
Hey all, I'm currently trying to test a login verification PHP script for an app that I am making. My issue is that when I run mysql_query it returns false (I assume) and I can't seem to figure out why. I ran the same SQL statement on my phpMyAdmin account and it works just fine. Here is my code:

<php
ini_set('display_errors', 1);
error_reporting(E_ALL);

$link = mysql_connect("address", "username", "password") or die("Could not connect");


mysql_select_db(""logininfo,$link) or die("Could not select database");


$sql = "SELECT * FROM 'Users'  WHERE 'Email' = '$_POST[Email]' AND              'Password'='$_POST[Password]'";

$result = mysql_query($sql,$link);

if ($result == False){
echo" error here";
}
echo $result;

$numrows = mysql_result($result,0,0);


if ($numrows == 0) {
        echo 'Login failed';
}
echo "login success";

?>

Also note that when I run mysql_result() it returns an error message stating: "mysql() expects parameter 1 to be resource, boolean given." So I am 85% sure that the error lies in $result, but I do not know how to fix it. Thank you.

3 Answers


SQL injection attack and incorrect quoting in your queries:

$sql = "SELECT * FROM 'Users'  WHERE 'Email' = '$_POST[Email]' AND              
                      ^-----^--- should be `, not '

Fields should be quoted with backticks, never '. ' turns them into strings.

MySQL could have told you this:

if ($result === false) {
   die(mysql_error());
}
Marc B
  • Thank you for the reply I had no idea thank you – Mark Thompson Apr 24 '14 at 18:19
  • For that matter, you don't need to quote your field names except in rare cases. Better to just not quote the field or table names at all. – Andy Lester Apr 24 '14 at 18:20
  • Indeed. The only time you need to backtick-quote a field or table name is if the name is otherwise invalid (e.g. has spaces or other 'illegal' characters in it), or is an SQL reserved word. – Marc B Apr 24 '14 at 18:25

In MySQL

SELECT * FROM 'Users'

is an invalid statement.

It should be

SELECT * FROM `Users`

or

SELECT * FROM Users

Backticks are usually used to avoid the conflict while using any reserved keywords.

Abhik Chakraborty

There are a few problems with your code (I'm not firing shots, just pointing out the errors)

1) <php should be <?php at the beginning of the script.

2) mysql_select_db(""logininfo,$link) is incorrect, I think you mean mysql_select_db("logininfo",$link)

3) $sql = "SELECT * FROM 'Users' WHERE 'Email' = '$_POST[Email]' AND 'Password'='$_POST[Password]'"; has a couple of problems. 'Users', 'Email' and 'Password' should be enclosed in back-ticks or not quoted.

$sql = "SELECT * FROM Users  WHERE `Email` = '$_POST[Email]' AND              Password='$_POST[Password]'";

Email is enclosed in backticks and Users and Password are not, both ways are perfectly valid and acceptable. Backtick quoting the names isn't required, but it is when the column, database, or table name has invalid characters or is a reserved keyword.

4) As a side note, you should move to MySQLi or PDO with prepared statements, although with MySQLi you could essentially keep the same code, using mysqli_ instead of mysql_ minus the few functions that change. mysql_ is deprecated in recent versions of PHP (I think it starts with PHP 5.5), and by using prepared statements you'll protect yourself against SQL injection, which is very important.

BrotherBallan
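As an added example that is not part of the question or any of the answers, here is the login check from point 4 rewritten with PDO and a prepared statement, so the $_POST values are bound as parameters instead of being spliced into the SQL string. It assumes the database, table and column names from the question (logininfo, Users, Email, Password) and, going beyond the thread, that the Password column stores a password_hash() value rather than the plaintext the original code compares against.

```php
<?php
// Added example (not the asker's code): PDO + prepared statement version of
// the login check. Assumptions: database "logininfo", table Users with
// columns Email and Password, Password holding password_hash() output.
$dsn = 'mysql:host=address;dbname=logininfo;charset=utf8mb4';

try {
    $pdo = new PDO($dsn, 'username', 'password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
} catch (PDOException $e) {
    // Keep driver error detail in the server log; the client only sees a generic failure.
    error_log('DB connect failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Service unavailable');
}

// Table and column names cannot be bound as parameters; they are fixed here
// and, as the answers explain, quoted with backticks rather than single quotes.
$stmt = $pdo->prepare('SELECT `Password` FROM `Users` WHERE `Email` = :email LIMIT 1');
$stmt->execute([':email' => $_POST['Email'] ?? '']);
$row = $stmt->fetch(); // false when no row matched

// password_verify() does a constant-time comparison; a missing row fails the
// same way as a wrong password, so the response does not reveal which it was.
$ok = $row !== false && password_verify($_POST['Password'] ?? '', $row['Password']);

echo $ok ? 'login success' : 'Login failed';
```

Unlike the original script, which echoes "login success" even after "Login failed" because the if block never exits, this version prints exactly one outcome.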