
1
15
19

I did that and now I get the following warning: Warning: setcookie() expects parameter 2 to be string, array given in C:\xampp\htdocs\Signup\includes\login.php on line 38 – SporeDev Sep 13 '13 at 08:24
@SporeDev: That's because you're passing `$id`, which is an array, when you should be passing `$id['id']`... – Elias Van Ootegem Sep 13 '13 at 08:32
Ok, I edited that line and now I get a notice: Notice: Use of undefined constant id - assumed 'id' in C:\xampp\htdocs\Signup\includes\login.php on line 37 The id is echoed properly. – SporeDev Sep 13 '13 at 08:41
1

The notice means that you've not quoted the key: `$id['id']`<== quotes, no notice ==> `$id[id]` <== no quotes, notice – Elias Van Ootegem Sep 13 '13 at 08:44

score 2 · Answer 2 · answered Sep 13 '13 at 08:22

from the docs

For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

You should always check if the result of your mysql_query call is not false, before trying to extract records from it.

You also are passing the wrong variable to your mysql_query call. your SELECt is in $query_cookie and you are passing $query.

score 1 · Answer 3 · answered Sep 13 '13 at 08:23

1

You made a little mistake:

 $query_cookie = ("SELECT id FROM users WHERE email = '$email' OR username = '$username'"); 
 $result_cookie = mysql_query($query_cookie);
 $row_cookie = mysql_fetch_array($result_cookie);

answered Sep 13 '13 at 08:23

Matheno

3,977
6
33
51

score 1 · Accepted Answer · edited May 23 '17 at 10:25

1

Assuming that the email or username fields are unique and you are rejected possible SQL injection, Try:

if (isset($_POST['remember'])) {
    $query_cookie = ("SELECT id FROM users 
        WHERE email = '$email' OR username = '$username'");
    $result_cookie = mysql_query($query_cookie);
    if ($result_cookie) {
        $row_cookie = mysql_fetch_array($result_cookie);
        $id = $row_cookie['id'];
        setcookie("Remember", $id, strtotime('+30 days'));
        echo $id;
    }
}

After fetching result to get id try: $row_cookie['id'].

I suggest to use bcrypt for hashing. It's an hashing algorithm which is scalable with hardware.

See further information:

edited May 23 '17 at 10:25

Community

1
1

answered Sep 13 '13 at 08:25

Vahid Hallaji

6,676
4
42
49

While all of the answers helped a lot, this is the complete working solution. Please let me know what you think, if there's enough to simply add a md5 and sha1 encryption to the id or not. Thanks! – SporeDev Sep 13 '13 at 08:47
@SporeDev Do you want to implement `remember me` functionality? – Vahid Hallaji Sep 13 '13 at 08:56
@SporeDev I suggest to use `bcrypt` instead, See this answer please: http://stackoverflow.com/a/6337021/1121982 – Vahid Hallaji Sep 13 '13 at 08:59
Yes hallaji. I want to implement the "remember me" functionality. – SporeDev Sep 13 '13 at 09:07
@SporeDev Please check the link that I suggested and also http://stackoverflow.com/a/244907/1121982 – Vahid Hallaji Sep 13 '13 at 09:10
Checked already. Seems like a good solution. Will take some time for me to implement it but I'll do my best and use SO if I have any major problems. Thank you for all the information and help you provided. – SporeDev Sep 13 '13 at 09:16

score 1 · Answer 5 · answered Sep 13 '13 at 08:27

1

Try this:

 change $id = $row_cookie[id]; instead of $id = $row_cookie;

answered Sep 13 '13 at 08:27

Guru

633
1
4
12

plain jane · Answer 6 · 2013-09-13T08:52:30.230

0

Check if records are returned or not.

  if(isset($_POST['remember']))
  {
      $query_cookie = ("SELECT id FROM users WHERE email = '$email' OR username = '$username'"); 
      $result_cookie = mysql_query($query);
      if($result_cookie === FALSE) {
          echo "Could not successfully run query ($query) from DB: " . mysql_error();
          exit;
      }
      $row_cookie = mysql_fetch_array($result_cookie); // LINE 36
      $id = $row_cookie; // Will be hashed before using
      setcookie( "Remember", $id, strtotime( '+30 days' ) ); 
      echo $id;
   }

edited Sep 13 '13 at 08:52

answered Sep 13 '13 at 08:35

plain jane

1,011
1
8
19

why do people abuse `die()`? – itachi Sep 13 '13 at 08:48

MySQL warning, WHERE clause

6 Answers6