
Hello, I am a complete beginner and I'm currently trying to create an admin login page, but it gives me this error:

"Fatal error: Uncaught TypeError: mysqli_num_rows():
Argument #1 ($result) must be of type mysqli_result, bool given in C:\xampp\htdocs\hotelreservation\admin.php:48
Stack trace:
    #0 C:\xampp\htdocs\hotelreservation\admin.php(48): mysqli_num_rows(false)
    #1 {main} thrown in C:\xampp\htdocs\hotelreservation\admin.php on line 48"

I don't know how to fix this. Please help me, and thanks in advance.

 <body>
        
        <div class = "header">
            <h1> Only Admin can login here!</h1>
        </div>
        
        <div class = "form-design">
            <form method = "POST" action = "">
        
        <div class = "info">
            <label> Username: </label><br>
            <input type = "text" name = "user" required><br>  
            <label> Password: </label><br>
            <input type = "password" name = "pass" required ><br>
            <input type = "submit" name = "login" value = "login"><br>

        </div>
        
            </form>
        </div>
        <a href = "dashboard.php"> Return to dashboard</a>
        
        <?php
        
            session_start();
            
            $connect = mysqli_connect('localhost', 'root', '');
            
            $db = mysqli_select_db($connect, 'admin');
            
                if(isset($_POST['login'])){
                    
                    $username = $_POST['user'];
                    $password = $_POST['pass'];
                    
                        $sql = "SELECT * FROM admin_user WHERE user = '$username' and pass = '$password'";
                        
                        $query = mysqli_query($connect, $sql);
                        $row = mysqli_num_rows($query);
                        
                        if($row['username'] == $username && $row['password'] == $password){
                            echo "login success";
                            $_SESSION['user'] = $username;
                            header ('location:#');
                        }
                }
        
        
        
        ?>
    </body>
Dharman
El3ven
  • Your query failed, but you haven't configured mysqli to show you the real error. Follow the link above, get it configured and then you'll have a better idea of what your problem is. – ADyson Apr 07 '21 at 10:56
  • P.S. **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Apr 07 '21 at 10:56
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped input values - that may even have something to do with your current problem, potentially. – ADyson Apr 07 '21 at 10:57
  • And never configure your web app to log in to the database as root. Root can do whatever it likes, so on top of the SQL injection vulnerabilities this just leaves your database an open book for hackers. Instead create a separate user account specifically for this application which has only the permissions it actually _needs_ in order to work properly. Don't even use the root account as a shortcut during development or testing, because you need to test your account permissions as well - otherwise when you go live you might have unexpected errors relating to the user account setup. – ADyson Apr 07 '21 at 10:57
  • Also, please don't store passwords in plain text - that is another security risk. Learn about [password hashing](https://www.php.net/manual/en/faq.passwords.php) instead. – ADyson Apr 07 '21 at 10:57
  • `echo "login success";` - this message will never be visible on your users' screens, because of `header ('location:#');` - with that command you're telling the browser to redirect to a new page, and ignore the output of this one. Yet if the login fails, they simply get no feedback at all, maybe just a blank screen! – ADyson Apr 07 '21 at 10:58
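
The points raised in the comments above (mysqli error reporting, a prepared statement, password hashing, a non-root database account, and redirecting before any output), combined in one login handler as an added example that is not part of the original question or comments. The table `admin_user`, its columns `user` and `pass`, and the database `admin` come from the question; the account `hotel_app`, its placeholder password, the target `admin_home.php`, and `pass` holding `password_hash()` output are assumptions.

```php
<?php
// Added example, not the asker's code. This block must run before any HTML
// is sent, otherwise session_start() and header() cannot set their headers.

// Make mysqli throw exceptions, so a failed connection or query reports its
// real cause instead of handing `false` to the next function call.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
$error = '';

if (isset($_POST['login'])
    && is_string($_POST['user'] ?? null)
    && is_string($_POST['pass'] ?? null)) {

    $username = $_POST['user'];
    $password = $_POST['pass'];

    // Assumption: 'hotel_app' is a dedicated account that only has SELECT
    // on admin_user; 'CHANGE_ME' is a placeholder for its password.
    $db = new mysqli('localhost', 'hotel_app', 'CHANGE_ME', 'admin');
    $db->set_charset('utf8mb4');

    // The ? placeholder keeps the submitted value out of the SQL text.
    $stmt = $db->prepare('SELECT pass FROM admin_user WHERE user = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no row matches

    // Assumption: pass was written with password_hash(), not as plain text.
    if ($row !== null && password_verify($password, $row['pass'])) {
        session_regenerate_id(true);             // fresh session id after login
        $_SESSION['user'] = $username;
        header('Location: admin_home.php');      // hypothetical target page
        exit;                                    // nothing after this is sent
    }
    $error = 'Invalid username or password.';    // same text for both failures
}
?>
<!-- The login form from the question goes here, followed by the feedback: -->
<?php if ($error !== ''): ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
```

`get_result()` needs the mysqlnd driver, which is the default in current PHP builds.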

0 Answers