-2
// LOGIN USER
if (isset($_POST['login_user'])) {
    $username = ($_POST['username']);
    $password = ($_POST['password']);

    if (empty($username)) {
        array_push($errors, "Username is required");
    }
    if (empty($password)) {
        array_push($errors, "Password is required");
    }

    if (count($errors) == 0) {
        $password = md5($password);
        $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
        $results =( $query);

        if (mysqli_num_rows($results) == 1) {
            $_SESSION['username'] = $username;
            $_SESSION['success'] = "You are now logged in";
            header('location: index.php');
    }else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, string given in C:\xampp\htdocs\test4\server.php on line 63

Dharman
  • 30,962
  • 25
  • 85
  • 135
Denzil John
  • 1
  • 1
  • The problem is not with line 63 if (mysqli_num_rows($results) == 1) { Instead the problem is with the line before $results =( $query); You are not executing the query there. Based on your code I cannot give you the exact answer, but it should be something like: $results = $mysqli->query($query); More info here: https://www.php.net/manual/en/mysqli.query.php – Rick May 28 '20 at 00:10
  • 3
    Please dont __roll your own__ password hashing, specially not using `MD5()` or `SHA1()`. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them for the safety of your users. – RiggsFolly May 28 '20 at 00:38
  • 2
    Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API's instead of concatenated values – RiggsFolly May 28 '20 at 00:38

1 Answers1

-1

mysqli_num_rows expects a mysqli_result.

Replace

$results = ($query);

With

$results = mysqli_query($query);
Marco
  • 7,007
  • 2
  • 19
  • 49