Re: Re: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource

On Fri, 2010-02-19 at 18:30 +0100, Mark Cilissen wrote:

> David Hutto wrote:
> > 
> > --- On Fri, 2/19/10, David Hutto <dwightdhutto@xxxxxxxxx> wrote:
> > 
> > From: David Hutto <dwightdhutto@xxxxxxxxx>
> > Subject: Login Script: mysql_num_rows(): supplied argument is not a valid MySQL result resource
> > To: php-general@xxxxxxxxxxxxx
> > Date: Friday, February 19, 2010, 3:30 AM
> > 
> > The following script is supposed to validate a username and password in a mysql db.  When entering the username and password of a preregistered user, I get the following errors:
> > 
> > Warning:  mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/login.php on line 24
> > 
> > 
> > 
> > Warning:  Cannot modify header information - headers already sent by (output started at /var/www/login.php:24) in /var/www/login.php on line 26
> > 
> > On line 24 is:
> > 
> >>>> if(!mysql_num_rows($login)) //if the username and pass are wrong
> > 
> > --The supplied argument is $login, which is previously defined as:
> > 
> >>>> $login = mysql_query("SELECT * FROM 'userinfo' WHERE `user` = '$user' AND `pass` = '$pass`");
> > 
> > --which is further defined above it as these values:
> > 
> >   $user = $_POST['user']; //pulls the username from the form
> >   $pw = $_POST['pass']; //pulls the pass from the form
> >   $pass = md5($pw); //makes our password an md
> > 
> > So why is the sum of those previous definitions an invalid argument for the mysql_query() to test for whether the username and md5 password values are true/equivalent to each other?
> > 
> > Because basically !mysql_num_rows($login) is just if'ing the lack of a user/pass match, else it continues to set cookie and session variables.
> > 
> > If I'm looking at this wrong let me know.
> > 
> > Thanks for any help you may be able to provide, below is the full login.php page.
> > 
> > David
> > ********************************************************
> > 
> > This is the full login.php script, I'm pretty sure no other portions are needed to show at this point for the current problem:
> > 
> > <?php
> > $act = $_GET['act']; //retrieves the page action
> > if(empty($act)) //if there is no action
> > {
> >   echo('<form action="login.php?act=auth" method="post" name="loginform" id="loginform">
> >   <p>Username
> >   <input type="text" name="user">
> >   </p>
> >   <p>Password
> >   <input type="password" name="pass">
> >   </p>
> >   <p>
> >   <input type="submit" name="Submit" value="Login">
> >   </p>
> >   </form>');
> > }
> > elseif($act == "auth") //if our page action = auth
> > {
> >   $user = $_POST['user']; //pulls the username from the form
> >   $pw = $_POST['pass']; //pulls the pass from the form
> >   $pass = md5($pw); //makes our password an md5
> >   include("connect.php"); //connects to our mysql database
> >   $login = mysql_query("SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass`"); //selects info from our table if the row has the same user and pass that our form does
> >   if(!mysql_num_rows($login)) //if the username and pass are wrong
> >   {
> >         header("Location: login.php");  //redirects to our login page
> >         die(); //stops the page from going any further
> >   }
> >   else
> >   {
> >         setcookie("user", $user, time()+3600);//sets our user cookie
> >                 setcookie("pass", $pass, time()+3600);//sets our pass cookie
> >                 header("Location: memprar.php");//instead of yourpage.php it would be your protected page
> >   } 
> > }
> > ?>
> > 
> 
> The query should be:
> SELECT * FROM `userinfo` WHERE `user` = '$user' AND `pass` = '$pass'
> 
> Remember: ` for tables and columns, ' for strings.
> Also, look up SQL Injection, as your script contains a huge vulnerability.
> This can be fixed using mysql_real_escape_string, so it is this:
> SELECT * FROM `userinfo` WHERE `user` = '".mysql_real_escape_string($user)."' AND `pass` = '".mysql_real_escape_string($pass)."'
> 
> -- 
> Kind regards,
> Mark Cilissen / Pixlism
> 


I did cover all of those points and give the same sanitisation
suggestion in the email I sent to this question earlier!

Thanks,
Ash
http://www.ashleysheridan.co.uk
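
An added example, not part of the thread or any poster's code: the same login check with a failed query handled explicitly and the user name bound as a parameter, which goes one step beyond the mysql_real_escape_string() fix suggested above. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory database, the sample account and the check_login() helper are constructed for illustration, and password_hash()/password_verify() stand in for the script's md5().

```php
<?php
// Added example: not code from the thread. Table and column names follow the
// posted script; the in-memory SQLite database and sample user are constructed.
$db = new PDO('sqlite::memory:');
// A malformed query now throws instead of silently returning false.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Constructed sample account; password_hash() replaces the thread's md5().
$ins = $db->prepare('INSERT INTO userinfo (user, pass) VALUES (:user, :pass)');
$ins->execute([':user' => 'alice', ':pass' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only when the user exists and the password matches.
 * The user name is bound as a parameter, so it is never parsed as SQL.
 */
function check_login(PDO $db, string $user, string $password): bool
{
    try {
        $stmt = $db->prepare('SELECT pass FROM userinfo WHERE user = :user');
        $stmt->execute([':user' => $user]);
        $hash = $stmt->fetchColumn();   // false when no row matched
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // log, do not echo, SQL errors
        return false;                   // fail closed on any query error
    }
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs, including the quote characters that broke the posted query.
$cases = [
    ['alice', 'correct horse'],   // valid login
    ['alice', 'wrong'],           // wrong password
    ["O'Brien", 'anything'],      // legitimate name containing a quote
    ["' OR '1'='1", 'anything'],  // tautology string, treated as a literal user name
    ['alice`', 'correct horse'],  // stray backtick, as in the original typo
];
foreach ($cases as [$user, $password]) {
    $result = check_login($db, $user, $password) ? 'accepted' : 'rejected';
    printf("%-18s %s\n", var_export($user, true), $result);
}
```

Because the query text is fixed and only the bound value varies, a stray quote or backtick in the input can neither break the statement nor change its meaning.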


