-1

I am trying to select data from a MySQL table, but I get one of the following error messages:

mysql_fetch_array() expects parameter 1 to be resource, boolean given

This is my code:

    $username = addslashes( $_POST['user'] );
    $password = addslashes( $_POST['pass'] );

    $sqlQuery = "select * from users where username = '{$username}'";
    $resultObj = mysql_query( $sqlQuery );

    $row = mysql_fetch_array( $resultObj );

    if( $row['password'] == md5( $password ) )
    {
        session_start();
        $_SESSION['user_id'] = $row['user_id'];
        $_SESSION['name'] = $row['username'];
        header("Location:view_forum_list.php");
        exit();
    }
    else
    {
        $error = 1;
    }
Athul Noble
  • 23
  • 1
  • 9

5 Answers

0

Replace {$username} with $username. I mean, remove the curly braces from query line no. 3.

Dinesh Belkare
  • 619
  • 8
  • 21
0

That error normally means that the query has failed and so mysql_query() has returned false.

You really need to migrate your codebase over to using the mysqli_* extension or PDO. The mysql_* extension which you're using is deprecated in version 5.5 of PHP (the current version) and is being removed from version 7 of PHP (the next version). Yours or any other site that uses the mysql_* extension will break instantly if the server is migrated over to PHP version 7.

This article http://www.sitepoint.com/migrate-from-the-mysql-extension-to-pdo/ will take you through how to convert your codebase over to using PDO.

Once you've migrated over to either the mysqli_* extension or PDO, make sure to get into the habit of doing:

  1. Validating Data: Making sure that the data submitted by the user is what you're expecting, e.g., is any illegal character used (what characters you don't want to allow in a string), has a string been used instead of an integer, etc.
  2. Using Prepared Statements: Always use prepared statements when sending user submitted data to the database after having first validated the data that has been submitted.

Also, do you really need to grab all fields from the table? Only the required fields should be listed in the SELECT clause; grabbing all of them when you don't need to is a waste of bandwidth.

SpacePhoenix
  • 527
  • 1
  • 4
  • 15
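
As an added example (not code from the answer above or from the question), the two habits it lists could look like this with PDO. SQLite in memory stands in for MySQL so the script runs offline; `check_login()`, the username policy and the sample user are assumptions, and the `password` column is assumed to hold `password_hash()` output rather than the MD5 value used in the question.

```php
<?php
// Added example: SQLite in memory stands in for MySQL so this runs offline.
// With MySQL only the DSN changes, e.g. new PDO('mysql:host=...;dbname=...', $dbUser, $dbPass).
$pdo = new PDO('sqlite::memory:');
// Failed queries throw PDOException instead of returning false, so a failed
// query can never reach a fetch call as a boolean.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table and user (column names follow the question).
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(['athul', password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user row on success, null on any failure.
 */
function check_login(PDO $pdo, $username, $password)
{
    // 1. Validate: assumed policy of 3-32 letters, digits or underscores.
    if (!is_string($username) || !is_string($password)
        || !preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username)) {
        return null;
    }
    // 2. Prepared statement: the value is bound, never spliced into the SQL.
    //    Only the columns the login needs are selected.
    $stmt = $pdo->prepare('SELECT user_id, username, password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);                 // do not carry the hash around
    return $row;
}

// Constructed inputs: valid login, wrong password, unknown user,
// and a name containing a quote, which fails validation.
$attempts = [['athul', 'correct horse'], ['athul', 'wrong'], ['nobody', 'x'], ["o'brien", 'x']];
foreach ($attempts as [$u, $p]) {
    $user = check_login($pdo, $u, $p);
    printf("%-8s => %s\n", $u, $user ? "ok, user_id {$user['user_id']}" : 'rejected');
}
```

On success the caller would call `session_start()` and fill `$_SESSION` from the returned row, as the question's code does.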
-1

Replace the fourth line with:

$sqlQuery = "select * from users where username = '$username'";
Chuck
  • 4,422
  • 1
  • 25
  • 52
-1

Use

 $sqlQuery = "select * from users where username = '".$username."'";
test
  • 432
  • 5
  • 14
-1

Add this

# This will check your query and count the record on the database 
if( !$resultObj || mysql_num_rows($resultObj) == 0 ){
    $error = 1;
}

Here's the code:

<?php

    $username = addslashes( $_POST['user'] );
    $password = addslashes( $_POST['pass'] );

    $sqlQuery = "select * from users where username = '$username'";
    $resultObj = mysql_query( $sqlQuery );

    if( !$resultObj || mysql_num_rows($resultObj) == 0 ){
        $error = 1;
    }
    else{

        $row = mysql_fetch_array( $resultObj );

        if( $row['password'] == md5( $password ) ){
            session_start();
            $_SESSION['user_id'] = $row['user_id'];
            $_SESSION['name'] = $row['username'];
            header("Location:view_forum_list.php");
            exit();
        }
        else{
            $error = 1;
        }

    }

?>
ThatGuy
  • 73
  • 1
  • 6