Home/ Questions/Q 7952133
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T02:46:15+00:00

I’m trying to do a simple logon script. That is, accept form content through

  • 0

I’m trying to do a simple logon script. That is, accept form content through a POST action. Check the database for a matching record. Pull other information from that row such as Full Name.

The code I have is;

if ( !isset($_POST['loginsubmit']) ) {
    //Show login form
    ?>

    <form action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>" method="post">
        <p>
            Account ID:
            <input name="AccountID" type="text" />
        </p>
        <p>
            Username:
            <input name="userEmail" type="text" />
        </p>
        <p>Password:
            <input name="userPassword" type="password" />
        <p>
            <input name="loginsubmit" type="submit" value="Submit" />
        </p>
    </form>
    <?php
}
else {
    //Form has been submitted, check for logon details
    $sql = "SELECT * FROM users WHERE 'accountID'=". $_POST['AccountID']. " AND     'userEmail'=". $_POST['userEmail'] . " AND 'userPassword'=". $_POST['userPassword']. "     LIMIT 1";
    $result = mysql_query($sql);
    $count = mysql_num_rows($result);
    if ($count == 1){
        echo"Correct Username/Password";
    }
    else {
        echo "Wrong Username or Password";
    }
}

I have two issues. Firstly with the above code, I keep getting the following error.

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in …

Second, how do I get the other details fields out of the databse. I presume

$result=mysql_query($sql);

contains an array for the MySQL row, so could I do something like;

echo $result['fullName'];
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    First sanitize the fields to prevent SQL injection. 

    $sanitize_fields = array('AccountID','userEmail','userPassword'); 
foreach( $sanitize_fields as $k => $v ) 
{
    if( isset( $_POST[ $v ] ) ) 
        $_POST[ $v ] = mysql_real_escape_string( $_POST[ $v ] ); 
}

    Then quote the string fields in your query. Initially there was an error in your query. That’s why you were getting a boolean value of false. 

    $sql = "SELECT * FROM users WHERE accountID='". $_POST['AccountID']. "' AND userEmail='". $_POST['userEmail'] . "' AND userPassword='". $_POST['userPassword']. "' LIMIT 1";

    I suggest you do the following after running the query to see the error generated by MySQL, if there is one. 

    $result = mysql_query($sql) or die('Query failed: ' . mysql_error());

    The MySQL extension is being phased out and there are newer better extensions such as MySQLi and PDO, have a look at those.

    • 0