
Validate a user name and password


SilverJester


Having trouble trying to validate a user name and password. This is my code:

//check username/password
$user_name_check = mysql_query("SELECT * FROM users WHERE user_name=" . $_POST["user_name"] . "\" AND password=" . $_POST["password"] . "\"");
if(mysql_num_rows($user_name_check))
{
    //Do stuff here...
}

But I get the following error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /xxxx/xxxxxxxx/xxxxx/xxxxxxxxxxxxx/xxxx.php on line 32

Any ideas as to why? $user_name_check is a result set, right (which is what mysql_num_rows() requires)?

https://forums.phpfreaks.com/topic/236423-validate-a-user-name-and-password/

I'm not sure if you plan on keeping your code that way, but I would not use $_POST directly in the SQL code; that could cause security issues down the line. Also, I'm not sure why you are putting "\" in your SQL?

I would try something like this:

$user = $_POST['user_name'];
$pass = $_POST['password'];

"SELECT * FROM users WHERE user_name=$user AND password=$pass"

Or better still, at a minimum, escape the data properly before using it in a query string, and form the query string separately from the query execution so you have at least a glimmer of hope if you should need to do any debugging.

$user = mysql_real_escape_string($_POST['user_name']);
$pass = mysql_real_escape_string($_POST['password']);
// build the query string separately so it can be echoed while debugging
$query = "SELECT * FROM users WHERE user_name = '$user' AND password = '$pass'";
$user_name_check = mysql_query($query);

And also, put MySQL field names in backquote operators, so that they never conflict with MySQL reserved words. E.g. "password" is a MySQL reserved word. Try this:

$user = mysql_real_escape_string($_POST['user_name']);
$pass = mysql_real_escape_string($_POST['password']);
// backticks around table and column names avoid clashes with reserved words
$query = "SELECT * FROM `users` WHERE `user_name` = '$user' AND `password` = '$pass'";
$user_name_check = mysql_query($query);

Thanks!

Actually, "password" is not a MySQL reserved word... however, always placing backticks around your field names will eliminate the risk of triggering an error due to using a MySQL reserved word.

Also I'd like to note, as you get farther into your learning experience, you'll start to do some form of hashing passwords, whether it be MD5 or SHA1, so escaping the password field will actually be detrimental if anything, since it could alter what the user had typed in, and you won't have to worry about injection since it will be an alphanumeric hash.
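As an added example (not code from this thread or from any of its posters), here is a login check that follows the advice in the replies: the query text is fixed and built separately from its execution, user input never goes into the SQL string, field names are backticked, and, as the last reply anticipates, the stored password is a hash compared with password_verify() rather than a plaintext value escaped into the query. It assumes PHP 7 or later (where the mysql_* functions used in the thread no longer exist) with PDO and the pdo_sqlite extension; an in-memory SQLite database stands in for MySQL so the script runs offline, and the table and column names (`users`, `user_name`, `password`) follow the thread. Bound parameters take the place of mysql_real_escape_string(): the driver handles quoting, which is why a name such as o'brien, the kind of input that broke the original query, is handled correctly.

```php
<?php
// Added example, not from the thread. Assumptions: PDO + pdo_sqlite (in-memory
// SQLite stands in for MySQL), PHP >= 7. Table/column names follow the thread.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Identifiers are backticked as the replies suggest; SQLite accepts
    // backtick-quoted identifiers for MySQL compatibility.
    $db->exec('CREATE TABLE `users` (`user_name` TEXT PRIMARY KEY, `password` TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $userName, string $plainPassword): void
{
    // Only a salted hash is stored. The raw password never reaches the
    // database, so there is nothing to escape and nothing useful to leak.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO `users` (`user_name`, `password`) VALUES (:u, :p)');
    $stmt->execute([':u' => $userName, ':p' => $hash]);
}

function checkLogin(PDO $db, string $userName, string $plainPassword): bool
{
    // Dummy hash computed once, so an unknown user still costs one
    // password_verify() and response time does not reveal whether the
    // account exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }

    // The SQL text is constant; the user name travels as a bound parameter,
    // so an apostrophe in it is data, not SQL. This is the step the original
    // post got wrong by pasting $_POST values straight into the query string.
    $stmt = $db->prepare('SELECT `password` FROM `users` WHERE `user_name` = :u');
    $stmt->execute([':u' => $userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plainPassword, $dummyHash);
        return false;
    }
    return password_verify($plainPassword, $row['password']);
}

// Constructed demo data: one account whose name contains an apostrophe.
$db = openDb();
registerUser($db, "o'brien", 'correct horse battery staple');

$attempts = [
    ["o'brien", 'correct horse battery staple'],  // right password
    ["o'brien", 'wrong password'],                // wrong password
    ['nobody',  'anything'],                      // unknown account
];
foreach ($attempts as [$u, $p]) {
    echo $u, ': ', checkLogin($db, $u, $p) ? 'login ok' : 'login rejected', PHP_EOL;
}

// In a request handler you would read the fields out of $_POST first, as the
// reply suggests, defaulting to empty strings when they are missing:
//   $ok = checkLogin($db, (string)($_POST['user_name'] ?? ''), (string)($_POST['password'] ?? ''));
```

Run it with the PHP CLI (for example `php login_check.php`; the file name is an assumption). To use it against MySQL, change the DSN to a `mysql:host=...;dbname=...` string and pass the credentials to the PDO constructor; the prepared statements and the hashing code stay the same. Note that the `password` column now holds a hash that is around 60 characters for the default algorithm, so size the column accordingly rather than for the plaintext.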
