-3

Working on a login for admins on my webpage. I am following a tutorial that is kind of old, and I am trying to update it for MYSQLI. On his video, everything works perfect.. For me however..

if(isset($_POST['submit'])) {

    $username = $_POST['username'];
    $password = md5($_POST['password']);
    if(empty($username) or empty($password)) {

        echo "<p class='warn'>Oops!</p>";

    } else { 

        $checklogin = mysqli_query(" SELECT id FROM admins WHERE username='$username' AND password='password' ");

        if(mysqli_num_rows($checklogin) == 1){

            echo "You can log in.";

        } else {

            echo "Oops";

        }
    }
}

and

Warning: mysqli_query() expects at least 2 parameters, 1 given in /opt/lampp/htdocs/WEBSITES/Site1/admin/login.php on line 29

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /opt/lampp/htdocs/WEBSITES/Site1/admin/login.php on line 31
Arpad Gabor
  • 15,184
  • 4
  • 16
  • 21
  • 2
    I would recommed to use [PDO](http://php.net/manual/en/book.pdo.php). IMO it's safier and easier to use than MySQLi. – Elias Kosunen Oct 18 '14 at 20:18
  • Are you sure that the error isn't caused by the missing $ in your mysqli_query? The $ is missing in the part `[..]AND password='$password'");` –  Oct 18 '14 at 20:20
  • 1
    Don't use MD5 with passwords. PHP5 has new functions for handling password hashes. – Elias Kosunen Oct 18 '14 at 20:20
  • @Kommodore still getting the error – Arpad Gabor Oct 18 '14 at 20:21
  • @user3725053 As far as I know, PDO and MySQLi offer exactly the same features in terms of security. Which is easier is a matter of taste, but the procedural functions in MySQLi are more similar to the old mysql_* functions used in old tutorials. – IMSoP Oct 18 '14 at 20:34

2 Answers2

3

Errors about incorrect parameters can often be solved by looking up the manual for the function in question.

In this case, go to http://php.net/mysqli_query and you will see this function summary:

mixed mysqli_query ( mysqli $link , string $query [, int $resultmode = MYSQLI_STORE_RESULT ] )

So the two parameters expected are the mysqli object representing the connection to the database (which you will get when you first connect), and then the string of SQL to run (which you are currently passing).

The second error is a consequence of the first: because you are not checking for errors, $checklogin doesn't represent a successful query result.

Incidentally, there are a few other problems you might want to look at here, if the tutorial doesn't go on to explain them:

Community
  • 1
  • 1
IMSoP
  • 89,526
  • 13
  • 117
  • 169
1

Your call to mysqli_query() requires the first parameter to be your connection to the database, which would have been returned during mysqli_connect(). That is your first warning.

Since you didn't provide a connection to mysqli_query() the return value of $checkLogin equals null, this is where your second warning comes in. mysqli_num_rows() expects a result set from a successful query.

Here is your fix:

$connection = mysqli_connect("host", "user", "pass", "yourDB");
$result = mysqli_query($connection, "SELECT some, fields FROM YourTable WHERE something = 'this'");
Crackertastic
  • 4,958
  • 2
  • 30
  • 37
  • Already had a connection established, but did not put that `$connection` in the `mysqli_query`. It works now. Thanks. Will accept when I can. – Arpad Gabor Oct 18 '14 at 20:28
  • 1
    @Razzey Glad it is working. Please note that many of the procedural versions of the MySQLi library functions require a connection, a result, etc. Make sure you consult the manual on these functions to find out any parameters you may need. – Crackertastic Oct 18 '14 at 20:31
  • Wil do, thank you! Still learning all of this PHP and databases stuff. Have a good day/evening/night! – Arpad Gabor Oct 18 '14 at 20:33
  • @Razzey You are welcome. I would also suggest you look at the other comments and answer relating to MD5 and password hashing. I would also suggest that you utilize prepared statements to help prevent SQL injection. – Crackertastic Oct 18 '14 at 20:35