On Fri, 2010-02-19 at 00:30 -0800, David Hutto wrote:
> The following script is supposed to validate a username and password in a
> mysql db. When entering the username and password of a preregistered user, I
> get the following errors:
>
> Warning: mysql_num_rows(): supplied argument is not a valid MySQL result
> resource in /var/www/login.php on line 24
>
>
>
> Warning: Cannot modify header information - headers already sent by (output
> started at /var/www/login.php:24) in /var/www/login.php on line 26
>
> On line 24 is:
>
> >>>if(!mysql_num_rows($login)) //if the username and pass are wrong
>
> --The supplied argument is $login, which is previously defined as:
>
> >>>$login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND
> >>>`pass` = '$pass`");
>
> --which is further defined above it as these values:
>
> $user = $_POST['user']; //pulls the username from the form
> $pw = $_POST['pass']; //pulls the pass from the form
> $pass = md5($pw); //makes our password an md
>
> So why is the sum of those previous definitions an invalid argument for the
> mysql_query() to test for whether the username and md5 password values are
> true/equivalent to each other?
>
> Thanks for any help you may be able to provide, below is the full login.php
> page.
>
> David
> ********************************************************
>
> This is the full login.php script, I'm pretty sure no other portions are
> needed to show at this point for the current problem:
>
> <?php
> $act = $_GET['act']; //retrives the page action
> if(empty($act)) //if there is no action
> {
> echo('<form action="login.php?act=auth" method="post" name="loginform"
> id="loginform">
> <p>Username
> <input type="text" name="user">
> </p>
> <p>Password
> <input type="password" name="pass">
> </p>
> <p>
> <input type="submit" name="Submit" value="Login">
> </p>
> </form>');
> }
> elseif($act == "auth") //if our page action = auth
> {
> $user = $_POST['user']; //pulls the username from the form
> $pw = $_POST['pass']; //pulls the pass from the form
> $pass = md5($pw); //makes our password an md5
> include("connect.php"); //connects to our mysql database
> $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND
> `pass` = '$pass`"); //selects info from our table if the row has the same
> user and pass that our form does
> if(!mysql_num_rows($login)) //if the username and pass are wrong
> {
> header("Location: login.php"); //redirects to our login page
> die(); //stops the page from going any further
> }
> else
> {
> setcookie("user", $user, time()+3600);//sets our user cookie
> setcookie("pass", $pass, time()+3600);//sets our pass cookie
> header("Location: memprar.php");//instead of yourpage.php it
> would be your protected page
> }
> }
> ?>
>
>
>
>
First, please create a new email when sending to the list and don't just
reply to the last one, as those of us with email clients that group by
threads get confused when the subject line appears to change mid-thread!
On to your question, you've got an error with your query, so it will
never work:
"SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` =
'$pass`" // change that last back tick after $pass!
Lastly; protect your queries! That $user variable is open to injection.
Replacing it with something like $user =
mysql_real_escape_string($_POST['user']); Your $pass is protected (I
believe) because of what you're doing with the hash, but I'm not an
expert in these things, so it could be that this may not be enough.
Thanks,
Ash
http://www.ashleysheridan.co.uk
