-3

When I enter the username and password I get a warning like this:

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, array given in /home/data/www/z1760359/public_html/group/connectivity.php on line 18

And

Incorrect password or username.

I have typed the correct credentials. The structure of my database is:

 member ID  firstName  lastName  userName  password

Here are my index.php and connectivity.php

index.php

<?php
session_start(); 
?>
<html>
<head>
<style>
#login
{

    position:absolute;
    top: 30%;
    bottom: 30%;
    left:30%;
    right:30%;
    margin: 0px auto;
}

</style>
</head>
<body>
<?php


echo"<center>";
echo"<div id=\"login\">";

echo"<form method=\"POST\" action=\"connectivity.php\">";
echo"<b>Username</b>  <input type =\"text\" name=\"username\">";
echo"<br/><br/>";
echo"<b>Password</b>&nbsp;<input type =\"password\" name=\"password\">";
echo"<br/><br/>";
echo"<input type=\"submit\" value=\"submit\">";
echo"</form>";

echo"</div>";
echo"</center>";
?>

</body>
</html>

Connectivity

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$host="localhost";
$uname="user";
$pword="";
$db="z1760359";
$conn=mysqli_connect($host,$uname,$pword,$db) or die("Oops something went  wrong");
session_start();

$query="Select firstName  from member where userName='$username' AND password='$password'";

if(!empty($_POST['username'])) 
{
$query_first=mysqli_query($conn,$query) or die(" Query not retrieved");
//mysqli_error($query_first);
$query_second=mysqli_fetch_assoc($query_first);
$rows=mysqli_num_rows($query_second);
if($rows ==1)
{
    $_SESSION['user_name']=extract($query_second);
    echo"login successfull";
    sleep(3);
    header('Location:search.php');
}
else
{
    echo"Incorrect Password or Username";
}


}
else
{
echo"please enter the password or username";

}


?> 
Adarsh Jayakumar
  • 3
    **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. In this short example you have a number of dangerous [SQL injection vulnerabilities](http://bobby-tables.com/) coming from a reckless lack of [proper escaping](http://bobby-tables.com/php). Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](http://laravel.com/docs/security) built-in. – tadman Apr 21 '15 at 17:40
  • 1
    Try $query_first instead of $query_second – psj01 Apr 21 '15 at 18:49
  • 1
    um... why did you un-accept my answer? is there something I'm not grasping here? – Funk Forty Niner Apr 21 '15 at 18:57
  • *"Try $query_first instead of $query_second"* - Huh? that's a freakin' comment. You accepted my answer then decided to switch to another; why? You're not an ethical person. – Funk Forty Niner Apr 21 '15 at 19:05
  • Sorry, I gave it to you. Idk how it went to some other guy – Adarsh Jayakumar Apr 21 '15 at 19:20

2 Answers

7

You're using the wrong variable $query_second in:

$rows=mysqli_num_rows($query_second);

which should be $query_first for your query and not for mysqli_fetch_assoc().

$rows=mysqli_num_rows($query_first);

Sidenotes:

Your present code is open to SQL injection. Use mysqli with prepared statements, or PDO with prepared statements.

I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.

For password storage, use CRYPT_BLOWFISH or PHP 5.5's password_hash() function. For PHP < 5.5 use the password_hash() compatibility pack.

As a matter of fact, ircmaxell put up an answer earlier in regards to using PDO (prepared statements) with password_hash().


Edit:

"How can I store firstName from the database to $_SESSION['user_name'] ?"

$username = $_POST['username']; 

$_SESSION['user_name'] = $_POST['username'];
$saved_session = $_SESSION['user_name'];
echo $saved_session;
Funk Forty Niner
  • 1
    Alternatively you can `count($query_second)`. – user487772 Apr 21 '15 at 17:11
  • How can I store firstName from the database to $_SESSION['user_name'] ? – Adarsh Jayakumar Apr 21 '15 at 19:21
  • @AdarshJayakumar try `$username = $_POST['username']; $_SESSION['user_name'] = $username;` – Funk Forty Niner Apr 21 '15 at 19:23
  • I want to retrieve firstName from the SQL query to be stored in session and not username from the form – Adarsh Jayakumar Apr 21 '15 at 19:27
  • @AdarshJayakumar reload my answer and look under **Edit:** near the bottom. – Funk Forty Niner Apr 21 '15 at 19:33
  • @fred When I host the file and run it I get something like this --------> login successfull , Warning: Cannot modify header information - headers already sent by (output started at /home/data/www/z1760359/public_html/group/connectivity.php:24) in /home/data/www/z1760359/public_html/group/connectivity.php on line 27 – Adarsh Jayakumar Apr 22 '15 at 00:08
  • @AdarshJayakumar that's because you have output before your PHP. Please read the following on Stack http://stackoverflow.com/q/8028957/ - but you need to post a new question, as this one has already been answered and have helped you out more than many would. – Funk Forty Niner Apr 22 '15 at 00:10
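
An added example, not code from the question or from either answer: a hardened connectivity.php that combines the points raised above (a prepared statement instead of string concatenation, password_hash()/password_verify() instead of plain-text comparison, firstName read from the database row into the session, and no output before header()). It assumes the `password` column of `member` already holds password_hash() output; the connection values are the ones from the question.

```php
<?php
// Added example: hardened login handler. Not the original poster's code.
// Assumption: member.password stores password_hash() output, not plain text.
session_start();

// Make mysqli throw exceptions instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Reject missing fields and array-valued parameters (username[]=...).
if (!is_string($username) || !is_string($password)
    || $username === '' || $password === '') {
    http_response_code(400);
    exit('Please enter the username and password');
}

// Connection values as given in the question.
$conn = new mysqli('localhost', 'user', '', 'z1760359');
$conn->set_charset('utf8mb4');

// The user-supplied value is bound as a parameter, never concatenated
// into the SQL text, so it cannot change the structure of the query.
$stmt = $conn->prepare(
    'SELECT firstName, password FROM member WHERE userName = ?'
);
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($firstName, $storedHash);
$found = $stmt->fetch();   // true when a row was fetched, null when none
$stmt->close();
$conn->close();

// The password is checked in PHP against the stored hash; the same
// message is returned for an unknown user and for a wrong password.
if ($found !== true || !is_string($storedHash)
    || !password_verify($password, $storedHash)) {
    http_response_code(401);
    exit('Incorrect password or username');
}

session_regenerate_id(true);          // new session ID after login
$_SESSION['user_name'] = $firstName;  // firstName from the database row

// Nothing has been echoed yet, so the redirect header can still be sent.
header('Location: search.php');
exit;
```

The stored value for each member would be created at registration with `password_hash($plainPassword, PASSWORD_DEFAULT)`.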
0

Try $query_first instead of $query_second

psj01