      $result = mysql_query("SELECT * FROM superhidden WHERE username = '$username' AND password='$password'");
      $credentials = mysql_num_rows($result);
      echo $credentials;

This echoes 0!!! When $username = admin and $password = admin... and the superhidden table contains a row admin | admin

user2712167

1 Answer


First thing I'd check is for leading or trailing spaces in both the table columns and the $username/$password variables.

You can examine leading or trailing spaces in the DB with something like:

select    *
  from    superhidden
 where    username like ' %'
    or    username like '% '
    or    password like ' %'
    or    password like '% '

You can use var_dump for examining the variables.


And, of course, the near-obligatory remarks on almost all PHP/MySQL questions:

  • The mysql_* functions are deprecated, you should be using one of the newer APIs.
  • Use of user input without sanitisation is a bad idea. You should make sure both $username and $password cannot be used for SQL injection attacks. Search for parameterised queries or SQL injection for more detail.

It's also generally a bad idea to store passwords in plain text, as evidenced by the rather large number of data "thefts", the latest of which was Target in the USA with some 70 million customers affected. There's a good QA here which provides some guidance.

paxdiablo
  • More a comment than an answer? – Niels Keurentjes Jan 22 '14 at 01:41
  • @NielsKeurentjes, no, I'm positing that as an answer. If it turns out to be wrong, I'll delete it. Comments are meant for clarifications and tangential stuff, like arguing about deprecated features and SQL injection :-) – paxdiablo Jan 22 '14 at 01:43
  • +1'd. Last thing: as soon as you added the obligatory remarks section - a link to http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords or something similar might be helpful – zerkms Jan 22 '14 at 01:56
  • It turned out I used $username = "something else" up further on the page which made it read the wrong username from the table.. – user2712167 Jan 22 '14 at 02:09
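
The parameterised-query and password-hashing advice in the answer above, as an added example that is not part of the original question or answer. It uses PDO with an in-memory SQLite database so it runs offline; the `check_login` helper, the `password_hash` column and the sample rows are assumptions constructed for illustration.

```php
<?php
// Added example: constructed table and data, in-memory SQLite so it runs offline.
// Against MySQL only the PDO DSN and credentials passed to the constructor change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE superhidden (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Store a salted hash, never the plain-text password.
$insert = $pdo->prepare('INSERT INTO superhidden (username, password_hash) VALUES (?, ?)');
$insert->execute(['admin', password_hash('admin', PASSWORD_DEFAULT)]);

/**
 * check_login() is a hypothetical helper: it returns true only when the user
 * exists and the supplied password matches the stored hash.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // Placeholders keep user input out of the SQL text, so quotes in
    // $username cannot change the structure of the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM superhidden WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no row matched

    // The password is checked by password_verify(), not in the WHERE clause.
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs. var_dump prints each string with its length, which makes
// stray whitespace or an overwritten variable visible immediately.
$cases = [
    ['admin', 'admin'],           // valid credentials
    [' admin', 'admin'],          // leading space: no such user
    ["admin' OR '1'='1", 'x'],    // quotes are bound as data, so this is just an unknown name
    ['admin', 'wrong'],           // wrong password
];
foreach ($cases as [$u, $p]) {
    var_dump($u);
    echo check_login($pdo, $u, $p) ? "login ok\n" : "login rejected\n";
}
```

Only the first case prints `login ok`; the other three are rejected.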