Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource

Question

mownam 0 Newbie Poster

13 Years Ago

<?php include "db/config.php";?>
<?php
function loginCheck($username,$password) 
{
$sql=mysql_query("select UserId, UserName, Password from user_login where UserName= '$_POST[username]' and Password= '$_POST[password]'");
$name=$sql['UserName'];
//echo"hi".$name;
//select * from user_login where UserName='mownam' and Password='welcome'

                $result =mysql_query($sql);
                //$uname=$_REQUEST["username"];
                if(mysql_num_rows($result) > 0)
                {

                echo "<center>successfully logged<br />".$uname;
                }
                else
                 {
                ?><div align="center" style="background-color: #FFFFCC"style="font:"Courier New" , Courier, monospace" style="font:message-box " style="font-size:10px" 
                id="loginerror"><strong>Invalid Username password</strong></div>
                <?php }


}
function insertValues($username,$password) {
 $sql=mysql_query("INSERT INTO user_login (UserId, UserName,Password, add_rights, update_rights,view_rights,delete_rights) VALUES ('','$_POST[username]','$_POST[password]','','','','')");
 echo "ok";
}

function updateValues($username,$password) {
 $sql=mysql_query("update person set  dob='$c', password='$b' where username='$username'");
}

function deleteValues($username) {

 $sql=mysql_query("delete from person where  username='$a'");
}

?>

mysql php

Edited 11 Years Ago by Nick Evan because: Fixed formatting

6 Contributors
6 Replies
229 Views
12 Hours Discussion Span
Latest Post 13 Years Ago Latest Post by stoopkid

sv3tli0 0 Junior Poster in Training

13 Years Ago

$sql=mysql_query("Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'");

This is correct written..
How ever are you sure there are POSTs ? if its function perhaps there should be $username an $password (values from the function vars) not POSTs ..

pzuurveen 90 Posting Whiz in Training

13 Years Ago

use

$query="Select UserId, UserName, Password FROM user_login Where UserName= '".$_POST['username']."' and Password= '".$_POST['password']."'";
echo $query;
$sql=mysql_query($query) or die(mysql_error());

at least you get some more info

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

mownam 0 Newbie Poster · Answer 1 · 2011-09-05T19:43:36+00:00

help me to find out error in above coding..thanks

ko ko 97 Practically a Master Poster · Answer 2 · 2011-09-05T20:25:35+00:00

$result =mysql_query($sql);, is not valid. Due to your post, $sql is mysql resource, not a string (mysql command). Perhaps, it should be:

$sql = "SELECT `UserId`, `UserName`, `Password` FROM `user_login` WHERE `UserName` = '" . $_POST['username'] . "' AND Password= '" . $_POST['password'] . "'";
$result = mysql_query($sql);

Note:
- Use UPPERCASE for mysql syntax such (SELECT, INSERT, DELETE, UPDATE)
- Use CODE tag to wrap the codes you want to post.

diafol · Answer 3 · 2011-09-05T21:46:07+00:00

EEK. Don't ever, ever use unclean $_POST variables in your SQL. Always clean them with something like mysql_real_escape_string().

This is a good explanation as to why: http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

It's a good idea to echo your sql, copy and paste it to phpmyadmin or your favourite MySQL GUI and see what it gives you.

stoopkid 6 Junior Poster in Training · Answer 4 · 2011-09-06T02:23:29+00:00

ardav is right; you really must be careful when accepting user generated $_POST/$_GET/$_REQUEST variables.

This looks like a portion of a login script, so I hope my code helps. This script also converts the password to an md5 string (more secure and good practice). The password row is set to varchar in the mysql database.

Instead of pulling all the db rows on the user, it counts to make sure the user exists ($rowCheck > 0) and then proceeds (valid login).

'login.php'

<?php 
include('config.php'); //holds db information and begins with session_start();

 if(isset($_POST['username'])) {
 	$username = mysql_real_escape_string($_POST['username']);
 }
 
 if(isset($_POST['password'])) {
 	$password = mysql_real_escape_string($_POST['password']);
 }
 
 $password = md5($password);
 
$sql = "SELECT COUNT(*) FROM `users` WHERE username = '$username' AND password = '$password'";

$result=mysql_query($sql);

//check that at least one row was returned

$rowCheck = mysql_result($result, 0);

if($rowCheck > 0) {

	$_SESSION['username'] = $username;

header ("Location: index.php");

  //we will redirect the user to another page where we will make sure they're logged in

  } else {
  //if nothing is returned by the query, unsuccessful login code goes here...

  echo 'Incorrect login name or password. Please try again.<br>';

  echo "$username - $password";

  } 

?>