
I know I can connect to the database. I had checked it before I revised my code.

When the admin logs in I want to redirect to tableedit.php but if the user is not the admin I want to redirect to tableuser.php.

This is the error:

Warning: mysql_fetch_array() expects parameter 1 to be resource, string given in C:\xampp\htdocs\joy\inventory\login.php on line 47 Query failed

Here's the code:

//Create query
$qry="SELECT * FROM user WHERE username='$username' AND password='".md5($_POST['password'])."'";

while($row=mysql_fetch_array($qry));

$result = $row['username'];
{
//Check whether the query was successful or not
if($result) {
    if(mysql_num_rows($result)== 'admin'){
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME'] = $member['password'];
        session_write_close();
        header("location: tableedit.php");
        exit();
    }
    elseif(mysql_num_rows($result) != 'admin') {
        //Login Successful   
        session_regenerate_id();
        $member = mysql_fetch_assoc($result);
        $_SESSION['SESS_MEMBER_ID'] = $member['id'];
        $_SESSION['SESS_FIRST_NAME'] = $member['username'];
        $_SESSION['SESS_LAST_NAME'] = $member['password'];
        session_write_close();
        header("location: tableuser.php");
        exit();
    } else {
        //Login failed
        $errmsg_arr[] = 'Username and password not found.';
        $errflag = true;
        if($errflag) {
            $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
            session_write_close();
            header("location: index.php");
            exit();
        }
    }
} else {
    die("Query failed");
}}
RiggsFolly
cring
  • Quite frankly the code is a complete mess. Before you ask for help, try reading the php manual http://php.net/docs.php – RiggsFolly Sep 26 '13 at 19:05

3 Answers


You should first do mysql_query and put the result in an array. After this:

   $qry="SELECT * FROM user WHERE username='$username' AND
         password='".md5($_POST['password'])."'";

Do this:

$result = mysql_query($qry);

Next,

 while($row = mysql_fetch_array($result)){
    // stuff
    }

Furthermore, it is recommended that you use a salt with md5 for good security. To further add, you can use sha1 for even better security.

Sasanka Panguluri

mysql_fetch_array expects a MySQL resource as a parameter. A resource is returned from mysql_query, so it should be

$qry = 'YOUR QUERY';
$res = mysql_query($qry);
while ($row = mysql_fetch_array($res)) {
    // use $row here
}

and... mysql_num_rows will never return 'admin' (it returns an integer, the number of rows in the given resource), so you'll always be redirected to tableuser.php

and in this case you don't need "elseif", "else" would be great here :)

and, why mysql_* functions? try PDO :)

kao3991

There are a number of problems with your code... A lot of the mysql_* functions don't work the way you seem to think that they do. What resources are you using to learn from?

For most php functions you can visit: http://php.net/FUNCTION_NAME

Examples:

  1. http://php.net/mysql_query
  2. http://php.net/mysql_num_rows
  3. http://php.net/mysql_fetch_array

Code

The following code should get you started. You can add all of the $_SESSION stuff in the relevant places (see comments).

// $username is interpolated into the SQL string, so it must already be escaped (mysql_real_escape_string)
$password = md5($password);
$qry= mysql_query("SELECT * FROM user WHERE username='$username' AND password='$password'");
if(mysql_num_rows($qry)){
    while($row = mysql_fetch_array($qry)){
        if($row['username'] == 'admin'){
            //The user IS the admin
            header('location:tableedit.php');
        }
        else{
            //The user is NOT admin
            header('location:tableuser.php');
        }
    }
}
else{
    //Login failed
    header('location:/');
}

exit; //Only need this once at the end

mysqli::

I strongly suggest that you also consider changing to mysqli (or PDO)... The following would get you started if you were to do that:

$mysqli = new mysqli('localhost', 'USERNAME', 'PASSWORD', 'DATABASE'); //Replace USERNAME, PASSWORD, DATABASE to the actual database username etc.

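// $username is interpolated into the SQL string, so escape it first with $mysqli->real_escape_string()
$password = md5($password);
$qry= $mysqli->query("SELECT * FROM user WHERE username='$username' AND password='$password'");
if($qry->num_rows){
    while($row = $qry->fetch_assoc()){
        if($row['username'] == 'admin'){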
            //The user IS the admin
            header('location:tableedit.php');
        }
        else{
            //The user is NOT admin
            header('location:tableuser.php');
        }
    }
}
else{
    //Login failed
    header('location:/');
}

exit; //Only need this once at the end

For more info check the docs:

  1. http://php.net/mysqli_query
  2. http://php.net/mysqli_num_rows
  3. http://php.net/mysqli_fetch_assoc
  4. http://php.net/mysqli
Steven
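
The PDO route the answers recommend, as an added example (not code from the question or from any answer): a parameterized lookup, `password_hash()`/`password_verify()` in place of MD5, and the admin/user redirect decided from the fetched row. The in-memory SQLite database, the `password_hash` and `role` columns, the sample accounts, and the function names `authenticate` and `landing_page` are assumptions made for the demo; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example. A constructed in-memory SQLite table stands in for the page's MySQL `user` table.
// The `password_hash` and `role` columns are assumptions, not part of the original schema.

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // The placeholder keeps user input out of the SQL text: a quote in the name is data, not syntax.
    $stmt = $pdo->prepare('SELECT id, username, password_hash, role FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt and cost from the stored hash and compares in constant time.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null;                       // same result for unknown user and wrong password
    }
    unset($user['password_hash']);         // never carry the hash into the session
    return $user;
}

function landing_page(array $user): string
{
    // Decide from a stored role, not from a row count.
    return $user['role'] === 'admin' ? 'tableedit.php' : 'tableuser.php';
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, role TEXT)');
$ins = $pdo->prepare('INSERT INTO user (username, password_hash, role) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['alice', password_hash('constructed-user-pw', PASSWORD_DEFAULT), 'user']);

$attempts = [
    ['admin', 'constructed-admin-pw'],
    ['alice', 'constructed-user-pw'],
    ['alice', 'wrong'],
    ["o'brien", 'anything'],               // quote is bound as a literal, matches no row
];
foreach ($attempts as [$name, $pw]) {
    $user = authenticate($pdo, $name, $pw);
    echo str_pad($name, 10), ' -> ', $user ? landing_page($user) : 'index.php (login failed)', PHP_EOL;
}
```

In login.php, call `session_regenerate_id(true)`, store the returned `id` in `$_SESSION`, then send `header('Location: ' . landing_page($user))` followed by `exit`.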