0

Im novice to php. I am trying to make user authentication form in php. Here is my code:

HTML:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>ORMS Login Form</title>
</head>
<body>
<form method="post" action="validate_login.php" >
    <table border="1" >
        <tr>
            <td><label for="user_name">Username</label></td>
            <td><input type="text" 
              name="user_name" id="user_name"></td>
        </tr>
        <tr>
            <td><label for="pass">Password</label></td>
            <td><input name="pass" 
              type="password" id="pass"></input></td>
        </tr>
        <tr>
            <td><input type="submit" value="Submit"/>
            <td><input type="reset" value="Reset"/>
        </tr>
    </table>
  </form>
  </body>
 </html>

Validate_login.php:

<?php

// Grab User submitted information    
 $name = $_POST["user_name"];
 $pass = $_POST["pass"];

 // Connect to the database
 $con = mysql_connect("localhost","root","");
   // Make sure we connected succesfully
 if(! $con)
 {
   die('Connection Failed'.mysql_error());
  } 

    // Select the database to use
    mysql_select_db("orms",$con);

    $result = mysql_query("SELECT user_name, pass FROM waiterAccount where user_name=$name"); //LINE 20

  $row = mysql_fetch_array($result);

    echo $row["user_name"]."  ".$row["pass"]."<br>";

    if($row["user_name"]==$name && $row["pass"]==$pass)
      echo"You are a validated user.";
    else
        echo"Sorry, your credentials are not valid, Please try again.";
   ?>

Output is:

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\orms\validate_login.php on line 20

Sorry, your credentials are not valid, Please try again.

Im not getting why error is coming coz when i run the line 20 query in my database it runs fine.

user2696258
  • 1,121
  • 2
  • 14
  • 25
  • The mysql_ functions are deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. Says so in the docs: http://www.php.net/manual/en/function.mysql-query.php – developerwjk Mar 21 '14 at 23:10
  • Does the pass match also? You dont have that in query. – mathius1 Mar 21 '14 at 23:16
  • ok but when I remove the "where" contidion from that query it always gives the data of first row and works fine, so it means the problem now is with code not the functions I guess. And mysqli_query() also gives same error. – user2696258 Mar 21 '14 at 23:17
  • @mathius Im checking afterwards in if. I want the data of that user later ill check the password – user2696258 Mar 21 '14 at 23:20
  • @Rottingham: What do mean by error checking how to do it , by having print statments?? – user2696258 Mar 21 '14 at 23:25
  • This is for learning purposes only, *I hope* <= **?** – Funk Forty Niner Mar 21 '14 at 23:33

5 Answers5

1

I believe your $name variable needs to be enclosed in single quotes.

"SELECT user_name, pass FROM waiterAccount where user_name='$name'"
Funk Forty Niner
  • 74,372
  • 15
  • 66
  • 132
Peter Nosko
  • 955
  • 1
  • 8
  • 10
0

Are you sure you dont need single quotes for the user_name field? What about the password? Maybe that is not a match

$result = mysql_query("SELECT user_name, pass FROM waiterAccount where user_name='$name'"); //LINE 20

Also you should sanitize your query

$query = "SELECT user_name, pass FROM waiterAccount where user_name='%s' and pass='%s'";
$query= sprintf($query,
    mysql_real_escape_string($name),
    mysql_real_escape_string($pass),
)
$result = mysql_query($query); //LINE 20
mathius1
  • 1,371
  • 11
  • 16
0
For SELECT, SHOW, DESCRIBE, EXPLAIN and other statements returning resultset, mysql_query() returns a resource on success, or FALSE on error.

So your mysql_query is returning a boolean. That's because your SQL failed. Try adding 

 or die(mysql_error());

So it becomes:

$result = mysql_query("SELECT user_name, pass FROM waiterAccount where user_name=$name") or die(mysql_error());

Then you should get the error from the database query.

Ronnie Jespersen
  • 950
  • 1
  • 9
  • 22
0

I see a few problems here.

  • You are using mysql_ methods which are completely deprecated
  • You are not using any form of error checking, which leaves you prone to frustrating problems.
  • You are not putting single quotes around your query NAME = 'VALUE' fields.
  • You are embedding (injecting) (Search: SQL Injection) values directly into the query, which you can clean up manually, but when switching to mysqli_ and PDO methodology, you'll use parameter binding which will help this problem.

Every Mysql_ documentation page displays a big red box. Globally known as a warning. http://us2.php.net/manual/en/function.mysql-connect.php

Error Checking

This is so important!

$result = mysql_query('SELECT * FROM `someTable');
if (!$result) {
    die(mysql_error());
}

// If you made it this far, the query did not have errors
$row = mysql_fetch_array($result);

You will spin helplessly without some form of error checking. The above query string has an semi-obvious error in it, which you will catch if you use error checking.

You need to single-quote your field values

In other words, when you use a field name = value reference, single quote the value.

SELECT * FROM `someTable` WHERE `id` = '$id'

You shouldn't directly inject values like this if they are coming from a post/get user input/form scenario.

Rottingham
  • 2,523
  • 1
  • 11
  • 14
0

One important thing here about security:

NEVER read password from the database !

..just check if there are results for user AND pass

So insted of:

SELECT user_name, pass FROM waiterAccount WHERE user_name=$name

do one of these:

SELECT COUNT(*) FROM waiterAccount WHERE user_name='foo' AND pass='bar'
SELECT TRUE FROM waiterAccount WHERE user_name='foo' AND pass='bar'
SELECT 'I LIKE THIS MAN' FROM waiterAccount WHERE user_name='foo' AND pass='bar'
SELECT user_role FROM waiterAccount WHERE user_name='foo' AND pass='bar'
pawel7318
  • 3,123
  • 1
  • 25
  • 42
  • *"do one of these"* --- Not without quotes around `WHERE` clause variables. *Plus*, quotes around `'I LIKE THIS MAN'`? – Funk Forty Niner Mar 21 '14 at 23:41
  • This is not php code here - those are only the queries which you should prepare the way someone else adviced here already – pawel7318 Mar 21 '14 at 23:42
  • but you're right - let's avoid confuses. I just remove all variables from it – pawel7318 Mar 21 '14 at 23:45
  • You need to set a proper example and give a better explanation when giving answers; the more the better ;-) – Funk Forty Niner Mar 21 '14 at 23:45
  • When doing a `SELECT` from particular columns and/or tables, either not putting quotes or using backticks is required, not quotes. – Funk Forty Niner Mar 21 '14 at 23:46
  • Do **none** of these. That's arguably worse than reading the password from the database - get an SQL injection in the `username = 'foo'` part and you can bypass password checking entirely. Just use salted hashes of the password rather than the password itself - retrieve them and evaluate them in the application. – CD001 Mar 22 '14 at 00:17
  • One more time - those queries are **NOT** php code. A few other guys already adviced to take care of propper input escaping and filtering. It's different on mysqli_ and PDO so I don't repeat this topic here. I added one thing which was missing as everybody else made `SELECT pass` on their examples which is bad. The way you encrypt your password is another subject and should be done outside php as well. The only pleace where passwords should be is database and should never be sent outside. – pawel7318 Mar 22 '14 at 00:31