PHP Question. Help me out here, folks.

cass_is_awesome · March 12th, 2008, 3:46 PM

Working on the back side of my site.

Writing the login script for my CMS, and I'm running into a problem.

This is the first time that I've worked with PHP on a server that doesn't have REGISTER_GLOBALS turned on, so I'm almost certain it's something to do with the way I'm doing things. I'm sure it's a stupid mistake; one that I'll no doubt slap myself in the forehead for once someone offers a solution.

Here's the code in question:

Code:

            $userName = $_POST['userName'];
            $userPass = $_POST['userPass'];
            DBConnect("contraba_users");
            $sqlCheckUser = mysql_query("SELECT `userID` FROM `users` WHERE `userName` = '$userName' LIMIT 1") or die (mysql_error());
            $sqlCheckPass = mysql_query("SELECT `userID` FROM `users` WHERE `userPass` = '$userPass' LIMIT 1") or die(mysql_error());
            if(mysql_num_rows($sqlCheckUser == "0") || mysql_num_rows($sqlCheckPass == "0")){
                header("Location: ./?stype=error&amp;error=1");
            }

And here's the body of the page:

Quote:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/contraba/public_html/admin.php on line 53

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/contraba/public_html/admin.php on line 53

Any insight would be very welcome.

**Roxy** · March 12th, 2008, 3:51 PM

Quote:

For those who got a error with the num rows, I suggest you add the error dispaly for the sql error message.

if(!$result){die(mysql_error();}

Stick that below the query, it will give a specific message about what is wrong with the query. There isn't a problem with the num_rows function usually, but with the actual query itself.

Found this while googling.....

or

Quote:

$ret = mysql_query($query) or die(mysql_error());

cass_is_awesome · March 12th, 2008, 4:25 PM

Roxy: Thanks for the advice.

I fixed it.

I don't know what was wrong, but as opposed to running a query to check both the password and user name in the DB separately, I just had one query line check both of them in one, like so:

Code:

            $userName = $_POST['userName'];
            $userPass = $_POST['userPass'];
            DBConnect("contraba_users");
            $sqlCheckUser = mysql_query("SELECT userName,userPass FROM `users` WHERE `userName` = '$userName' AND `userPass` = '" . md5($userPass) . "' LIMIT 1");

I hate this stuff sometimes.

**Mark** · March 12th, 2008, 4:28 PM

PHP Code:


			
if (mysql_num_rows($sqlCheckUser == "0") || mysql_num_rows($sqlCheckPass == "0")

That part is wrong, you are doing a test inside a function argument. Replace that with the following:

PHP Code:


			
mysql_num_rows($sqlCheckUser) == 0

Roxy is right also, you should have

PHP Code:


			
or die(mysql_error())

after each mysql_query statement also. However if it is a production system, you should really just do die('sorry, mysql error') or something like that so you don't spit sql statements to the client

cass_is_awesome · March 12th, 2008, 4:36 PM

Quote:

Originally Posted by Mark

PHP Code:


			
if (mysql_num_rows($sqlCheckUser == "0") || mysql_num_rows($sqlCheckPass == "0")

Yeah.

I did away with that, like I said above, by just doing a user name and password check inside of the query itself.

It's the first time I've done that, and it saved me a whole lot of work.

The PHP only sets a login cookie if the conditions in the query are met (the username and password must match). Otherwise, it displays an incorrect information error.

**Mark** · March 12th, 2008, 4:44 PM

Glad you got it working. Don't forget to sanitize any variables you are putting into an SQL string:

PHP Code:


			
$userName = mysql_real_escape_string($_POST['userName']);

password doesn't need it since you are md5ing it.

**Roxy** · March 12th, 2008, 4:48 PM

Mark you are a PHP GURU!

**Mark** · March 12th, 2008, 4:59 PM

Quote:

Originally Posted by Roxy

Mark you are a PHP GURU!

That is true. I also don't like restoring databases

cass_is_awesome · March 12th, 2008, 5:00 PM

Quote:

Originally Posted by Mark

Glad you got it working. Don't forget to sanitize any variables you are putting into an SQL string:

PHP Code:


			
$userName = mysql_real_escape_string($_POST['userName']);

password doesn't need it since you are md5ing it.

And that just saved me a lot of coding, as I sanitized the Vars with my own convoluted and "dirty coded" functions.

And that is why I am growing to love this place already.

March 12th, 2008, 4:25 PM	#3 (permalink)
cass_is_awesome Cass Doesn't Sleep Seasoned Poster Joined in Mar 2008 Lives in Michigan Hosted on SH138 78 posts Gave thanks: 5 Thanked 6 times	Roxy: Thanks for the advice. I fixed it. I don't know what was wrong, but as opposed to running a query to check both the password and user name in the DB separately, I just had one query line check both of them in one, like so: Code: $userName = $_POST['userName']; $userPass = $_POST['userPass']; DBConnect("contraba_users"); $sqlCheckUser = mysql_query("SELECT userName,userPass FROM `users` WHERE `userName` = '$userName' AND `userPass` = '" . md5($userPass) . "' LIMIT 1"); I hate this stuff sometimes. __________________ rockin' contrabandheart.net on SH138 Last edited by cass_is_awesome; March 12th, 2008 at 4:26 PM.

March 12th, 2008, 4:28 PM	#4 (permalink)
Mark Surpass Developer On a golden path... Joined in Jan 2004 Lives in Florida Hosted on decc.surpasshosting.com 396 posts Gave thanks: 10 Thanked 68 times	PHP Code: `if (mysql_num_rows($sqlCheckUser == "0") \|\| mysql_num_rows($sqlCheckPass == "0")` That part is wrong, you are doing a test inside a function argument. Replace that with the following: PHP Code: `mysql_num_rows($sqlCheckUser) == 0` Roxy is right also, you should have PHP Code: `or die(mysql_error())` after each mysql_query statement also. However if it is a production system, you should really just do die('sorry, mysql error') or something like that so you don't spit sql statements to the client __________________ Mark Surpass Hosting Developer sɹnoʎ uɐɥʇ ɹǝʇʇǝq sı bıs ʎɯ

March 12th, 2008, 4:44 PM	#6 (permalink)
Mark Surpass Developer On a golden path... Joined in Jan 2004 Lives in Florida Hosted on decc.surpasshosting.com 396 posts Gave thanks: 10 Thanked 68 times	Glad you got it working. Don't forget to sanitize any variables you are putting into an SQL string: PHP Code: `$userName = mysql_real_escape_string($_POST['userName']);` password doesn't need it since you are md5ing it. __________________ Mark Surpass Hosting Developer sɹnoʎ uɐɥʇ ɹǝʇʇǝq sı bıs ʎɯ

March 12th, 2008, 4:48 PM	#7 (permalink)
Roxy URB4N 5K1LLZ Super #1 Joined in Sep 2005 Lives in Orlando, FL Hosted on SH63 2,648 posts Gave thanks: 81 Thanked 127 times	Mark you are a PHP GURU! __________________ Roxanne Surpass Staff Urban Roxy -Personal Blog SH63 - the best darn shared server!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Rate This Thread
Rate This Thread:

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)