mysql_num_rows returning false

Question

I am fairly new to PHP. I have been trying to work this issue out but with no luck. Hoping for some help from you guys!

So it's fairly simple. I have a form that is running a PHP script to check if the user exists in MySQL database. When users are created I am hashing the password with sha1 (something I am new to). The hashing works just fine. But when I then try to check user on the form, it keeps returning false.

The code checking if user exists (user_login.php)

<?php
//include db connect
  include ("db_con.php");

//set variable names
  $username = $_POST['username'];
  $password = $_POST['password'];

//start session
  session_start();

 $checklogin = mysqli_query($con, "SELECT * FROM users WHERE username = '".$username."' AND password= sha1('".$password."')"); 
  if(mysql_num_rows($checklogin) == 1) {  
   echo 'Success!';
 } else {
  echo 'No';
 }

?>

If needed here is the form (login_form.php)

<table border="1">
          <form action="functions/user_login.php" name="login" method="post">
            <tr>
              <td><input type="text" name="username" placeholder="Enter Username" required /></td>
            </tr>
            <tr>
              <td><input type="password" name="password" placeholder="Enter Password" required  /></td>
            </tr>
            <tr>
              <td><input type="submit" value="Login" /></td>
            </tr>
          </form>
        </table>

If I run echo sha1($password); it does properly echo the same hashed password that is stored in the database. However, when I run it with the mysql_num_rows code it keeps returning "No.' Hopefully the info given is enough for someone to see where my issue lies. If not please let me know what else I can include.

**Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. — Quentin, Mar 03 '14 at 20:04
You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. — Quentin, Mar 03 '14 at 20:04
[The HTML5 placeholder attribute is not a substitute for the label element](http://www.456bereastreet.com/archive/201204/the_html5_placeholder_attribute_is_not_a_substitute_for_the_label_element/) — Quentin, Mar 03 '14 at 20:04
Your HTML is invalid. Use a [validator](http://validator.w3.org) and use [CSS for layout](http://designshack.net/articles/10-css-form-examples/), not tables. — Quentin, Mar 03 '14 at 20:06
This line: if(mysql_num_rows($checklogin) == 1) { .....should be if(mysqli_num_rows($checklogin) == 1) { — Hackerman, Mar 03 '14 at 20:07
**By building SQL statements with outside variables, you are leaving yourself open to SQL injection attacks.** Also, any input data with single quotes in it, like a name of "O'Malley", will blow up your SQL query. Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has many examples in detail. You can also see http://bobby-tables.com/php for alternatives and explanation of the danger. — Andy Lester, Mar 03 '14 at 20:45

score 2 · Accepted Answer · answered Mar 03 '14 at 20:41

Just change this:

$checklogin = mysqli_query($con, "SELECT * FROM users WHERE username = '".$username."' AND password= sha1('".$password."')"); 
 if(mysql_num_rows($checklogin) == 1) {  //Wrong line
  echo 'Success!';
 } else {
 echo 'No';
 }

To this:

 $checklogin = mysqli_query($con, "SELECT * FROM users WHERE username = '".$username."' AND password= sha1('".$password."')"); 
 if(mysqli_num_rows($checklogin) == 1) {  //mysqli
  echo 'Success!';
 } else {
 echo 'No';
 }

score 1 · Answer 2 · answered Mar 03 '14 at 20:37

<?php
//include db connect
  include ("db_con.php");

//set variable names
  $username = htmlspecialchars($_POST['username']);
  $password = htmlspecialchars($_POST['password']);

//start session
  session_start();

 $checklogin = mysqli_query($con, "SELECT * FROM users WHERE username = '".$username."' AND password= sha1('".$password."')"); 
  if(mysqli_num_rows($checklogin) == 1) {  
   echo 'Success!';
 } else {
  echo 'No';
 }

?>

mysql_num_rows returning false

The code checking if user exists (user_login.php)

If needed here is the form (login_form.php)

2 Answers2