This is my login.php called from the button in the html below

$username = "root";
$password = "******";
$hostname = "localhost";
$dbname = "dbname";

// Create connection
$conn = new mysqli($hostname, $username, $password, $dbname);

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

$Uname = $_POST['logId'];
$Upass = $_POST['logPass'];
$query= mysql_query("SELECT * FROM user WHERE RegId ='$Uname' AND RegPass ='$Upass'");
$numrows=mysql_num_rows($query);
if($numrows!=0) {
    while($row=mysql_fetch_assoc($query)) {
        $dbUser=$row['RegId'];
        $dbPass=$row['RegPass'];
    }

    if($Uname == $dbUser && $Upass == $dbPass) {
        include 'Home.html';
    }
    else {
        echo "invalid username or password!";
    }
}

$conn->close();

Here is the HTML code

<div class="container">
  <div class="row">
    <div class="col-md-4 col-md-offset-4">
      <div class="login-panel panel panel-green">
        <div class="panel-heading">
          <h3 class="panel-title">Please Sign In</h3>
        </div>

        <div class="panel-body">
          <form action="loginChk.php" method="post">
            <div class="form-group">
              <label>Please Enter Your Email/Username</label>
              <input class="form-control" placeholder="username/E-mail" name="logId" />
            </div>

            <div class="form-group">
              <label>Please Enter Your Password</label>
              <input class="form-control" placeholder="Password" name="logPass" type="password" />
            </div>  

            <div class="checkbox">
              <label>
                <input name="remember" type="checkbox" value="Remember Me" />Remember Me
              </label>
            </div>

            <!-- Change this to a button or input when using this as a form -->
            <input  type="submit" class="btn btn-default" name="logBtn" value="Login"/><br /><br />
            <div class="fb-login-button" data-max-rows="1" data-size="large" data-show-faces="false" data-auto-logout-link="false"></div><br /><br />
            <a href="Register.html" class="btn  btn-info ">Register Here!</a>
          </form>
        </div>
      </div>
    </div>
  </div>
</div>

When I try to log in using correct credentials, it gives me this:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\LifeGuru\loginChk.php on line 21

Any suggestions?

DreadPirateShawn
gmSlab
  • You created an instance of mysqli object but you used mysql extension procedural style afterwards. – frz3993 Jul 27 '15 at 20:45
  • `mysql_*` are deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the `MySQLi` or `PDO_MySQL` extension should be used. [Read more](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). Moreover you seem to have mixed `mysql_*` and `mysqli` – Dipen Shah Jul 27 '15 at 20:48
  • Once you get `mysqli` working use prepared statements to avoid SQL injections. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – chris85 Jul 27 '15 at 20:51
  • Instead of mysql_query, use mysqli_query because you have an instance of mysqli() – Prashant Srivastav Jul 27 '15 at 20:54

1 Answer

Here is a completed login script completed in a hurry.

loginChk.php:

<?php
session_start();

//Include db connection
include 'db_connect.php';

//Get inputs and encode password to md5() remove that if no md5 enc.
$Username = mysql_real_escape_string($_POST['logId']);
$Password = md5(mysql_real_escape_string($_POST['Password']));


//Username check query
$Check_if_Username = mysql_query("SELECT * FROM Users WHERE Username = '$Username' AND Password = '$Password'");

//Email check query
$Check_if_Mail = mysql_query("SELECT * FROM Users WHERE Email = '$Username' AND Password = '$Password'");


//Check if Username returns any result
if(mysql_num_rows($Check_if_Username)==1){

    //Data was found, populate variables:
    $data = mysql_fetch_array($Check_if_Username);
    $_SESSION['Username'] = $data['Username'];
    $_SESSION['LoggedIn'] = TRUE;
}

//Otherwise, check for email match
else if(mysql_num_rows($Check_if_Mail)==1){

    //Data was found, populate variables:
    $data = mysql_fetch_array($Check_if_Mail);
    $_SESSION['Username'] = $data['Username'];
    $_SESSION['LoggedIn'] = TRUE;

}

//No data was found:
else{
    mysql_close();
    header("Location: /login.php?error=invalid data");
    die;
}



//If the user was logged in and the data was found, close mysql connection
mysql_close();

//Then redirect
header("Location: /account.php");

Keep in mind mysql_* is deprecated, try to learn the workaround.

Let me know how it worked out for you :)

MrK
  • this will fail. Read the manual on `mysqli_query` http://php.net/manual/en/mysqli.query.php then come back and modify your answer and the same for `mysqli_real_escape_string` http://php.net/manual/en/mysqli.real-escape-string.php – Funk Forty Niner Jul 27 '15 at 22:07
  • you're also suggesting the OP use MD5. I guess you don't know about this then. Here, have a read http://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function – Funk Forty Niner Jul 27 '15 at 22:08
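
Added example, not code from the question, the answer or any commenter: a loginChk.php that stays on the mysqli API throughout, uses a prepared statement as the comments recommend, and checks the password with password_verify() instead of MD5. It assumes the question's table and column names (user, RegId, RegPass), that RegPass stores a password_hash() value, and the redirect targets from the answer; findUser() and the connection credentials are hypothetical placeholders.

```php
<?php
// Added example, not code from the thread. Assumes the table and column names
// from the question (user, RegId, RegPass) and that RegPass holds a value made
// at registration with password_hash($plain, PASSWORD_DEFAULT).
session_start();

// Make mysqli throw exceptions instead of returning false, so a failed
// query can never reach a later call as a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: look a user up by login name with a bound parameter.
function findUser(mysqli $conn, string $login): ?array
{
    $stmt = $conn->prepare('SELECT RegId, RegPass FROM user WHERE RegId = ?');
    $stmt->bind_param('s', $login);   // input is sent as data, never as SQL text
    $stmt->execute();
    $stmt->bind_result($regId, $regPass);
    $row = $stmt->fetch() ? ['RegId' => $regId, 'RegPass' => $regPass] : null;
    $stmt->close();
    return $row;
}

// Placeholder credentials; a dedicated low-privilege account is assumed.
$conn = new mysqli('localhost', 'app_user', 'CHANGE_ME', 'dbname');

// Reject non-string input such as logId[]=x before it reaches the query.
$login = is_string($_POST['logId'] ?? null) ? $_POST['logId'] : '';
$pass  = is_string($_POST['logPass'] ?? null) ? $_POST['logPass'] : '';

$user = findUser($conn, $login);
$conn->close();

// Verify against a throwaway hash when the user is unknown, so a missing
// account and a wrong password take about the same time.
$hash = $user['RegPass'] ?? password_hash('unused', PASSWORD_DEFAULT);
$ok   = password_verify($pass, $hash) && $user !== null;

if ($ok) {
    session_regenerate_id(true);      // new session ID after login
    $_SESSION['Username'] = $user['RegId'];
    $_SESSION['LoggedIn'] = true;
    header('Location: /account.php'); // redirect targets taken from the answer
    exit;
}
header('Location: /login.php?error=invalid');
exit;
```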