This error appeared in my index.php, where the system checks the admin login and password:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /storage/ssd3/088/16507088/public_html/gotogro/index.php on line 13

Line 13:

    if (mysqli_num_rows($results) == 1) {

Piece of code:

    <?php
    session_start();
    require('db.php');
    $username="";
    $errors = array();

    if (isset($_POST['login_user'])) {
      $username = mysqli_real_escape_string($conn, $_POST['username']);
      $pwd = mysqli_real_escape_string($conn, $_POST['pwd']);
      if (count($errors) == 0) {
        $query = "SELECT * FROM login WHERE uname='$username' AND pwd='$pwd'";
        $results = mysqli_query($conn, $query);
        if (mysqli_num_rows($results) == 1) {
          $_SESSION['uname'] = $username;
          header("location:home.php?info=home");
        }else {
          array_push($errors, "<div class='alert alert-warning'><b>Wrong username/password combination</b></div>");
        }
      }
    }

    ?>

This error only appeared when I moved the website to web000host. It worked OK on localhost.

Lika

  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 14 '22 at 20:23
  • Please start using prepared statements. It's inexcusable to be using `mysqli_real_escape_string` in 2022 – Dharman May 14 '22 at 20:24
  • That is my school project. I just need to fix that error. Any suggestions? – Lika May 14 '22 at 20:30
  • Yes, use prepared statements and enable error reporting. If this doesn't fix the issue, update the question with the new code. Even for a school project, you really should not be learning to store passwords in cleartext. That's just a bad thing to learn. – Dharman May 14 '22 at 20:32
  • It looks like you are using some really bad tutorial. I highly encourage you to find something better. If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection. Here are some good video tutorials https://youtu.be/2eebptXfEvw & https://www.youtube.com/watch?v=sVbEyFZKgqk&list=PLr3d3QYzkw2xabQRUpcZ_IBk9W50M9pe- – Dharman May 14 '22 at 20:32
  • Thanks for the reference. How can I replace mine with prepared statements? – Lika May 14 '22 at 20:35
  • Replace `'$username'` and `'$pwd'` with placeholders `?` and then bind the variables separately using `bind_param`. Here's an example [How to use mysqli prepared statements?](https://stackoverflow.com/a/60020281/1839439) – Dharman May 14 '22 at 20:37
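
The changes suggested in the comments above, put together as an added example (not code from the question or from any commenter): mysqli error reporting enabled, a prepared statement with `bind_param`, and `password_verify()` in place of the SQL password comparison. It assumes `db.php` creates `$conn` as in the question and that `login.pwd` holds a `password_hash()` value, which is not how the question's table stores it; `check_login` is a hypothetical helper name.

```php
<?php
// Added example, not the asker's code. Assumptions: db.php defines $conn
// (a mysqli connection) and login.pwd stores a password_hash() value.

// Make mysqli throw exceptions, so a failed connection or query reports its
// real cause instead of returning false and failing later in mysqli_num_rows().
// Called before db.php so that the connection itself is covered too.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
require 'db.php';

/**
 * Hypothetical helper: true when $username exists and $password matches
 * the hash stored for it.
 */
function check_login(mysqli $conn, string $username, string $password): bool
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $conn->prepare('SELECT pwd FROM login WHERE uname = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();   // true: a row was read, null: no such user
    $stmt->close();

    // The password is compared in PHP against the hash, never sent in SQL.
    return $found === true && is_string($hash) && password_verify($password, $hash);
}

$errors = [];
if (isset($_POST['login_user'])) {
    $username = (string) ($_POST['username'] ?? '');
    $password = (string) ($_POST['pwd'] ?? '');

    if (check_login($conn, $username, $password)) {
        session_regenerate_id(true);   // issue a fresh session ID after login
        $_SESSION['uname'] = $username;
        header('Location: home.php?info=home');
        exit;                          // stop before any page output
    }
    $errors[] = "<div class='alert alert-warning'><b>Wrong username/password combination</b></div>";
}
```

With reporting enabled, the condition behind the original warning (`mysqli_query()` returning `false`) surfaces as a `mysqli_sql_exception` whose message names the actual database error.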

0 Answers