0

I have the following code, which is supposed to get a row with the identifier (name):

 <?php
        include "constants.php";
        $namee=$_POST['name'];
        $passw=$_POST['password'];
        echo $namee."<br>";
        echo $passw."<br>";
        $databaseconnection=mysqli_connect("",dbuser,userpassword,"db");
        $res=mysqli_query($databaseconnection,"SELECT Identifier,Password FROM accounts WHERE Identifier=$namee");
        while($row=mysqli_fetch_array($res))
        {
            print_r($row);
        }

    ?>

The error I get is "Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in C:\Xampp\htdocs\tests\loginlogic.php on line 15" which means there is no such record. I suppose "SELECT Identifier,Password FROM accounts WHERE Identifier=$namee" is wrong. In what way?

Alexiy
  • 1,838
  • 15
  • 18
  • 1
    Add `if ($res === false) { echo mysqli_error($databaseconnection); exit; }` so you can see what the error is. – Halcyon Apr 28 '14 at 16:28
  • 1
    **Pro Tip** - when trying to debug SQL queries, echo the SQL so you can see what's actually being sent to the server. Eg. `$query = "SELECT Identifier, Password..."; echo $query;`. Once you can see your query, you'll probably see what's wrong with it right away. – Kryten Apr 28 '14 at 16:29
  • 4
    And add [the obligatory warning about SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)... – Kryten Apr 28 '14 at 16:30
  • Never store plaintext passwords. If someone cracks the server, they have all your users' passwords. Since many people reuse passwords, you've just compromised other sites. At a minimum, add a per-user [salt](http://www.ciphersbyritter.com/NEWS6/SALT.HTM) and use a cryptographically secure [hash](http://php.net/hash) to fix this; if you can set PHP 5.5 as a minimum requirement, use [`password_hash()`](http://php.net/password_hash). – outis Apr 28 '14 at 18:14
  • Duplicate of ["mysql\_fetch\_array() expects parameter 1 to be resource, boolean given" in select](http://stackoverflow.com/q/2973202/). Please search before posting a question to prevent duplicates. – outis Apr 28 '14 at 18:16

2 Answers

2

You need quotes around $namee

    WHERE Identifier = '$namee'

But you really need to escape your user input first or use a Prepared Statement, to prevent SQL injections.

juergen d
  • 195,137
  • 36
  • 275
  • 343
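
The prepared-statement approach mentioned in the answer above, combined with the error reporting and `password_hash()` advice from the comments, as an added example that is not code from the original posts. It assumes `constants.php` defines `dbuser` and `userpassword` as in the question, that MySQL is reachable on "localhost", and that `accounts.Password` holds `password_hash()` output; `findAccount` is a hypothetical helper name.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: constants.php defines dbuser and userpassword (as in the question),
// MySQL listens on "localhost", accounts.Password stores password_hash() output.
include "constants.php";

// Make mysqli throw exceptions instead of returning false, so a failed
// query can never reach a fetch call as a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns the matching row, or null if there is none.
function findAccount(mysqli $db, string $name): ?array
{
    // The ? placeholder keeps the value out of the SQL text: no quoting
    // problem and no SQL injection, whatever $name contains.
    $stmt = mysqli_prepare($db, "SELECT Identifier, Password FROM accounts WHERE Identifier = ?");
    mysqli_stmt_bind_param($stmt, "s", $name);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $identifier, $hash);
    $row = mysqli_stmt_fetch($stmt)
        ? ["Identifier" => $identifier, "Password" => $hash]
        : null;
    mysqli_stmt_close($stmt);
    return $row;
}

$name = isset($_POST['name']) ? (string)$_POST['name'] : '';
$pass = isset($_POST['password']) ? (string)$_POST['password'] : '';

try {
    $db = mysqli_connect("localhost", dbuser, userpassword, "db");
    $account = findAccount($db, $name);
    // password_verify() checks the submitted password against the stored hash;
    // the same message is returned for "no such user" and "wrong password".
    if ($account !== null && password_verify($pass, $account["Password"])) {
        echo "Welcome, " . htmlspecialchars($account["Identifier"], ENT_QUOTES, 'UTF-8');
    } else {
        echo "Invalid name or password";
    }
} catch (mysqli_sql_exception $e) {
    // Log the database error server-side; do not echo it to the client.
    error_log($e->getMessage());
    http_response_code(500);
    echo "Login is temporarily unavailable";
}
```

Unlike the question's code, this never echoes the submitted password back to the page, and it escapes the identifier before output.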
-1

What if you replace

    $databaseconnection=mysqli_connect("",dbuser,userpassword,"db");

with

    $databaseconnection=mysqli_connect("YOUR HOST NAME",dbuser,userpassword,"db");

MichaelGao
  • 44
  • 1
  • Sorry, try `$databaseconnection=mysqli_connect("YOUR HOST NAME",$dbuser,$userpassword,"db");` – MichaelGao Apr 28 '14 at 18:03
  • The error message indicates that the call to `mysqli_connect` succeeds. If it didn't, the call to `mysqli_query` would fail, and Alexiy would get a different error message. Also, you should edit updates into your post, rather than posting them as comments. SO uses a Q&A format. – outis Apr 28 '14 at 18:36
  • I was trying my best to help but I don't care what you said at all. @outis – MichaelGao Apr 28 '14 at 19:11