
I'm a beginner in PHP and MySQL.

I'm trying to create a basic site with users. Right now I'm creating the log in page, and I'm using the following two lines, where the mysqli_fetch_array() is just to see if there are any with user as $_POST['user'] and pass as $_POST['pass']:

$query = mysqli_query($con,"SELECT * FROM persons WHERE user='" . $_POST['user'] . "' AND pass=ENCODE('" . $_POST['pass'] . "',passcode)");
while(mysqli_fetch_array($query)) // line 65
    // ..

When there is the error

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in D:\xampp1.8.3\htdocs\hkmschat\default.php on line 65

Why is this statement boolean? I've used mysqli_fetch_array() and very similar queries many times for other verifications in the same script, but none of them have returned something like this.

I know there are a lot of these out there, but I haven't found one yet that has answered this question yet. If you could please redirect me to a good answer or answer this question, that would be appreciated.

Thanks.

Jonathan Lam
  • `mysqli_error()` would tell you why. – Amal Murali Sep 08 '13 at 13:48
  • [RTFM](http://php.net/manual/de/mysqli.query.php) – hek2mgl Sep 08 '13 at 13:48
  • **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to learn how to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Sep 08 '13 at 13:48
  • Type [php.net/mysqli](http://php.net/php.net/mysqli) in your browser, click on "Executing statements" and see any of the examples. – Álvaro González Sep 08 '13 at 13:53

2 Answers

Your query is failing and returning a false value.

Put this after your mysqli_query() to see what's going on.

if (!$query) {
    printf("Error: %s\n", mysqli_error($con));
    exit();
}

For more information:

http://www.php.net/manual/en/mysqli.error.php

Please always try to print the query before executing.

Nishant

You should go about it like this:

while($res = mysqli_fetch_array($query)){
   echo $res['user'];
   //Etc...
}

The code will return boolean if you don't set it to a variable.

The variable $res[] is an array with all the fields of the found row/s.

Furthermore, your code is susceptible to SQL injections and therefore DANGEROUS; see this article: SQL Injections

Community
Mr.Web
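
Added example, not part of the original thread: the login lookup from the question rewritten with a prepared statement, so the submitted values never enter the SQL text and every call that can return false is checked before its result is used. The `persons` table and its `user`, `pass` and `passcode` columns come from the question; the function name `find_login`, the connection parameters and the user-facing messages are assumptions.

```php
<?php
// Added example. Assumed: the persons table (user, pass, passcode columns)
// from the question; host, credentials and database name are placeholders.
mysqli_report(MYSQLI_REPORT_OFF); // failures come back as false, checked below

function find_login(mysqli $con, string $user, string $pass): ?string
{
    // Same query shape as the question, with ? placeholders so the
    // submitted values are never spliced into the SQL text.
    $sql = "SELECT user FROM persons WHERE user = ? AND pass = ENCODE(?, passcode)";
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false) {   // same kind of failure mysqli_query() reports as false
        throw new RuntimeException('prepare: ' . mysqli_error($con));
    }
    try {
        if (!mysqli_stmt_bind_param($stmt, 'ss', $user, $pass)
            || !mysqli_stmt_execute($stmt)
            || !mysqli_stmt_bind_result($stmt, $found)) {
            throw new RuntimeException('execute: ' . mysqli_stmt_error($stmt));
        }
        $row = mysqli_stmt_fetch($stmt); // true: row, null: no row, false: error
        if ($row === false) {
            throw new RuntimeException('fetch: ' . mysqli_stmt_error($stmt));
        }
        return $row ? $found : null;
    } finally {
        mysqli_stmt_close($stmt);
    }
}

$con = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
if ($con === false) {
    error_log('connect: ' . mysqli_connect_error());
    exit('Login is unavailable right now.');
}
$user = $_POST['user'] ?? '';
$pass = $_POST['pass'] ?? '';
if (!is_string($user) || !is_string($pass)) {
    exit('Bad request.');
}
try {
    $match = find_login($con, $user, $pass);
    echo $match === null ? 'Wrong user name or password.' : 'Logged in.';
} catch (RuntimeException $e) {
    error_log($e->getMessage()); // details go to the log, not the page
    exit('Login is unavailable right now.');
}
```

The database error text is written to the server log rather than echoed, since raw MySQL messages shown to visitors reveal table and column names.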