0

Trying to display data on index.php, username works well, email isn't showing.

server.php

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {


  $_SESSION['email'] = $email;
  $_SESSION['username'] = $username;
  $_SESSION['success'] = "You are now logged in";
  header('location: index.php');

index.php

<?php
// Echo session variables that were set on previous page
echo "Your email is: " . $_SESSION['email'] . "<br>";
echo "Your username is: " . $_SESSION['username'] . "";
?>
PHP Newbie

3 Answers

1

You are not fetching results after querying the data. Use mysqli_fetch_assoc

Note that I have applied mysqli_real_escape_string to your WHERE condition parameters, for SQL injection related issues. Although it is not a fool-proof solution!

Change to following:

$query = "SELECT *
          FROM users
          WHERE username = '" . mysqli_real_escape_string($db, $username) .
          "' AND password = '" . mysqli_real_escape_string($db, $password) . "'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) == 1) {

  // Fetch the matched row; mysqli_fetch_assoc() takes only the result set
  $row = mysqli_fetch_assoc($results);
  $_SESSION['email'] = $row['email'];
  $_SESSION['username'] = $row['username'];
  $_SESSION['success'] = "You are now logged in";
}

Please do read on how to prevent SQL injection related issues using Prepared Statements.

Madhur Bhaiya
  • `mysqli_real_escape_string()` **will not** solve SQL injection problems. To do that, you must use [prepared statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?noredirect=1&lq=1). – Zeke Sep 16 '18 at 14:25
  • @Zeke I have already added that bit (was editing before your comment) – Madhur Bhaiya Sep 16 '18 at 14:26
  • @Zeke typo ! :-) – Madhur Bhaiya Sep 16 '18 at 14:29
  • I still think that `mysqli_real_escape_string()` shouldn't even be mentioned, because it doesn't solve anything. If you're going to recommend prepared statements, then simply write it as such. But at least you answered the question. I would also make sure that the database is selected, since I don't see `mysqli_select_db()` (or `mysqli::select_db()`) anywhere in the code, and the SQL query does not specify any database either. – Zeke Sep 16 '18 at 14:34
  • Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\xampp2\htdocs\server.php on line 81 Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\xampp2\htdocs\server.php on line 82 Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp2\htdocs\server.php on line 84 – PHP Newbie Sep 16 '18 at 14:42
  • @PHPNewbie if you're going to use that function, add the `$db` variable as the first parameter. Like this: `mysqli_real_escape_string($db, $username)`. – Zeke Sep 16 '18 at 15:15
  • @Zeke, thanks for your time, still getting one error ~> Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in C:\xampp2\htdocs\server.php on line 84, probably query has an error in it but my newbish eyes can't see it – PHP Newbie Sep 16 '18 at 15:24
  • @PHPNewbie check the updated answer. I am so used to using Object oriented style; this is procedural style; missed `$db` at a lot of places. Other than moving to prepared statements, you should also consider using object oriented style – Madhur Bhaiya Sep 16 '18 at 15:49
  • @PHPNewbie **do not** use the `$db` variable for `mysqli_num_rows()`. Only pass the SQL result. That's explicit in the error you're getting. – Zeke Sep 16 '18 at 16:07
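
The prepared-statement approach recommended in the answer and comments above, as an added example that is not part of the original thread. The connection values and the `find_login()` helper are hypothetical, and the `password` column is assumed to hold `password_hash()` output rather than the `md5()` value used in the question's code.

```php
<?php
// Added example. Placeholder connection values; users.password is assumed
// to hold password_hash() output (the question's code stores md5()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw
$db = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
$errors = [];

// Hypothetical helper: returns the user's row (without the hash) or null.
function find_login(mysqli $db, string $username, string $password): ?array
{
    // The ? placeholder keeps user input out of the SQL text entirely.
    $stmt = mysqli_prepare(
        $db,
        'SELECT username, email, password FROM users WHERE username = ?'
    );
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt); // needs the mysqlnd driver
    $row = mysqli_fetch_assoc($result);      // null when no user matches
    mysqli_stmt_close($stmt);

    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // never carry the hash into the session
    return $row;
}

session_start();
if (isset($_POST['login_user'])) {
    try {
        $row = find_login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    } catch (mysqli_sql_exception $e) {
        error_log('login query failed: ' . $e->getMessage());
        $row = null;
    }
    if ($row !== null) {
        session_regenerate_id(true); // new session ID after authentication
        $_SESSION['email'] = $row['email'];       // values come from the row,
        $_SESSION['username'] = $row['username']; // not from the form
        $_SESSION['success'] = "You are now logged in";
        header('location: index.php');
        exit;
    }
    array_push($errors, "Wrong username or password combination");
}
```

With exception reporting enabled, a failed query raises `mysqli_sql_exception` instead of returning `false`, so the "boolean given" warning quoted in the comments cannot be silently passed on to later calls.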
0

This is full code, $username appears (tested with different users)

if (isset($_POST['login_user'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
    array_push($errors, "Username is required");
  }
  if (empty($password)) {
    array_push($errors, "Password is required");
  }

  if (count($errors) == 0) {
    $password = md5($password);
    $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    $results = mysqli_query($db, $query);
    if (mysqli_num_rows($results) == 1) {


      $_SESSION['email'] = $email;
      $_SESSION['username'] = $username;
      $_SESSION['success'] = "You are now logged in";
      header('location: index.php');
    }else {
        array_push($errors, "Wrong username or password combination");
    }
  }
}
PHP Newbie
-1

You didn't get the email from your results, so your $email variable is null. If the email is in your users table, you will need to assign it from the results.

kalinma
  • You should at least show how to solve it with some code. Also, it's not only `$email`, `$username` too. Your answer seems incomplete and vague. – Zeke Sep 16 '18 at 14:38
  • From the question, "username works well, email isn't showing." The username value most likely comes from the form input value, so it's not null. I have included code in other answers, but decided that's not always the best answer. It's usually better to do the problem solving on your own, with some help if necessary, but not be handed the complete solution. At least that's how I prefer to have my questions answered, with some direction, but not the entire solution. I also realized that some questions may be coming from students who are here to get their homework done for them. – kalinma Sep 16 '18 at 15:02
  • I'd better consider hiring a coder to finish my project. – PHP Newbie Sep 16 '18 at 15:05
  • @PHP Newbie, Well, the answer to your original question is in Madhur's answer above, so you need not spend your money. I guess that was a joke. – kalinma Sep 16 '18 at 15:12
  • I understand your point, but the username is working for different reasons, not because of the SQL query. That's the difference. So, that should be mentioned at the very least. I mean, the query selects everything so there must be a reason. – Zeke Sep 16 '18 at 15:13
  • Oops, hey, I accidentally downvoted your answer like 34 minutes ago, please edit it so that I can undo it. My bad, I'm sorry. – Zeke Sep 16 '18 at 15:14