I'm trying to verify some login information from a form. The security isn't that important as this is just a small social media thing for my friends and myself, and I have backups so I don't really mind getting hacked; I'm just learning PHP.

Here is the error I'm getting:

Fatal error: Call to a member function fetch_assoc() on a non-object in /srv/disk4/2177948/www/website.com/postlogin.php on line 34

Here is the code: Line 34 is marked out with //

Note: The connection information is censored, it works perfectly in the script.

```php
<?php

session_start();

$usrName = $_POST['logInName'];
$pass = $_POST['logInPass'];
$servername = "censored";
$username = "censored";
$password = "censored";
$db_name = "censored";
$conn = mysqli_connect($servername, $username, $password, $db_name);

if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT usrName FROM loginInfo WHERE usrName='" . $usrName . "';";
$result = mysqli_query($conn,$sql);

if ($conn->query($sql) == TRUE) {
    while ($row = $result->fetch_assoc()) {
        $retrievedUsrName = $row["usrName"];
    }
} else {
    echo 'Error: ' . $conn->error;
}

$result->free;

if ($retrievedUsrName == $usrName) {
    $sql2 = "SELECT pw FROM logininfo WHERE pw='" . $pass . "';";
    $result2 = mysqli_query($conn,$sql2);

    while ($row = $result2->fetch_assoc()) { //Line 34
        $retrievedPass = $row["pw"];
    }
} else {
    echo 'Fant ikke brukernavnet i databasen. Spør Tommy.';
}

if ($retrievedPass == $pass) {
    header('Location: index.php');
} else {
    echo 'Fant ikke passordet i databasen. Spør Tommy.';
}

$result->free;

$conn->close;

?>
```
Chaost
  • 1
    My guess would be that `$sql2` returns an error instead of a valid row. If you're running MySQL in a case-sensitive environment, it could be that you're accessing the table _logininfo_ entirely in lower case. Everywhere else, you've called it _loginInfo_, with a capital `I`. – Ben Hillier Mar 13 '17 at 10:36
  • Oh my god... I just spent a couple of hours troubleshooting this, thanks for pointing it out :p – Chaost Mar 13 '17 at 10:38
  • Don't worry! We've all had moments like this :-) – Ben Hillier Mar 13 '17 at 10:40
  • 1
    You should use that `if ($conn->query($sql) == TRUE) { ... } else { echo 'Error: ' . $conn->error; }` around all your queries, to see possible SQL errors. – syck Mar 13 '17 at 10:41
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 13 '17 at 12:51
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 13 '17 at 12:52
  • I know about SQL Injection and how to secure it, but this site is just for me and my friends and I gave them direct instructions to not use passwords they use elsewhere. I keep backups in case someone decides to screw me over – Chaost Mar 13 '17 at 14:02

0 Answers
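The following is an added example, not part of the original post or its comments: the same login check written the way the comments recommend, with MySQLi prepared statements and `password_hash()` / `password_verify()`. It looks up the hash by user name in a single query, so the password is checked against that user's row (the posted script's second query matches any row whose `pw` equals the input). The function names `registerUser` and `checkLogin`, the `$_SESSION['usrName']` key, the connection placeholders and the assumption that `pw` stores a hash are illustrative and not from the page.

```php
<?php
// Added example, not the asker's code. Assumes PHP 7+ and that loginInfo.pw
// holds password_hash() output instead of the plain-text password.

// Throw exceptions on SQL errors (e.g. a misspelled table name) instead of
// returning false and failing later on fetch.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Store a user: hash the raw password, without escaping or trimming it first.
function registerUser(mysqli $conn, string $usrName, string $pass): void
{
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO loginInfo (usrName, pw) VALUES (?, ?)');
    $stmt->bind_param('ss', $usrName, $hash);
    $stmt->execute();
    $stmt->close();
}

// True only if this user exists and the password matches this user's hash.
function checkLogin(mysqli $conn, string $usrName, string $pass): bool
{
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt = $conn->prepare('SELECT pw FROM loginInfo WHERE usrName = ?');
    $stmt->bind_param('s', $usrName);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();            // true = row fetched, null = no such user
    $stmt->close();

    return $found === true && is_string($storedHash)
        && password_verify($pass, $storedHash);
}

session_start();
$conn = new mysqli('db-host', 'db-user', 'db-password', 'db-name'); // placeholders

$usrName = $_POST['logInName'] ?? '';
$pass    = $_POST['logInPass'] ?? '';

if (is_string($usrName) && is_string($pass) && checkLogin($conn, $usrName, $pass)) {
    session_regenerate_id(true);        // fresh session ID after authentication
    $_SESSION['usrName'] = $usrName;
    header('Location: index.php');
    exit;
}
echo 'Invalid user name or password.';  // same reply for both failure cases
```

With exceptions enabled, a query against a wrongly cased table name fails at `prepare()` with the SQL error message, rather than surfacing later as a call on a non-object.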