
I'm working on a web app that requires a login page. Everything works fine, but I noticed that when a user tries to connect and his password contains characters he can't, and an ugly error appears saying FATAL ERROR: Call to a member function rowCount() on a non-object. Here is my code:

$password = $_GET["password"];
// $login and $password are placed into the SQL string without quotes
$req = "SELECT * FROM `enseignant` WHERE ens_cin=$login AND ens_pass=$password";
$res = $idconnex->query($req);
if ($res->rowCount() > 0) {
    echo 'SUCCESS CONNECT';
} else {
    echo 'FAIL CONNECT';
}

When I tried to add !empty($result) in the if(), things got worse: it considers all those who have characters in their password as not signed-in users, but no error appears. Thanks for the help and sorry for my bad English.

Isaac Bennetch
Malek Boubakri

3 Answers


We're more than likely dealing with strings here, so the variables in your values need to be quoted.

$req = "SELECT * FROM `enseignant` WHERE ens_cin='$login' AND ens_pass='$password'";

Plus, just using PDO on its own doesn't mean you're safe against SQL injection.

An insight:

Make sure that you are indeed connecting through PDO and not mysqli_. I see these types of questions often.

If that is the case, those different MySQL APIs do not intermix with each other.

Now this:

$password=$_GET["password"];

Passing a password through a GET isn't safe either; you don't know who may be "listening in". You should be using POST. I hope also that you are using a hash and not plain text for password storage.

Sidenote: Make sure you're indeed using GET and not mixed up with POST, should this be coming from an HTML form.


"but no error appear"

You are probably not checking for errors.

Add $idconnex->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); right after the connection is opened.

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

Sidenote: Error reporting should only be done in staging, and never in production.

Funk Forty Niner

The query() function returned something that is not an object.

You should always check for errors.

$res = $idconnex->query($req);
if ( ! $res) {
    echo 'This is not an object:<br>';
    var_dump($res);
    die;
}

You should also always read the manual when you run into problems:

Return Values

PDO::query() returns a PDOStatement object, or FALSE on failure.

Sverri M. Olsen

It's not safe to pass parameters to a query the way you did. The problem you encountered might be caused by some unsafe characters. You might need to escape them.

Your implementation is wide open to SQL injection. Use prepared statements instead. It's safer and will save you from problems such as this.

And one more thing: I notice that you are searching for $_GET['password'] inside your database directly, from which I can conclude that you store the password in your database without any hashing or encryption. You might want to reconsider that.

frz3993
  • Please, let's drop the SQL injection subject if it is not related to the error cause; I will handle it after everything goes right. – Malek Boubakri Apr 18 '15 at 17:14
  • Ok, maybe you can put the variable in single quotes `ens_pass='$password'` or `$req="SELECT * FROM \`enseignant\` WHERE ens_cin=$login AND ens_pass='".$password."'";` – frz3993 Apr 18 '15 at 17:21
  • Thanks, and I have some trouble when I convert to PDO and use a prepared query. Here is the new problem, please check it!! http://stackoverflow.com/questions/29721963/warning-pdoexec-expects-parameter-1-to-be-string/29722011#29722011 – Malek Boubakri Apr 18 '15 at 20:29
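As an added example (not code from the question or from any of the answers), this is what the login check looks like once the fixes recommended in Funk Forty Niner's and frz3993's answers are combined: PDO in exception mode, a prepared statement so the characters in the password never become part of the SQL text, and password_hash/password_verify instead of plain-text storage. It assumes an in-memory SQLite database standing in for the MySQL server, and reuses the table and column names from the question.

```php
<?php
// Added example (not the question's or an answer's code): PDO login check with
// exceptions enabled, a prepared statement, and hashed password storage.
// Assumptions: an in-memory SQLite database stands in for the MySQL server,
// and the table/column names follow the question (enseignant, ens_cin, ens_pass).
declare(strict_types=1);

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Make every PDO/driver error throw instead of query() returning false silently.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE enseignant (ens_cin TEXT PRIMARY KEY, ens_pass TEXT NOT NULL)');
    return $pdo;
}

// Store only a password hash, never the plain-text password.
function registerTeacher(PDO $pdo, string $cin, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO enseignant (ens_cin, ens_pass) VALUES (:cin, :hash)');
    $stmt->execute([
        ':cin'  => $cin,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Look the user up by CIN only and check the password in PHP against the stored hash.
// Bound parameters are sent separately from the SQL text, so quotes or other
// special characters in the user input cannot break (or change) the query.
function checkLogin(PDO $pdo, string $cin, string $password): bool {
    $stmt = $pdo->prepare('SELECT ens_pass FROM enseignant WHERE ens_cin = :cin');
    $stmt->execute([':cin' => $cin]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user
    }
    return password_verify($password, $row['ens_pass']);
}

// Constructed sample data; in a real page $cin and $password come from $_POST, not $_GET.
$pdo = openDb();
registerTeacher($pdo, '12345678', "it's a pass w/ 'quotes' & symbols;");

$cases = [
    ['12345678', "it's a pass w/ 'quotes' & symbols;"], // correct password containing quotes
    ['12345678', 'wrong password'],                     // wrong password
    ['nobody',   'anything'],                           // unknown user
];
foreach ($cases as [$cin, $password]) {
    echo $cin, ': ', checkLogin($pdo, $cin, $password) ? 'SUCCESS CONNECT' : 'FAIL CONNECT', PHP_EOL;
}
```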