mysql_num_rows gives boolean error - authentication

I'm working on a login script currently and I'm trying to get comfortable with query's and all those things around it. I'm getting it slightly, but the code below, which checks the username & password when people want to login, doesn't quite work. I get an error:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\mystagram\logic\login_validate.php on line 13
<?php
include('../includes/config.php');
include('../includes/database.php');
$username = mysql_escape_string($_POST['username']);
$password = mysql_escape_string($_POST['password']);
$submit = $_POST['submit_login'];
if (isset($submit)) {
$loginquery = mysql_query("SELECT * FROM users WHERE username='$username' AND password='$password'");
if (mysql_num_rows($loginquery) > 0) {
echo 'You are now logged in.';
exit();
} else {
echo 'Wrong username or password.';
}
}
?>

This means that you have an error in your SQL Statement.
Probably you dont have a table named 'users' or the Column 'username' or 'password' is missing.
Change this:
if (mysql_num_rows($loginquery) > 0) {
To:
if (mysql_num_rows($loginquery) == 1) {
And don't save your password in plaintext in the database. And use mysqli :)

you use mysql_escape_string() then '' it was problem. try this code,I hope it will work.
<?php
include('../includes/config.php');
include('../includes/database.php');
$username = mysql_escape_string($_POST['username']);
$password = mysql_escape_string($_POST['password']);
$submit = $_POST['submit_login'];
if (isset($submit)) {
**$loginquery = mysql_query("SELECT * FROM users WHERE username=".$username." AND password=".$password);**
if (mysql_num_rows($loginquery) > 0) {
echo 'You are now logged in.';
exit();
} else {
echo 'Wrong username or password.';
}
}
?>

Related

PDO bind variables to prepared mysql statement and fetch using while loop

I've used several of your guides but I can not get the following to run. If I hardcode the 2 variables in the Select statement it runs fine. I need to use variables, and I can't get the bind statement to work. Plenty of experience with the old Mysql_ but the PDO is still a challenge at this point.
$db_table = "ad";
$ID = "1";
$dsn = "mysql:host=$hostname;dbname=$database;charset=$charset";
$opt = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
PDO::ATTR_EMULATE_PREPARES => false,
];
$pdo = new PDO($dsn, $username, $password, $opt);
$result = $pdo->prepare("SELECT * FROM :ad WHERE id= :id "); // Line 359
$result->bindParam(':ad', $db_table, PDO::PARAM_STR);
$result->bindParam(':id', $ID, PDO::PARAM_STR);
$result->execute();
while($row = $result->fetch(PDO::FETCH_ASSOC))
{
$product = $row["product"];
$msrp = $row["msrp"];
$sale = $row["sale"];
$content = $row["content"];
echo "<strong>$product</strong> - $content<br />";
// echo $msrp . "<br />";
if($msrp != "0.00") { echo "MSRP $$msrp"; }
if($sale != "0.00") { echo "<img src='/images/c.gif' width='75' height='6' border='0'><span style='color: red;'>Sale $$sale</span>"; }
}
$pdo = null;
The above generates this error,
You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near '? WHERE id=?' at line 1' in
/XXXXXXXXXXXX/index_desktop_pdo.php:359
Your database structure is wrong. There should be always only one table to hold all the similar data. And therefore no need to make a variable table name.
To distinguish different parts of data just add another field to this table. This is how databases work.
So your code should be
$section = "ad";
$ID = "1";
$result = $pdo->prepare("SELECT * FROM whatever WHERE section=:ad AND id= :id");
$result->bindParam(':ad', $section);
$result->bindParam(':id', $ID);
$result->execute();

PDO row doesn't exist?

