
I am trying to link up a form with an IPBoard database and I keep going around in circles, not having much clue what to do, as I am a beginner to PHP coding. I just need the link to be there.

    [29-Nov-2014 16:18:30 UTC] PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, null given in /home/rise718c/public_html/Sean/Login/checklogin.php on line 40
    [29-Nov-2014 16:20:57 UTC] PHP Notice:  Undefined variable: link in /home/rise718c/public_html/Sean/Login/checklogin.php on line 40
    [29-Nov-2014 16:20:57 UTC] PHP Warning:  mysql_query() expects parameter 2 to be resource, null given in /home/rise718c/public_html/Sean/Login/checklogin.php on line 40
    [29-Nov-2014 16:20:57 UTC] PHP Warning:  mysql_num_rows() expects parameter 1 to be resource, null given in /home/rise718c/public_html/Sean/Login/checklogin.php on line 41

Above are the error logs.

And this is the code which I am trying to sort out:

    <?php
    $count = 0;
    $host="localhost"; // Host name
    $username="login"; // Mysql username
    $password="password"; // Mysql password
    $db_name="dbname"; // Database name
    $tbl_name="members"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("dbname")or die("cannot select DB");

    // username and password sent from form
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    // encrypt password

    $encrypted_mypassword= md5( $mypassword ) ;
    $sql="SELECT * FROM $tbl_name WHERE name='$myusername' and members_pass_hash='$encrypted_mypassword'";
    $result=mysql_query($sql);


    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($encrypted_mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($encrypted_mypassword);
    $sql="SELECT 'members_pass_hash','name' FROM $tbl_name WHERE name='$myusername' and members_pass_hash='$encrypted_mypassword'";
     mysql_real_escape_string($myusername);
     mysql_real_escape_string ($encrypted_mypassword);

     $result=mysql_query($sql);
     if (!$result) {
       die('Invalid query: ' . mysql_error());
    }

    // Mysql_num_row is counting table row
    mysql_connect($host, $username, $password);
    $result = mysql_query("SELECT * FROM table1", $link);
    $num_rows = mysql_num_rows($result);

    echo "$num_rows Rows\n";

    // If result matched $myusername and $mypassword, table row must be 1 row
    if($count==1){

    // Register $myusername, $mypassword and redirect to file "login_success.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:login_success.php");
    }
    else {
    echo "Wrong Username or Password";
    }
    ?>

It would be appreciated if you could help to rectify my mistake.

Brian Tompsett - 汤莱恩
RISE

1 Answer


You don't need to connect to your database multiple times. Because you did that, PHP doesn't know which connection to use, so it expects your database handle as an additional parameter.

Your code can also easily be used to take control of your server. You are putting the username and password into the first query as strings, so you are not protecting against SQL injection.

You should use some SQL library to take care of calls for you, other people have solved this problem already. An easy way would be to use the PDO_mysql PHP module, which provides parameterized queries.

Also please don't use md5, it has known weaknesses. Use SHA256 or something similar, it is just a different function to call. If you want to do it right you also have to worry about padding. There are functions which do even that for you. Have a look at http://php.net/manual/en/function.password-hash.php

Leonidaz0r
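The parameterized query and `password_hash()` approach recommended in the answer above, as an added example that is not part of the original answer or the asker's code. It assumes the `pdo_sqlite` extension and a constructed in-memory table that reuses the question's `members`, `name` and `members_pass_hash` names; `check_login` is a hypothetical helper.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the MySQL one.
// With MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (name TEXT PRIMARY KEY, members_pass_hash TEXT NOT NULL)');

// Constructed sample account; password_hash() generates and embeds the salt itself.
$insert = $pdo->prepare('INSERT INTO members (name, members_pass_hash) VALUES (:name, :hash)');
$insert->execute([':name' => 'alice', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only if the name exists and the password matches its stored hash.
 */
function check_login(PDO $pdo, string $name, string $password): bool
{
    // The placeholder is bound as data, so quote characters in $name cannot alter the query.
    $stmt = $pdo->prepare('SELECT members_pass_hash FROM members WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    if ($hash === false) {
        return false;
    }
    // The salted hash is checked in PHP, not in the WHERE clause.
    return password_verify($password, $hash);
}

// One connection object, reused for every query.
$cases = [
    ['alice', 'correct horse'],   // valid login
    ['alice', 'wrong password'],  // wrong password
    ["alice' OR '1'='1", 'x'],    // quotes are treated as part of the name
    ['nobody', 'correct horse'],  // unknown user
];
foreach ($cases as [$name, $password]) {
    printf("%-20s %s\n", $name, check_login($pdo, $name, $password) ? 'accepted' : 'rejected');
}
```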