Explore our sites

Stack Exchange
tour help careers 2.0
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 3 down vote favorite

I'm fairly new to PHP/MySQL and I seem to be having a newbie issue. The following code keeps throwing me errors no matter what I change, and I have a feeling it's got to be somewhere in the syntax that I'm messing up with. It all worked at home 'localhost' but now that I'm trying to host it online it seems to be much more temperamental with spaces and whatnot. It's a simple login system, problem code is as follows:

<?php
session_start();
require 'connect.php';
echo "Test";

//Hash passwords using MD5 hash (32bit string).
$username=($_POST['username']);
$password=MD5($_POST['password']);

//Get required information from admin_logins table
$sql=mysql_query("SELECT * FROM admin_logins WHERE Username='$username' ");
$row=mysql_fetch_array($sql);

//Check that entered username is valid by checking returned UserID
if($row['UserID'] === NULL){
header("Location: ../adminlogin.php?errCode=UserFail");
}
//Where username is correct, check corresponding password
else if ($row['UserID'] != NULL && $row['Password'] != $password){
header("Location: ../adminlogin.php?errCode=PassFail");
}
else{
$_SESSION['isAdmin'] = true;
header("Location: ../admincontrols.php");
}

mysql_close($con);

?>

The test is just in there, so I know why the page is throwing an error, which is: Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in 'THISPAGE' on line 12

It seems to dislike my SQL query.

Any help is much appreciated.

EDIT:

connect.php page is:

<?php
$con = mysql_connect("localhost","username","password");
if(!$con) {
die('Could not connect: ' . mysql_error());
}
mysql_select_db("dbname", $con);
?>

and yes it is mysql_*, LOL, I'll get to fix that too.

share|improve this question
2  
Please stop writing new code with the ancient mysql_* functions. They are no longer maintained and community has begun the deprecation process. Instead you should learn about prepared statements and use either PDO or MySQLi. If you care to learn, here is a quite good PDO-related tutorial. –  DCoder Sep 9 '12 at 10:05
1  
You don't actually seem to make the connection anywhere to the database in your code. Is it somewhere else? –  Fluffeh Sep 9 '12 at 10:07
 
I think it's done in require 'connect.php'; –  Ilia Rostovtsev Sep 9 '12 at 10:18
 
correct, successfully connects to DB, just accessing information seems to be my issue –  Sean Missingham Sep 9 '12 at 10:27
 
What is in connect.php particularly? (Just replace your username and password to database ;) ) –  Ilia Rostovtsev Sep 9 '12 at 10:31
show 7 more comments

2 Answers

up vote 3 down vote

You should escape column name username using backtick, try

SELECT * 
FROM admin_logins 
WHERE `Username` = '$username'

You're code is prone to SQL Injection. Use PDO or MYSQLI

Example of using PDO extension:

<?php
$stmt = $dbh->prepare("SELECT * FROM admin_logins  WHERE `Username` = ?");
$stmt->bindParam(1, $username);
if ($stmt->execute(array($_GET['name']))) {
  while ($row = $stmt->fetch()) {
    print_r($row);
  }
}
?>
share|improve this answer
 
Seems i have a lot of studying to do before i understand this lol –  Sean Missingham Sep 9 '12 at 10:28
add comment
up vote 2 down vote

Sean, you have to use dots around your variable, like this:

$sql = mysql_query("SELECT * FROM admin_logins WHERE Username = '". mysql_real_escape_string($username)."' ");

If you use your code just like this then it's vulnerable for SQL Injection. I would strongly recommend using mysql_real_escape_string as you insert data into your database to prevent SQL injections, as a quick solution or better use PDO or MySQLi.

Besides if you use mysql_* to connect to your database, then I'd recommend reading the PHP manual chapter on the mysql_* functions, where they point out, that this extension is not recommended for writing new code. Instead, they say, you should use either the MySQLi or PDO_MySQL extension.

EDITED:

I also checked your mysql_connect and found a weird regularity which is - if you use " on mysql_connect arguments, then it fails to connect and in my case, when I was testing it for you, it happened just described way, so, please try this instead:

$con = mysql_connect('localhost','username','password');

Try to replace " to ' as it's shown in the PHP Manual examples and it will work, I think!

If it still doesn't work just print $row, with print_r($row); right after $sql=mysql_query() and see what you have on $row array or variable.

share|improve this answer
1  
Variables within double quotes should work fine within a string as the OP has. I do agree with the rest of the answer though moving on to PDO or MYSQLI –  Fluffeh Sep 9 '12 at 10:08
 
dots dont seem to help unfortunately, but Ill just go and read up on PDO anyway, I didnt realise there was an alternative. Thanks :) –  Sean Missingham Sep 9 '12 at 10:19
 
You are very welcome! This is the right call to use PDO. Please tell me what else doesn't work? –  Ilia Rostovtsev Sep 9 '12 at 10:21
 
tried concatenation, changing up all the double quotes to singles and all that fun stuff, tried removing all spaces, just no luck, ill have to rack through all the pages and see if its somewhere else :/ –  Sean Missingham Sep 9 '12 at 10:27
 
are you sure you don't call session_start() twice? –  Ilia Rostovtsev Sep 9 '12 at 10:29
show 1 more comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.