Forum Moderators: coopster

Query Error

part of a registration/login system

         

stargateanubis14

12:56 am on Aug 30, 2008 (gmt 0)

10+ Year Member



I have been working on a registration/login system, and I have gotten the registration down, but the log in system isn't searching the database properly. The log in code is as follows:

*************************************************
<?php
include("dbc1.php");//connects to database

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$myusername = strtr(mysql_real_escape_string('$myusername'),array('_' => '\_', '%' => '\%'));
$mypassword = strtr(mysql_real_escape_string('$mypassword'),array('_' => '\_', '%' => '\%'));
$sql=mysql_query("SELECT * FROM 'Registration' WHERE ('username'='$myusername') AND ('password'='md5($mypassword)')");

$count=mysql_num_rows($sql);
if($count==1){

$_SESSION['myusername']='myusername';
header("location:game.php");
}
else {
echo "Wrong Username or Password";
}
?>
*************************************************
errors
*************************************************
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/a1606798/public_html/login.php on line 10
*************************************************

The data that is entered into the database when the user registers goes through strtr and real escape, and the passwords are submitted through md5() when entered into the query.
Through my trial and error, I think there is a problem with the query searching through the database...

It also returns that I have the Wrong Username or password. (and yes... I double and triple checked the name and passwords)

I've been working on this for a while, and I've asked some other people about it, but they couldn't figure it out. Even when we got the mysql errors to go away, it still said that the username/pass didn't work.

ANYTHING you can think of, please tell me.

stargateanubis14

12:59 am on Aug 30, 2008 (gmt 0)

10+ Year Member



Sorry for double posting... but I'd like to apologize in advance because I posted this in php and not a mysql section. (I won't post again unless requested to do so)

cameraman

1:24 am on Aug 30, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Welcome to Webmaster World, stargateanubis14.

I'm not really understanding why you're doing the translations on the strings but if that's the way they went in I don't think it's causing a problem. If you use the php md5() function you don't even need to do anything to the password.

This:
$sql=mysql_query("SELECT * FROM 'Registration' WHERE ('username'='$myusername') AND ('password'='md5($mypassword)')");

You can use backticks on field names, but I'm pretty sure you can't use single quotes, and the quotes on the password are in the wrong place - try this instead:
$sql=mysql_query("SELECT * FROM Registration WHERE (username='$myusername') AND (password=md5('$mypassword'))");

If that still doesn't work, add:
if(!$sql) echo mysql_error();
right after the line so you can see what it's complaining about.

stargateanubis14

2:04 pm on Aug 30, 2008 (gmt 0)

10+ Year Member



That got rid of the error... that's good... But now it doesn't want to find the names and password pairs. I manually went in and checked the database, I have users: "testname" and "testname2" in the database, with password "testpass" for both of them (after being run through md5()). So, the passwords appear as "179ad45c6ce2cb97cf1029e212046e8" in the database.
I have tried the combination of the usernames and passwords many times, all saying the username or password is incorrect... I even tried the encrypted pass... but nothing worked.

Any ideas why it wouldn't work?

stargateanubis14

3:10 pm on Aug 30, 2008 (gmt 0)

10+ Year Member



I have fixed the problem... through trial and echo, I found the problem was with ' marks around the $myusername and $mypassword variables when going through the real escape. Resulting code:
*********************************************
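<?php
// $_SESSION is only saved if a session has been started (skip if dbc1.php already did)
if (session_id() === '') session_start();
include("dbc1.php");//connects to database
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// same escaping as the registration step, so the stored values match
$myusername = strtr(mysql_real_escape_string($myusername),array('_' => '\_', '%' => '\%'));
$mypassword = strtr(mysql_real_escape_string($mypassword),array('_' => '\_', '%' => '\%'));
$inpass = md5($mypassword);
$sql=mysql_query("SELECT * FROM Registration WHERE (username='$myusername') AND (password='$inpass')");
if(!$sql) die(mysql_error()); // a failed query returns false, not a result resource
$count=mysql_num_rows($sql);
if($count==1){
// store the variable's value, not the literal string 'myusername'
$_SESSION['myusername']=$myusername;
header("Location: game.php");
exit; // stop the script once the redirect header is sent
}
else {
echo "Wrong Username or Password";
}
?>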
*********************************************

Thank you for your help. I'm sure I'll be back here later if I ever have more questions.
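
For comparison with the login check worked out in this thread, here is an added example (not part of the original posts or any poster's code) that does the same lookup with a bound parameter and password_hash()/password_verify() in place of manual escaping and md5(). It assumes PDO with the SQLite driver so it runs offline; the Registration table and its username/password columns follow the thread, while check_login(), the password_hash() storage format and the sample rows are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PDO with the SQLite driver
// (in-memory, so it runs offline) and a Registration table whose password
// column holds password_hash() output rather than md5().

function check_login(PDO $db, string $username, string $password): bool
{
    // Placeholder binding: no manual quoting or escaping, and no "_"/"%"
    // handling is needed because this is an equality match, not LIKE.
    $stmt = $db->prepare('SELECT password FROM Registration WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    // fetchColumn() returns false when no row matched.
    if ($hash === false) {
        return false;
    }
    // Verifies against the salt and cost stored inside the hash string.
    return password_verify($password, $hash);
}

// Constructed sample data standing in for the registration step.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Registration (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO Registration (username, password) VALUES (?, ?)');
$insert->execute(['test_name', password_hash('testpass', PASSWORD_DEFAULT)]);

// Constructed login attempts.
$attempts = [
    ['test_name', 'testpass'],   // correct pair
    ['test_name', 'wrongpass'],  // wrong password
    ['testXname', 'testpass'],   // "_" in the stored name is not a wildcard
    ["o'brien", 'testpass'],     // a quote in the input is bound as data
];
foreach ($attempts as [$user, $pass]) {
    $result = check_login($db, $user, $pass) ? 'accepted' : 'rejected';
    printf("%-10s %-10s %s\n", $user, $pass, $result);
}
```

Only the first attempt is accepted. In a real login page, start the session before the check and call session_regenerate_id(true) on success before writing the username to $_SESSION.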