--- On Fri, 2/19/10, Ashley Sheridan <a...@ashleysheridan.co.uk> wrote:

From: Ashley Sheridan <a...@ashleysheridan.co.uk>
Subject: Re: [PHP] Login Script: mysql_num_rows(): supplied argument is not a 
valid MySQL result resource
To: "David Hutto" <dwightdhu...@yahoo.com>
Cc: php-general@lists.php.net
Date: Friday, February 19, 2010, 5:34 AM

On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:

The following script is supposed to validate a username and password in a mysql 
db.  When entering the username and password of a preregistered user, I get the 
following errors:

Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/login.php on line 24

Warning:  Cannot modify header information - headers already sent by (output 
started at /var/www/login.php:24) in /var/www/login.php on line 26

On line 24 is:

>>>if(!mysql_num_rows($login)) //if the username and pass are wrong

--The supplied argument is $login, which is previously defined as:

>>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND 
>>>`pass` = '$pass`");

--which is further defined above it as these values:

  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md

So why is the sum of those previous definitions an invalid argument for the 
mysql_query() to test for whether the username and md5 password values are 
true/equivalent to each other?

Thanks for any help you may be able to provide, below is the full login.php 


This is the full login.php script, I'm pretty sure no other portions are needed 
to show at this point for the current problem:

$act = $_GET['act']; //retrives the page action
if(empty($act)) //if there is no action
  echo('<form action="login.php?act=auth" method="post" name="loginform" 
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" name="Submit" value="Login">
elseif($act == "auth") //if our page action = auth
  $user = $_POST['user']; //pulls the username from the form
  $pw = $_POST['pass']; //pulls the pass from the form
  $pass = md5($pw); //makes our password an md5
  include("connect.php"); //connects to our mysql database
  $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND 
`pass` = '$pass`"); //selects info from our table if the row has the same user 
and pass that our form does
  if(!mysql_num_rows($login)) //if the username and pass are wrong
        header("Location: login.php");  //redirects to our login page
        die(); //stops the page from going any further
        setcookie("user", $user, time()+3600);//sets our user cookie
                setcookie("pass", $pass, time()+3600);//sets our pass cookie
                header("Location: memprar.php");//instead of yourpage.php it 
would be your protected page


First, please create a new email when sending to the list and don't just reply 
to the last one, as those of us with email clients that group by threads get 
confused when the subject line appears to change mid-thread!

On to your question, you've got an error with your query, so it will never work:

"SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"    // 
change that last back tick after $pass!

Lastly; protect your queries! That $user variable is open to injection. 
Replacing it with something like $user = 
mysql_real_escape_string($_POST['user']); Your $pass is protected (I believe) 
because of what you're doing with the hash, but I'm not an expert in these 
things, so it could be that this may not be enough.




Apologies for hijacking the thread, I hit reply all in a randomly picked email 
and deleted the info/subject line, guess that doesn't work.

Thanks for the advice, it's almost working right, all things considered.




Reply via email to