Below is my code:
<?php
$url = $_GET['url'];
$wordlist = array("Www.", "Http://", "Http://www.");
foreach ($wordlist as &$word) {
$word = '/\b' . preg_quote($word, '/') . '\b/';
}
$url = preg_replace($wordlist, '', $url);
?>
<?php
$oDB = new PDO('mysql:dbname=mcnsaoia_onsafe;host=localhost;charset=utf8', 'mcnsaoia_xx', 'PASSWORD');
$hStmt=$oDB->prepare("SELECT * FROM users WHERE hjemmside = :hjemmside AND godkendt=ja");
$hStmt->execute(array('hjemmside' => $url));
if( $row = $hStmt->fetch() ){
echo "EXIST";
}else{
echo "NOT EXIST";
}
?>
My problem is that it says NOT EXIST, because I know that there is a row which should be found with the following query:
SELECT * FROM users WHERE hjemmside = :hjemmside AND godkendt=ja
So why does it say not exist? I have absolutely no idea :(
Instead of
$hStmt=$oDB->prepare("SELECT * FROM users WHERE hjemmside = :hjemmside
AND godkendt=ja");
try
$hStmt=$oDB->prepare("SELECT * FROM users WHERE hjemmside = :hjemmside
AND godkendt='ja'");
The left is most likely a column and the right side is a string? I don't speak your language, but this is the first thing coming to my mind.
You should surround with quotes your not integer variable in your query
AND godkendt='ja'
Or maybe let pdo deal with it
$hStmt=$oDB->prepare("SELECT * FROM users WHERE hjemmside = :hjemmside AND godkendt = :ja");
$hStmt->execute(array(':hjemmside' => $url, ':ja' => 'ja'));
//^ i added : for placeholder here, you missed it
I would also rather check if rows are returned
if($hStmt->$eowVount() > 0){
$row = $hStmt->fetch()
echo "EXIST";
}else{
echo "NOT EXIST";
}

Unable to alert before redirecting to another php script using header()

I was trying to create a dummy social networking site for practice. I'm stuck in a script which is sending friend request..
i've created a form(with a single text input, a hidden input and submit button) in which a logged in user can enter email address of a friend. When he clicks on the search button, he gets name and email of his friend(fetched using sql)..
With that i have added an anchor tag(named as Send request) displayed near the details. When a user clicks on the anchor tag, he is redirected to a new script which sends friend request to his friend. The second script only deals with mysql.
On sql completion, a user either gets "Friend Request Sent Successfully" alertbox or "Friend Request Already Sent" alertbox based on sql queries. Now i want to redirect the user to the first script after the execution of alertbox.
I tried to use header("Location: send_request.php") after the alertbox. But now it is redirecting user to the first script without showing alertbox.
Here is my first script(named as find_friends.php)
<?php
if(isset($_SESSION)) session_start();
require('header.php');
echo "<form method='POST' action=''>";
echo "<input type='text' name='search_user'/>";
echo "<input type='hidden' name='search_form_status' value='sent'/>";
echo "<input type='submit' value='Search User'/>";
echo "</form>";
if(isset($_POST['search_form_status']) && $_POST['search_form_status']=='sent'){
$search_user = $_POST['search_user'];
$sql_search_user = "SELECT id, name, email FROM registration where email=\"$search_user\"";
$query_search_user = mysql_query($sql_search_user);
$user_check = mysql_num_rows($query_search_user);
if($user_check==1){
$results_search_user = mysql_fetch_assoc($query_search_user);
echo $_SESSION['searched_id'] = $results_search_user['id'];
echo $_SESSION['searched_name'] = $results_search_user['name']."<br/>";
echo $_SESSION['searched_email'] = $results_search_user['email'];
echo "</br/><a href='send_request.php'>Send Request</a>";
}
}
?>
And here is second script(named as send_request.php)
<?php
$db1 = mysql_connect("localhost", "root", "");
mysql_select_db("test", $db1);
$db2 = mysql_connect("localhost", "root", "", true);
mysql_select_db("friends", $db2);
if(!isset($_SESSION)) session_start();
$searched_email = $_SESSION['searched_email'];
$searched_id = $_SESSION['searched_id'];
$user_name = $_SESSION['name'];
$user_email = $_SESSION['email'];
$sql_table_check = "SHOW TABLES LIKE 'friends_".$searched_id."'";
$table_check = mysql_num_rows(mysql_query($sql_table_check, $db2));
if($table_check==1){
$sql_insert_values = "INSERT INTO friends_".$searched_id." VALUES(\"\", \"$user_name\", \"$user_email\", 0)";
if(mysql_query($sql_insert_values)){
echo "<script>alert('Friends Request Sent Successfully')</script>";
header("Location: find_friends.php");
}
else{
echo "<script>alert('Friends Request Already Sent')</script>";
header("Location: find_friends.php");
}
}else{
$sql_create_table = "CREATE TABLE friends_".$searched_id." (friend_id MEDIUMINT NOT NULL AUTO_INCREMENT PRIMARY KEY, friend_name VARCHAR(30) NOT NULL, friend_email VARCHAR(50) NOT NULL UNIQUE, active TINYINT NOT NULL)";
$sql_insert_values = "INSERT INTO friends_".$searched_id." VALUES(\"\", \"$user_name\", \"$user_email\", 0)";
mysql_query($sql_create_table, $db2);
if(mysql_query($sql_insert_values, $db2)){
echo "<script>alert('Friends Request Sent Successfully')</script>";
}
}
?>
Try this:
if(mysql_query($sql_insert_values)){
echo "<script>
alert('Friends Request Sent Successfully');
window.location.href='find_friends.php';
</script>";
}

