
Already looked at the other answers but couldn't fix it. On Monday I've got school exams and they want us to build a basic CMS (add, edit, delete pages, resized images). My programming knowledge is beginner-level and I don't know much about OOP (PDO), design patterns, best practices and that kind of thing.

When I checked my query in phpMyAdmin it looked fine. The connection is included in the header include.

<?php
    include('inc/header.php');
    if(isset($_POST["submit"])) {
        $username = trim($_POST["username"]);
        $password = trim($_POST["password"]);
        $password_secure = md5($password);

        if($username == "") {
            $error++;
            $_SESSION["loginerror"] = true;
            header("location: loginerror.php");
            exit;
        }

        if($password == "") {
            $error++;
            $_SESSION["loginerror"] = true;
            header("location: loginerror.php");
            exit;
        }

        if($username != "" && $password != "") {
            $sql = "SELECT * FROM user WHERE username = '".$username."' 
            AND password = '".$password_secure."'";
        }

        if(mysqli_num_rows($query == 1)) {
            $row = mysqli_fetch_array($query);
            $_SESSION['username'] = $row["username"];
            $_SESSION['firstname'] = $row["firstname"];
            $_SESSION['lastname'] = $row["lastname"];
            $_SESSION['login'] = true;
            header("location: user.php");
            exit;
        }

    } else {
        header("location: index.php");
        exit;
    }
?>

Is it also smart to check for the POST request with $_SERVER['REQUEST_METHOD'] == 'POST' instead of an isset(), and to escape the SQL with mysql_real_escape_string in the query?

Thanks

Dharman
kay
  • possible duplicate of [mysql\_fetch\_array() expects parameter 1 to be resource, boolean given in select](http://stackoverflow.com/questions/2973202/mysql-fetch-array-expects-parameter-1-to-be-resource-boolean-given-in-select) – John Conde Apr 12 '14 at 13:34
  • 1
    Regardless of what `$query` is, the parentheses in the `if` condition `mysqli_num_rows($query == 1)` are most definitely misplaced. – DCoder Apr 12 '14 at 13:35

1 Answer


You forgot to execute the query

// mysqli_query() needs the connection as its first argument;
// $conn is assumed to be the mysqli link opened in inc/header.php
$query = mysqli_query($conn, $sql);

$rowcount = mysqli_num_rows($query);

and then

if($rowcount == 1){
 // do your stuff
}
Abhik Chakraborty
  • Oh, stupid of me, I forgot to put the $query variable back in before submitting the answer. Sorry, haha. The error is gone but I'm still not redirected to user.php. Thanks for helping. – kay Apr 12 '14 at 13:46
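The login from the question, rewritten the way a security reviewer would want it. This is an added example, not code from the question or the answer. It first shows why the concatenated query is injectable, then replaces it with a prepared statement (which settles the mysql_real_escape_string question: with bound parameters there is nothing to escape), replaces the md5() comparison with password_hash()/password_verify() (md5 is unsalted and fast, so a leaked table is cracked quickly), checks $_SERVER['REQUEST_METHOD'] as the question asks instead of testing for a submit field, and regenerates the session ID after a successful login. It assumes inc/header.php starts the session and opens a mysqli link named $conn, and reuses the question's table and column names (user, username, firstname, lastname, password); all of those are assumptions, not facts from the thread.

```php
<?php
// Added example (not the question's or the answer's code). Assumes inc/header.php
// starts the session and opens a mysqli link in $conn, and that the `user` table has
// the columns the question uses (username, firstname, lastname, password), with
// `password` wide enough (VARCHAR(255)) for password_hash() output. Table, column and
// file names are carried over from the question and are assumptions here.

// The question's concatenated query, kept only to show the problem: whatever is typed
// into the username field becomes part of the SQL text. With the constructed input
// "admin' -- " the password comparison is commented out of the statement.
function buildUnsafeSql(string $username, string $passwordSecure): string
{
    return "SELECT * FROM user WHERE username = '" . $username . "'"
         . " AND password = '" . $passwordSecure . "'";
}

// Run from the command line (php login.php) this prints the injected statement and
// stops; under the web server the rest of the file handles the login form.
if (PHP_SAPI === 'cli') {
    echo buildUnsafeSql("admin' -- ", md5('anything')), PHP_EOL;
    // SELECT * FROM user WHERE username = 'admin' -- ' AND password = '...'
    exit;
}

require 'inc/header.php';   // assumed: session_start() and $conn = new mysqli(...)

// Hardened login: a prepared statement keeps the input out of the SQL text, so no
// escaping function is needed; password_verify() replaces the md5() comparison.
// get_result() needs the mysqlnd driver, which is the default in current PHP builds.
function attemptLogin(mysqli $conn, string $username, string $password): bool
{
    $stmt = $conn->prepare(
        'SELECT username, firstname, lastname, password FROM user WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against a freshly computed hash when the user does not exist, so a
    // missing account costs about the same time as a wrong password.
    $storedHash = $row ? $row['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $storedHash)) {
        return false;
    }

    session_regenerate_id(true);   // fresh session ID after login (against session fixation)
    $_SESSION['username']  = $row['username'];
    $_SESSION['firstname'] = $row['firstname'];
    $_SESSION['lastname']  = $row['lastname'];
    $_SESSION['login']     = true;
    return true;
}

// Registration side, so the stored column matches what attemptLogin() verifies.
function createUser(mysqli $conn, string $username, string $first, string $last, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);   // bcrypt with a per-user salt
    $stmt = $conn->prepare(
        'INSERT INTO user (username, firstname, lastname, password) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $username, $first, $last, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request handling from the question, checking the method rather than a submit field.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit;
}
$username = trim($_POST['username'] ?? '');
$password = $_POST['password'] ?? '';    // not trimmed: spaces are part of the secret

if ($username === '' || $password === '' || !attemptLogin($conn, $username, $password)) {
    $_SESSION['loginerror'] = true;
    header('Location: loginerror.php');
    exit;
}
header('Location: user.php');
exit;
```

Two points on the question's last paragraph: mysql_real_escape_string belongs to the old mysql extension and does not work with a mysqli link (the mysqli equivalent is mysqli_real_escape_string), but with bound parameters as above the input never reaches the SQL parser, so neither is needed. Checking $_SERVER['REQUEST_METHOD'] is the more reliable test, because isset($_POST['submit']) fails when the form is submitted with the Enter key in a browser that omits the submit button's value.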