1

I'm creating a login PHP script that connects to a MySQL db with a table called users containing a list of users. I am running into what looks like either an empty set or a MySQL error.

I have included a connection error echo and a query die echo and the script is echoing the latter error that gives me the query string. I run this exact query in phpMyAdmin and get the result I expect (it returns the user).

Why is it dying?

`$cxn` was defined on the login page that posts to this page.

    $pass = addslashes($_POST['password']);
    $email = addslashes($_POST['username']);
    $pw = md5($_POST['password']);

    $query = "SELECT * FROM `users` WHERE (`user_email`='$email' AND `user_pass`='$pw')" ;

    if (mysqli_connect_errno()){
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    $result = mysqli_query($cxn,$query) or die(mysqli_error($cxn)."Query= ".$query);

I've left the first version up. Here is the current incarnation, which has the same result.

    <?php

    $email = ($_POST['username']);
    $pw = md5($_POST['password']);

    $query = "SELECT * FROM `users` WHERE (`user_email`='$email' AND `user_pass`='$pw')" ;

    if (mysqli_connect_errno($cxn)){          //remove later
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }                                  //to here

    $result = mysqli_query($cxn,$query) or die(mysqli_error($cxn)."Query=".$query);

    echo '<hr>';
    echo $result;
    while($row = mysql_fetch_array($result)){
        echo $row['user_email'];
        echo '<hr>';
        echo $row['user_pass'];
        echo '<hr>';
        echo $row['user_fname'];
        echo '<hr>';
    }
    ?>
Thatoneguy7
  • 2
    For one thing, this `$pw = md5($_POST['password']);` is a "no-no". – Funk Forty Niner Nov 04 '13 at 17:03
  • 4
    What is the exact error message that you're getting back from the database? – andrewsi Nov 04 '13 at 17:04
  • Echo $query, and note that there is a mysqli_ function for escaping form data. – Strawberry Nov 04 '13 at 17:04
  • 2
    These kinds of queries BEG to be bound statements. It's just all kinds of bad from a security perspective. – PlantTheIdea Nov 04 '13 at 17:05
  • I'm guessing the issue may lie with your use of addslashes(). If you didn't use that during the initial insert when adding the users you can't look them up that way because the values in the db won't match. Also, you should never addslashes() to a password. If you don't want certain characters in your password then run it through a regex and alert the user that the characters are invalid. After all, once it's hashed it can't do any damage. – rws907 Nov 04 '13 at 17:06
  • fred: could you be more specific about that? They are stored in the db in md5. Where would I convert it? – Thatoneguy7 Nov 04 '13 at 17:06
  • I think the point is that md5 is not really secure (can be cracked). Just look into general password storage and you should find a lot of info. – Mattt Nov 04 '13 at 17:10
  • Let's first off get this guy some help on his query and then help him with the folly of his ways :) No need to confuse him out of the gate. – rws907 Nov 04 '13 at 17:13
  • [This could shed some light on the subject](http://stackoverflow.com/a/9454966/1415724) – `$subject = "md5";` @user2786343 – Funk Forty Niner Nov 04 '13 at 17:14
  • @user2786343 What's the relation between `$pass` and `$pw`? I can see that you're using `$_POST['password']` for both, but how are they working with each other? It's confusing. – Funk Forty Niner Nov 04 '13 at 17:23
  • Good catch Fred -ii- I didn't even see that. The OP has two calls to $_POST['password']; – rws907 Nov 04 '13 at 17:27
  • @rsmith84 It "could" be it, however it could be the way the OP is using those. – Funk Forty Niner Nov 04 '13 at 17:28
  • $pass is the unencrypted password I was using earlier for debugging and will be removed – Thatoneguy7 Nov 04 '13 at 17:42
  • I'm not getting an error from the database with this script. What I am getting is the query echo'd because of the "or die(mysqli_error($cxn)."Query= ".$query);" part of the mysql_query call. – Thatoneguy7 Nov 04 '13 at 17:51
  • I used var_dump on result and got NULL – Thatoneguy7 Nov 04 '13 at 19:08
  • And if you copy and paste the query that is echo'd to the screen and run that in phpMyAdmin it works 100%? – rws907 Nov 05 '13 at 17:14
  • Yes. The only problem I ran into is phpMyAdmin requiring single quotes instead of double quotes for the variables, or vice versa, I can't remember at this point. I tried passing a bad database name, and that died as expected, which I believe tells me my connection is good. I have also tried expanding my query to SELECT * FROM users with the same result. $result is NULL. mysqli_error and errno are blank. – Thatoneguy7 Nov 05 '13 at 18:37
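
The comments above recommend bound statements and call `md5()` for passwords a "no-no". As an added example (not code from the question or its answers), here is the same login lookup written with a mysqli prepared statement, `password_verify()`, and exception-based error reporting so a failed call cannot pass silently as `NULL`. It assumes `user_pass` stores `password_hash()` output rather than the MD5 values the asker has; the host, credentials and database name are placeholders.

```php
<?php
// Added example, not the asker's code. Assumes users.user_pass holds
// password_hash() output; host, credentials and schema are placeholders.

// Make mysqli throw on any failure instead of returning false/NULL silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return the user's row (without the hash) on success, or null on bad login.
 */
function find_user(mysqli $cxn, string $email, string $password): ?array
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = $cxn->prepare(
        'SELECT user_email, user_fname, user_pass FROM users WHERE user_email = ?'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($dbEmail, $fname, $hash);
    $found = $stmt->fetch();   // true = a row was fetched, null = no row
    $stmt->close();

    // Verify against the stored salted hash in PHP, not with md5() in the query.
    if ($found !== true || !password_verify($password, $hash)) {
        return null;
    }
    return ['user_email' => $dbEmail, 'user_fname' => $fname];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $cxn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
        $cxn->set_charset('utf8mb4');
        $user = find_user($cxn, trim($_POST['username'] ?? ''), $_POST['password'] ?? '');
        echo $user === null
            ? 'Invalid email or password.'
            : 'Welcome, ' . htmlspecialchars($user['user_fname'], ENT_QUOTES, 'UTF-8');
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());   // details go to the log, not the browser
        http_response_code(500);
        echo 'Login is temporarily unavailable.';
    }
}
```

Existing MD5 rows cannot be verified by `password_verify()`; those accounts need their passwords re-hashed with `password_hash()` at the next successful login or reset.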

2 Answers

0

Because you're not passing the $cxn variable while checking the connection:

Change this:

    if (mysqli_connect_errno()){

to:

    if (mysqli_connect_errno($cxn)){
Joke_Sense10
0

I just noticed this but you have the following:

    $email = ($_POST['username']);

And this should be simply:

    $email = $_POST['username'];

Also, try writing your query like this:

    $query = "SELECT * FROM `users` WHERE `user_email` = '".$email."' AND `user_pass` = '".$pw."'";
rws907
  • I actually tried `$query = "SELECT * FROM ``users`";` to see if I could get ANYTHING. but no. `var_dump($result)` and `var_dump(mysql_fetch_array($result)` are both NULL. – Thatoneguy7 Nov 06 '13 at 03:30
  • Also, the comment system is messing up my ticks, but I did use them as you did. – Thatoneguy7 Nov 06 '13 at 03:33
  • Did you remove the ( and ) from your $email = ($_POST['username']); statement? You can't enclose that $_POST call if you're not doing anything to it. I do recommend, however, using trim($_POST['username']); because it will remove whitespace from the beginning and end. Helpful in case someone accidentally hits space before or after their name. – rws907 Nov 06 '13 at 16:38
  • There's no reason to double backtick. That's why I re-wrote your query the way I did to help avoid issues with quoting. – rws907 Nov 06 '13 at 16:39
  • I did remove the parens and I didn't double backtick. See my second comment. – Thatoneguy7 Nov 06 '13 at 23:08
  • Add error_reporting(E_ALL); to your script and see if any additional error information is dumped on screen. – rws907 Nov 07 '13 at 06:08
  • Any news on your problem? – rws907 Nov 08 '13 at 18:05
  • I have abandoned the script and moved to Joomla. Thank you all for your effort. – Thatoneguy7 Nov 26 '13 at 02:04