Webform : how to count and live display results

Update (that one works)
<?php
if (arg(0) == 'node' && is_numeric(arg(1))) {
$nid = arg(1);
$node = node_load($nid);
if ($node->type == 'webform') {
$count = db_result(db_query('SELECT count(*) FROM {webform_submissions} WHERE nid = %d', $nid));
$atelier_1 = "sources" ;
$sql = "SELECT count(*) FROM {webform_submitted_data} WHERE data LIKE \"".$atelier_1."\" ;";
$count_atel_1 = db_result(db_query($sql));
}
}
echo $sql;
echo $count_atel_1;
?>
This webform has been submitted <?php print $count ?> times.
We'd like to use a webform so that our students should register on some workshops.
The webform works great. Now we'd like to display live the number of students that are already register in on of the workshops so that the other should know if there remains some possibilities of registration (each workshop can only accept 20 students at the same time)
I'm trying with that that doesn't work ($atelier_1 = "sources" ;) is the name of one workshop :
<?php
if (arg(0) == 'node' && is_numeric(arg(1))) {
$nid = arg(1);
$node = node_load($nid);
if ($node->type == 'webform') {
$count = db_result(db_query('SELECT count(*) FROM {webform_submissions} WHERE nid = %d', $nid));
$atelier_1 = "sources" ;
$count_atel_1 = db_result(db_query('SELECT count(*) FROM {webform_submitted_data} WHERE data LIKE %d', $atelier_1');
}
}
echo $count_atel_1;
?>
Any help or suggestion welcome
The only way you can show that live, is by creating an ajax in drupal, or with drupal behaviours, or with javascript.

Issue with retrieving Magento Frontend Session

I am trying to retrieve the customer's login status from Flex application using AMF call to the Magento Customer API :
Mage::app('default');
$session = Mage::getSingleton('customer/session', array('name'=>'frontend') );
$sessId= $session->getSessionId();
if($session->isLoggedIn()) {
$name = "Hi ". Mage::getModel('customer/session')->getCustomer()->getName();
return 'true' . $name;
}
else{
return 'false ' . $sessId;
}
Only the PHP session ID is returned:
PHPSESSID=i5s1gcemc6r8uquadc4rsk9ou5
But the user is logged into the below ID
frontend=3qdcimcdp7nq4bi8jlovqmnq61
Let me know if I am missing something here.
Use the following code to get the customer ID
Mage::getSingleton('core/session', array('name' => 'frontend'));
$customer = Mage::getSingleton('customer/session',array('name' => 'frontend'));
echo $customerId = $customer->getCustomer()->getId();