0
<form action = "index.php" method = "post">
username : <input type = "text" name = "uname" /><br>
password : <input type = "text" name = "pass" /><br>
submit : <input type = "submit" name = "submit" value = "submit" />
</form>

<?php
if(isset($_SESSION['id'])){echo $_SESSION['id'];}
if(isset($_POST['submit'])){
if ($_POST['submit'] == 'submit'){

$uname = $_POST['uname'];
$pass = $_POST['pass'];
$db = "davidedwardcakes";
$connect = mysql_connect('localhost', 'root', 'wtfiwwu');
$db_connect = mysql_selectdb($db, $connect);
if(!$db_connect){echo 'no';}

$query = "SELECT * FROM `users` WHERE uname ='$uname' AND pass = '$pass'";
$result = mysql_query($query, $connect);
if(mysql_num_rows($result) > 0){//echo 'index failed'; var_dump($result);}
while($row = mysql_fetch_array($result)){echo $row['uname']
 . "<br>";

session_start();
echo '<a href = "test.php">peruse</a>';
$_SESSION['id'] = $row['id'];}}

else{echo 'lol'; var_dump($query);}}

Whenever I want to log in, I get the error: string 'SELECT * FROM users WHERE uname ='brown' AND pass = 'kenji'' (length=61)

meaning that there's a problem with my $query. If I remove the $pass query from $query it works fine but doesn't when it is included. Can anybody help, please?

Álvaro González
brown.cn
  • Huh? Why does that mean there's a problem with your query? That's your `var_dump` code. – BenM May 14 '14 at 10:51
  • 1
    That's not an error. That's your `var_dump($query);` code. – Álvaro González May 14 '14 at 10:51
  • 3
    1. Don't store passwords as plain text. 2. Don't use `mysql_*` functions; they're deprecated. 3. Your code is wide open to SQL injection... – BenM May 14 '14 at 10:51
  • If you really had a SQL syntax error (as the question title states) the query would not even run. – Álvaro González May 14 '14 at 10:52
  • remove `var_dump($query)` from your code. – shyammakwana.me May 14 '14 at 10:52
  • **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 14 '14 at 10:55
  • @BenM how do I store passwords then – brown.cn May 14 '14 at 10:56
  • Do you have a column called `pass`? Or maybe it's `upass`? – echo_Me May 14 '14 at 11:01
  • @echo, I do, and I stored it with varchar – brown.cn May 14 '14 at 11:04
  • Try this and see what error is `$result = mysql_query($query)or die(mysql_error());` instead of yours – echo_Me May 14 '14 at 11:06
  • My connection is working perfectly because when I just send the query for uname alone, it works fine, but if I add the pass that's when it doesn't work out. I did the var_dump to check the issue and that's it. The problem is the double quotes at kenji in the var_dump. My question is how do I get mysql not to include this in the string – brown.cn May 14 '14 at 11:08

4 Answers

1

change it

mysql_selectdb($db, $connect);

as

mysql_select_db($db, $connect);
wild
1

There's nothing wrong with your query, but there is something wrong with your error reporting. For example, the following line:

if(mysql_num_rows($result) > 0){//echo 'index failed'; var_dump($result);}

Will dump the $result variable when the SQL query returns at least 1 row. Perhaps you meant to use:

if(mysql_num_rows($result) < 1) { echo 'index failed'; var_dump($result); }

Also, some notes of caution:

  1. Don't store passwords as plain text. http://alias.io/2010/01/store-passwords-safely-with-php-and-mysql/
  2. Don't use mysql_* functions; they're deprecated. Look at PDO or MySQLi.
  3. Your code is wide open to SQL injection.
BenM
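The three cautions in the answer above, applied to the question's login check, as an added example that is not part of the original answer: a PDO prepared statement replaces the interpolated `mysql_*` query, and `password_hash()` / `password_verify()` replace the plain-text comparison. The in-memory SQLite database, the `register()` and `login()` helper names and the sample account are assumptions made so the script runs on its own.

```php
<?php
// Added example. Assumption: SQLite in memory stands in for the MySQL
// database so the script runs stand-alone; for MySQL only the DSN and the
// credentials passed to new PDO(...) change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same column names as the question. The pass column now holds a hash, so
// on MySQL it must be wide enough for it (the PHP manual suggests 255 chars).
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pass TEXT)');

// Hypothetical helper: store a salted hash, never the password itself.
function register(PDO $pdo, string $uname, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (uname, pass) VALUES (:uname, :pass)');
    $stmt->execute([
        ':uname' => $uname,
        ':pass'  => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Hypothetical helper: returns the user's id on success, null otherwise.
// The user name is bound as a parameter, so it is never parsed as SQL.
function login(PDO $pdo, string $uname, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, pass FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked in PHP against the stored hash, not compared
    // inside the WHERE clause as in the question's query.
    if ($row === false || !password_verify($password, $row['pass'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample account, using the values from the question's var_dump.
register($pdo, 'brown', 'kenji');

var_dump(login($pdo, 'brown', 'kenji'));       // correct credentials
var_dump(login($pdo, 'brown', 'wrong'));       // wrong password
var_dump(login($pdo, "x' OR '1'='1", 'any'));  // quotes stay data, not SQL
```

In the page's flow, a non-null result is where `$_SESSION['id']` would be set, with `session_start()` called before any output is sent.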
0

There is an error in the syntax

$result = mysql_select($query, $connect);

Instead of the above code replace with this code

$result = mysql_select_db($query, $connect);
sathishkumar
0

If there is some error in your syntax, try to use

mysql_num_rows($result) or die('Could not Show result: ' . mysql_error());
Alok Jha