0

First the code 

mysqli_free_result($wynik);

$query = mysqli_query($dbcon, "SELECT * FROM user WHERE login = '$login' AND password ='$pass'");

$sql = mysqli_num_rows($query) 
        or die(drop dead);

echo $sql;

if ($sql > 0) {

                $_SESSION['user'] = $login;
                $_SESSION['auth'] = TRUE;
                echo $login;

I have a small issue with this code. When $query finds a result everything works fine, but when it returns no results $sql part dies. I can't understand why. When i run the query in database it works fine and returns 0 results.

Jay Blanchard
  • 34,243
  • 16
  • 77
  • 119
pawel kaminski
  • 13
  • 2
  • 4
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Feb 06 '17 at 22:49
  • 3
    Remove the `or die()` from the line beginning with `$sql` – Jay Blanchard Feb 06 '17 at 22:50
  • 1
    The `or die()` should be on the `mysqli_query()` line, not `mysqli_num_rows()`. – Barmar Feb 06 '17 at 22:53
  • 2
    You should look into [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead of concatenating your queries. That will make you're queries safer, even if you're escaping the user inputs (which you don't need to bother with at all, when using Prepared Statements). – M. Eriksson Feb 06 '17 at 22:53
  • Thank you for your support. I was able to resolve the issue thanks to your guidance. – pawel kaminski Feb 08 '17 at 06:29

2 Answers2

3

Because when you get no rows, you basically get 0 or die(). 0 is "falsy", so your die is executed. You don't want a die() there, basically just remove it. 

$sql = mysqli_num_rows($query); // Don't use die() for this

See this live demo.

It's more common to use or die() after the query, although it's not the best handling of errors, this is probably where you've seen it before 

$query = mysqli_query($dbcon, "SELECT * FROM user WHERE login = '$login' AND password ='$pass'") or die ("Query failed ".mysqli_error($dbcon));

Also you should look into prepared statements to protect your database against SQL injection. See the links given below.

Community
  • 1
  • 1
Qirel
  • 25,449
  • 7
  • 45
  • 62
0

or die() isn't some special error-handing feature of PHP. It actually performs a logical OR on the left and right values. It's commonly used to handle errors with functions that return a 0 on error because it's a short circuit operator. That means that it only evaluates the second operand if the first one is not a "True" value ( see How does true/false work in PHP? for info on how true/false is handled in PHP).

What's happening here is $sql = sqli_num_rows($query) or die() is the same as $sql = 0 or die(). Since 0 is a false value, it tries to evaluate the die() and dies.

Community
  • 1
  • 1
Sean McSomething
  • 6,376
  • 2
  • 23
  • 28