Here goes my code... I get the error on line `if (mysql_num_rows($res)> 0){`

```php
$con= mysqli_connect("localhost","celento","password");
mysql_select_db("celento");
// Make sure we connected successfully
if(! $con)
{
    die('Connection Failed'.mysql_error());
}
$username= $_POST['username'];
$password= $_POST['password'];


 $sql=("SELECT * FROM login WHERE username="'.$username.'" AND password="'.$password.'" LIMIT 1") or die(mysql_error());;

 $res = mysql_query($sql);

 if (mysql_num_rows($res)> 0){
             echo "Success";}
              else
             {echo"Fail";
 }
?>
```

Please help me fix the error. Thanks in advance.

  • It means that $res is not a resource. Is it possible that your query failed? You have one too many semi-colons at the end of your $sql line. – Jay Blanchard May 21 '14 at 12:48
  • Don't use the `mysql_` functions; they are deprecated. Instead use `mysqli` or `PDO`. – Joren May 21 '14 at 12:49
  • ***"SELECT * FROM login WHERE username="'.$username.'"*** is wrong, see quotes. Should be ***"SELECT * FROM login WHERE username='".$username."'*** – ggdx May 21 '14 at 12:49
  • Please note that you're wide open to SQL injection. A username of `admin' --` would log you in as admin without knowing the password. Also, **do not store passwords in cleartext - ever**. – h2ooooooo May 21 '14 at 12:50
  • Change `"'.$username.'" AND password="'.$password.'"` to : `'".$username."' AND password='".$password."'` in your query. – Fluffeh May 21 '14 at 12:51

1 Answer

You messed up the single quotes. Also, there is no need of ( and ) when storing it as string. It should be

```php
$sql="SELECT * FROM login WHERE username='".$username."' AND password='".$password."' LIMIT 1";
```

Note: You're using a deprecated API. mysql_* functions are no longer supported post PHP v5.5. It would be best to switch to mysqli or PDO. Here is a good tutorial to get you started.

asprin
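The comments above point out that the concatenated query is open to SQL injection and that passwords should not be stored in cleartext. The following is an added example, not code from the question or the answer, showing the same login check with a PDO prepared statement and `password_hash`/`password_verify`. It assumes an in-memory SQLite database in place of the MySQL server so it runs offline, and a hypothetical `password_hash` column; the account is constructed sample data.

```php
<?php
// Added example. Assumptions: SQLite in memory stands in for MySQL,
// and the login table has a password_hash column (hypothetical name).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample account: only the hash is stored, never the password.
$insert = $pdo->prepare('INSERT INTO login (username, password_hash) VALUES (?, ?)');
$insert->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    // Hash used when the user does not exist, so both paths do the same work.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    // The username is bound as data; quotes in it cannot alter the statement.
    $stmt = $pdo->prepare('SELECT password_hash FROM login WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();          // false when no row matches

    $known = is_string($stored);
    $ok = password_verify($password, $known ? $stored : $dummyHash);
    return $known && $ok;
}

// Constructed attempts, including the input quoted in the comments above.
$attempts = [
    ['admin', 'correct horse'],
    ['admin', 'wrong'],
    ["admin' --", ''],
];
foreach ($attempts as [$user, $pass]) {
    printf("%-12s %s\n", $user, checkLogin($pdo, $user, $pass) ? 'Success' : 'Fail');
}
```

With MySQL, only the DSN passed to `new PDO(...)` changes; the prepared statement and the hash check stay the same.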