-1

I want to make a login for a class (so I'm not looking into preventing SQL injections right now) and I'm having trouble making use of the row counting to see if I can login or not.

How could I count the rows from the selection? I've tried some things which just didn't work.

The error I get is in the line that has a comment.

$host = "localhost";
$serverusername = "root";
$serverpassword = "";
$database = "usuarios";
$table = "user";

$username = $_POST['username'];
$password = $_POST['password'];

$mysqli = new mysqli($host, $serverusername, $serverpassword, $database);
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
$query = "SELECT * FROM ".$table." WHERE `username` = ".$username." AND `password` = ".$password;


$result = $mysqli->query($query);
$row = $result -> num_rows; //this line has an error. Trying to get property of non-object 

if ($row != 0)
{
header('Location : index.html');
die();
}
else
{
    echo "password incorrecta!";
}


$mysqli -> close();
user3651164
  • 13
  • 5
  • 4
    Your code contains syntax errors. Consult these following links http://php.net/manual/en/mysqli.error.php and http://php.net/manual/en/function.error-reporting.php and apply that to your code. – Funk Forty Niner Nov 23 '15 at 00:41
  • 1
    Password is probably a string. And see about prepared statements – Strawberry Nov 23 '15 at 00:44
  • To prevent your code from SQL injection, use [PDO::prepare](http://php.net/manual/en/pdo.prepare.php) – Rajdeep Paul Nov 23 '15 at 00:45
  • @RajdeepPaul Probably shouldn't mix PDO and MySQLi, [`$mysqli->prepare`](http://php.net/manual/en/mysqli.prepare.php) would fit better here ;) – Qirel Nov 23 '15 at 00:48
  • I've used php with this same syntax of error and it worked. Hold on, I'm posting the exact error in the first post. – user3651164 Nov 23 '15 at 00:49
  • @Qirel Yes, of course. Either `mysqli_` or `PDO` extension will do. I was just stating an option. :) – Rajdeep Paul Nov 23 '15 at 00:50
  • @Strawberry hehe, yeah. One hopes it would be, especially a "hashed" one at best ;-) – Funk Forty Niner Nov 23 '15 at 00:56
  • *"How could I count the rows from the selection?"* - Kind of unclear here. If you're trying to get a "count" as you state here, then you need to use `COUNT()`. If you're wanting to check if a user exists with the password given; again... your code contains syntax errors. Your question as it stands, is off-topic for a few reasons. 1) Syntax errors. 2) Unclear. – Funk Forty Niner Nov 23 '15 at 01:02
  • if username = 123 and password = 456, great. Otherwise: they're strings. – Funk Forty Niner Nov 23 '15 at 01:04
  • I have fixed the way the string is in the query. $query = "SELECT * FROM ".$table." WHERE `username` = '".$username."' AND `password` = '".$password."'"; Previously it put the username and password without 's or "s. I still have trouble with the counting. I'm gonna try the COUNT thing in SQL now – user3651164 Nov 23 '15 at 01:24
  • @Fred-ii- I don't think this is a duplicate, it's not related to the use of single .... I think it's a debugging problem – davejal Nov 23 '15 at 01:42
  • Moderator I found out what the real error is...... I mistyped my database name. Please delete. Sorry everyone it all works now. – user3651164 Nov 23 '15 at 02:26
  • You can't delete? Not enough rep? – Strawberry Nov 23 '15 at 07:34
  • it says it has answers so I can't delete it – user3651164 Nov 23 '15 at 19:19

2 Answers2

1

You need to put $username and $password in quotes:

$query = "SELECT * FROM $table WHERE `username` = '$username' AND `password` = '$password'";

This code is vulnerable to SQL injection.

user2182349
  • 9,569
  • 3
  • 29
  • 41
0

Assuming you already have error reporting set to on (because you provide the error given) your next step is to troubleshoot the query or the output.

To see what is wrong with your query try debugging it Here's how I debug query's

  1. echo the query to the screen

    $query = "SELECT * FROM ".$table." WHERE `username` = ".$username." AND `password` = ".$password;
echo $query;

  2. copy the printed query from the screen

  3. execute the query in you db manager (phpmyadmin)

  4. Read the sql error and

  5. change your query accordingly

If the query gives the correct output, then the problem it with the code that is run after you're query. otherwise you have to add your sql error here, so we can fix.

sidenote:

shouldn't $row = $result -> num_rows; be $row = $result->num_rows; (not sure if it matters, the extra space)

note 2: after reading the comments

Probably you're password is stored "hashed" and right now you're querying as is (not "hashed"). Depending how you hashed the password in your db you should hash the password post accordingly.

davejal
  • 6,009
  • 10
  • 39
  • 82
  • Alright, I have fixed the query. $query = "SELECT * FROM ".$table." WHERE `username` = '".$username."' AND `password` = '".$password."'"; This makes it so the parameters are read as strings in the query. But I still am troubled that the num_rows thing isn't working. – user3651164 Nov 23 '15 at 01:23
  • have you followed all the steps I placed for you? execute the printed query to see what's wrong with it. – davejal Nov 23 '15 at 01:27
  • Yes I have followed every step. I even use phpmyadmin aswell. And there was an error. Went from SELECT COUNT(*) FROM user WHERE `username` = Rob AND `password` = no ....TO... SELECT COUNT(*) FROM user WHERE `username` = 'Rob' AND `password` = 'no' Notice the '' to classify them as strings – user3651164 Nov 23 '15 at 01:30
  • not sure why you use `select count()`, while you could use `select *` . If you explicitly want to use only the number of rows in your code you could use `select count(*)` – davejal Nov 23 '15 at 01:32
  • is the password actually no? or is the password empty? – davejal Nov 23 '15 at 01:33
  • oh sorry, the count was when I was trying something else, pay no mind to it. – user3651164 Nov 23 '15 at 01:34
  • do you get a query result or not? – davejal Nov 23 '15 at 01:40