#1 Regular Coder

    Help with login system turning crazy atm

I have done this at least a hundred times before, suddenly I just can't anymore -.-

PHP Code:
    <?php
    include ('inc/config.php');
    mysql_select_db('inlogsysteem', $con) or die;
    $gebruikersnaam = $_REQUEST['gebruikersnaam'];
    $wachtwoord = sha1($_REQUEST['wachtwoord']);

    // Look up the stored hash for this user name
    $result = mysql_query("SELECT wachtwoord FROM gebruikers where gebruikersnaam = '$gebruikersnaam'") or die (mysql_error());
    while ($row = mysql_fetch_array($result))

    if ($wachtwoord != $row['wachtwoord']) {
        echo "Verkeerd wachtwoord";
    }
    else {
        $sql="SELECT * FROM status WHERE gebruikersnaam='$gebruikersnaam'";
        $result2=mysql_query($sql);

        // Mysql_num_row is counting table row
        $count=mysql_num_rows($result2);
        echo $count;
        // If result matched $ip and $password, table row must be 1 row

        if($count==1){
            session_register("gebruikersnaam");
            echo "Logged in";
        }
        else
            echo "not logged in";
    }
    ?>
    My error:

    Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\xampp\htdocs\Login\login.php on line 18

#2 Old Pedant (Supreme Master coder!)
    When mysql_query *FAILS*, the result is a boolean value of false.

So then when you try to use that false with mysql_num_rows() of course you get that error message.

    You omitted the or die( )... from your mysql_query statement.

    Code:
        $sql="SELECT * FROM status WHERE gebruikersnaam='$gebruikersnaam'";
        $result2=mysql_query($sql) or die(...whatever you want...);
    As an alternative, you could use
Code:
        $sql="SELECT * FROM status WHERE gebruikersnaam='$gebruikersnaam'";
        $result2=mysql_query($sql);
        if ( ! $result2 )
        {
             .... do something ...
        } else {
             ... your existing code ...
        }
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

#3 Old Pedant (Supreme Master coder!)
    COMMENT: Your code is using a bad practice: You give a *different message* for bad user name than you give for bad password.

    For hackers, this makes their job easier. They just try many many user names until they get one that says "bad password" (Verkeerd wachtwoord) and then they keep using that user name while they test many many passwords.

    Might I suggest a better alternative?

    Code:
    $gebruikersnaam = mysql_real_escape_string($_REQUEST['gebruikersnaam']);
    $wachtwoord = sha1($_REQUEST['wachtwoord']); 
    
    $sql = "SELECT 'okay' FROM gebruikers " .
               " WHERE gebruikersnaam = '$gebruikersnaam'" .
               " AND wachtwoord = '$wachtwoord' ";
    $result = mysql_query( $sql ) or die (mysql_error());
    if ( mysql_num_rows($result) == 0 )
    {
         // best would be to redirect them back to the login page
         echo "Bad username or password.";
         exit; 
    }
    ...
    Now the hacker might have the user name *OR* the password correct, but unless both are correct he gets the same message, and so much less help to the hacker.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

#4 Regular Coder
    Thank you, it works now. Also thanks for the advice. A friend of mine told me you could also put the mysql_real_escape_string() in the query. Same with the sha1, so it would look like this:

    PHP Code:
$sql = "SELECT * FROM gebruikers WHERE gebruikersnaam = '".mysql_real_escape_string($_POST['gebruikersnaam'])."' AND wachtwoord = '".sha1($_POST['wachtwoord'])."'";
    Should be better; this is for the people who also need something related to this.

    This can be locked.
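The same login check as in posts #3 and #4, rewritten as an added example (not code from the thread) with a prepared statement instead of escaping, password_hash()/password_verify() instead of unsalted sha1(), and the one uniform failure message Old Pedant recommends. It assumes inc/config.php now creates a PDO connection in $pdo, and that the wachtwoord column holds password_hash() output; the mysql_* functions used in the thread were removed in PHP 7.

```php
<?php
include('inc/config.php');   // assumed to create a PDO connection in $pdo

/**
 * Returns true only when the user name exists AND the password matches.
 * Callers get a single yes/no, so a wrong name and a wrong password
 * cannot be told apart from the response.
 */
function controleerLogin(PDO $pdo, string $gebruikersnaam, string $wachtwoord): bool
{
    // The user name is bound as a parameter, so it never becomes part of the
    // SQL text; quotes or comment characters in the input cannot alter the query.
    $stmt = $pdo->prepare(
        'SELECT wachtwoord FROM gebruikers WHERE gebruikersnaam = :naam'
    );
    $stmt->execute([':naam' => $gebruikersnaam]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false;          // unknown user: same result as a bad password
    }
    // password_verify() checks against a salted hash and compares in constant time,
    // so neither the stored value nor the comparison leaks the password.
    return password_verify($wachtwoord, $row['wachtwoord']);
}

session_start();
$gebruikersnaam = $_POST['gebruikersnaam'] ?? '';
$wachtwoord     = $_POST['wachtwoord'] ?? '';

if (!controleerLogin($pdo, $gebruikersnaam, $wachtwoord)) {
    // One message for every failure, as suggested in post #3.
    echo 'Bad username or password.';
    exit;
}

// Replaces the old session_register(): fresh session id on privilege change.
session_regenerate_id(true);
$_SESSION['gebruikersnaam'] = $gebruikersnaam;
echo 'Logged in';
```

When creating accounts, store `password_hash($wachtwoord, PASSWORD_DEFAULT)` in the wachtwoord column so this check has something to verify against.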
