Re: [PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote:
> David Hutto schreef:
> >
> > --- On Fri, 2/19/10, David Hutto wrote:
> >
> > From: David Hutto
> > Subject: Login Script: mysql_num_rows(): supplied argument is not a valid
> > MySQL result resource
> > To: php-general@lists.php.net
> > Date: Friday, February 19, 2010, 3:30 AM
> >
> > The following script is supposed to validate a username and password in a
> > mysql db. When entering the username and password of a preregistered user,
> > I get the following errors:
> >
> > Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
> > resource in /var/www/login.php on line 24
> >
> >
> >
> > Warning: Cannot modify header information - headers already sent by
> > (output started at /var/www/login.php:24) in /var/www/login.php on line 26
> >
> > On line 24 is:
> >
> if(!mysql_num_rows($login)) //if the username and pass are wrong
> >
> > --The supplied argument is $login, which is previously defined as:
> >
> $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user'
> AND `pass` = '$pass`");
> >
> > --which is further defined above it as these values:
> >
> > $user = $_POST['user']; //pulls the username from the form
> > $pw = $_POST['pass']; //pulls the pass from the form
> > $pass = md5($pw); //makes our password an md
> >
> > So why is the sum of those previous definitions an invalid argument for the
> > mysql_query() to test for whether the username and md5 password values are
> > true/equivalent to each other?
> >
> > Because basically !mysql_num_rows($login) is just if'ing the lack of a
> > user/pass match, else it continues to set cookie and session variables.
> >
> > If I'm looking at this wrong let me know.
> >
> > Thanks for any help you may be able to provide, below is the
> > full login.php page.
> >
> > David
> >
> >
> > This is the full login.php script, I'm pretty sure no other portions are
> > needed to show at this point for the current problem:
> >
> > > $act = $_GET['act']; //retrives the page action
> > if(empty($act)) //if there is no action
> > {
> > echo(' > id="loginform">
> > Username
> >
> >
> > Password
> >
> >
> >
> >
> >
> > ');
> > }
> > elseif($act == "auth") //if our page action = auth
> > {
> > $user = $_POST['user']; //pulls the username from the form
> > $pw = $_POST['pass']; //pulls the pass from
> > the form
> > $pass = md5($pw); //makes our password an md5
> > include("connect.php"); //connects to our mysql database
> > $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND
> > `pass` = '$pass`"); //selects info from our table if the row has the same
> > user and pass that our form does
> > if(!mysql_num_rows($login)) //if the username and pass are wrong
> > {
> > header("Location: login.php"); //redirects to our login page
> > die(); //stops the page from going any further
> > }
> > else
> > {
> > setcookie("user", $user, time()+3600);//sets our user cookie
> > setcookie("pass", $pass, time()+3600);//sets our pass
> > cookie
> > header("Location: memprar.php");//instead of yourpage.php
> > it would be your protected page
> > }
> > }
> > ?>
> >
> >
> >
> >
> >
> >
> >
> >
> >
>
> The query should be:
> SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'
>
> Remember: ` for tables and columns, ' for strings.
> Also, look up SQL Injection, as your script contains a huge vulnerability.
> This can be fixed using mysql_real_escape_string, so it is this:
> ELECT * FROM `userinfo` WHERE `user` =
> '".mysql_real_escape_string($user)."' AND `pass` =
> '".mysql_real_escape_string($pass)."'
>
> --
> Kind regards,
> Mark Cilissen / Pixlism
>
I did cover all of those points and give the same sanitisation
suggestion in the email I sent to this question earlier!
Thanks,
Ash
http://www.ashleysheridan.co.uk
[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
David Hutto schreef:
--- On Fri, 2/19/10, David Hutto wrote:
From: David Hutto
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL
result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM
The following script is supposed to validate a username and password in a mysql
db. When entering the username and password of a preregistered user, I get the
following errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/login.php on line 24
Warning: Cannot modify header information - headers already sent by (output
started at /var/www/login.php:24) in /var/www/login.php on line 26
On line 24 is:
if(!mysql_num_rows($login)) //if the username and pass are wrong
--The supplied argument is $login, which is previously defined as:
$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` =
'$pass`");
--which is further defined above it as these values:
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
So why is the sum of those previous definitions an invalid argument for the
mysql_query() to test for whether the username and md5 password values are
true/equivalent to each other?
Because basically !mysql_num_rows($login) is just if'ing the lack of a
user/pass match, else it continues to set cookie and session variables.
If I'm looking at this wrong let me know.
Thanks for any help you may be able to provide, below is the
full login.php page.
David
This is the full login.php script, I'm pretty sure no other portions are needed
to show at this point for the current problem:
Username
Password
');
}
elseif($act == "auth") //if our page action = auth
{
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from
the form
$pass = md5($pw); //makes our password an md5
include("connect.php"); //connects to our mysql database
$login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` =
'$pass`"); //selects info from our table if the row has the same user and pass that
our form does
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
header("Location: login.php"); //redirects to our login page
die(); //stops the page from going any further
}
else
{
setcookie("user", $user, time()+3600);//sets our user cookie
setcookie("pass", $pass, time()+3600);//sets our pass
cookie
header("Location: memprar.php");//instead of yourpage.php it
would be your protected page
}
}
?>
The query should be:
SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'
Remember: ` for tables and columns, ' for strings.
Also, look up SQL Injection, as your script contains a huge vulnerability.
This can be fixed using mysql_real_escape_string, so it is this:
ELECT * FROM `userinfo` WHERE `user` =
'".mysql_real_escape_string($user)."' AND `pass` =
'".mysql_real_escape_string($pass)."'
--
Kind regards,
Mark Cilissen / Pixlism
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
--- On Fri, 2/19/10, David Hutto wrote:
From: David Hutto
Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL
result resource
To: php-general@lists.php.net
Date: Friday, February 19, 2010, 3:30 AM
The following script is supposed to validate a username and password in a mysql
db. When entering the username and password of a preregistered user, I get the
following errors:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
resource in /var/www/login.php on line 24
Warning: Cannot modify header information - headers already sent by (output
started at /var/www/login.php:24) in /var/www/login.php on line 26
On line 24 is:
>>>if(!mysql_num_rows($login)) //if the username and pass are wrong
--The supplied argument is $login, which is previously defined as:
>>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
>>>`pass` = '$pass`");
--which is further defined above it as these values:
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from the form
$pass = md5($pw); //makes our password an md
So why is the sum of those previous definitions an invalid argument for the
mysql_query() to test for whether the username and md5 password values are
true/equivalent to each other?
Because basically !mysql_num_rows($login) is just if'ing the lack of a
user/pass match, else it continues to set cookie and session variables.
If I'm looking at this wrong let me know.
Thanks for any help you may be able to provide, below is the
full login.php page.
David
This is the full login.php script, I'm pretty sure no other portions are needed
to show at this point for the current problem:
Username
Password
');
}
elseif($act == "auth") //if our page action = auth
{
$user = $_POST['user']; //pulls the username from the form
$pw = $_POST['pass']; //pulls the pass from
the form
$pass = md5($pw); //makes our password an md5
include("connect.php"); //connects to our mysql database
$login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND
`pass` = '$pass`"); //selects info from our table if the row has the same user
and pass that our form does
if(!mysql_num_rows($login)) //if the username and pass are wrong
{
header("Location: login.php"); //redirects to our login page
die(); //stops the page from going any further
}
else
{
setcookie("user", $user, time()+3600);//sets our user cookie
setcookie("pass", $pass, time()+3600);//sets our pass
cookie
header("Location: memprar.php");//instead of yourpage.php it
would be your protected page
}
}
?>
