BetterPHP

Hi Jacek,

I have been following your tutorial of PM System. But faced problem in the login part. Everything is already same as the tutorial. When I want to login, this error appears.

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\private_message_system\core\inc\user.inc.php on line 10
Call Stack
#	Time	Memory	Function	Location
1	0.0008	367344	{main}( )	..\index.php:0
2	0.0018	381808	include( 'C:\wamp\www\private_message_system\core\init.inc.php' )	..\index.php:3
3	0.0060	394288	validate_credentials( )	..\init.inc.php:20
4	0.0066	394728	mysql_num_rows ( )

I had stucked in the login part and couldn't go far. Could you help me..
Thanks so much..Below, I attached my code.

::user.inc.php::

<?php
//check username and password combination
function validate_credentials($user_name, $user_password){
	$user_name = mysql_real_escape_string($user_name);
	$user_password = sha1($user_password);
$result = mysql_query("SELECT 'user_id' FROM 'user' WHERE 'user_name' = '{$user_name}' AND 'user_password' = '{$user_password}'");
	if (mysql_num_rows($result) != 1){
		return false;
	}
	return mysql_result($result, 0);
}
?>

::init.inc.php::

<?php
$core_path = dirname(__FILE__);
if (empty($_GET['page']) || in_array("{$_GET['page']}.page.inc.php",scandir("{$core_path}/pages")) == false){
	header('HTTP/1.1 404 Not Found');
	header('Location: index.php?page=inbox');
	die();
}
session_start();
mysql_connect('127.0.0.1', 'root', '');
mysql_select_db('private_message');
include("{$core_path}/inc/user.inc.php");

if (isset($_POST['user_name'], $_POST['user_password'])){
	if (($user_id = validate_credentials($_POST['user_name'], $_POST['user_password'])) !== false){
		$_SESSION['user_id'] = $user_id;
	header('Location: index.php?page=inbox');	
	die();
	}   
}

if (empty($_SESSION['user_id']) && $_GET['page'] !== 'login'){
	header('HTTP/1.1 403 forbidden');
	header('Location: index.php?page=login');
	die();
}
$include_file = "{$core_path}/pages/{$_GET['page']}.page.inc.php";
echo $include_file;
?>

::login.page.inc.php::

<h1>Login</h1>
<?php
if (isset($_POST['user_name'], $_POST['user_password'])){
	echo 'Login failed';
}
?>

<form action="index.php?page=login" method="post">
	<div>
    	<label for="user_name">Name</label>
    	<input type="text" name="user_name" id="user_name" />
     </div>
     <div>
     
     	<label for="user_password">Password</label>
     	<input type="password" name="user_password" id="user_password" />
     </div>
     
      <div>
     	<input type="submit" value="login"/>
     </div>
     
</form>

::index.php::

<?php
include('core/init.inc.php');
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html versions:-//w3c//DTD XHTML 1.1//EN" xmlns="http://www.w3.org/1999/xhtml"> 
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<link rel="stylesheet" type="text/css" href="ext/css/main.css" />
	<title>private Message</title>
</head>

<body>
	<div id="wrap">
    	<?php  include($include_file); ?>
        </div>
</body>
</html>

The error you are getting is really easy to solve.
It's usually because the query is failing, and that is usually because of a typo in the SQL statement.
Adding

echo mysql_error();

after your query should tell you what's wrong.

<?php
//check username and password combination
function validate_credentials($user_name, $user_password){
        $user_name = mysql_real_escape_string($user_name);
        $user_password = sha1($user_password);
$result = mysql_query("SELECT 'user_id' FROM 'user' WHERE 'user_name' = '{$user_name}' AND 'user_password' = '{$user_password}'");

echo mysql_error();
        if (mysql_num_rows($result) != 1){
                return false;
        }
        return mysql_result($result, 0);
}
?>

In this case, it's because you're using single quotes ( ' ) instead of backticks ( ` ) around your row and table names.
This:

SELECT 'user_id' FROM 'user' WHERE 'user_name' = '{$user_name}' AND 'user_password' = '{$user_password}'

Should look like this:

SELECT `user_id` FROM `user` WHERE `user_name` = '{$user_name}' AND 'user_password' = '{$user_password}'

Thanks so much Tumor for your kind help. I already follow your suggestion on putting the

echo mysql_error();

And it's display :

Unknown column 'jacek' in 'where clause'

Can you help me, to figure out what's the problem..The query for Select statement has already been corrected, as follow :

function validate_credentials($user_name, $user_password){
	$user_name = mysql_real_escape_string($user_name);
	$user_password = sha1($user_password);

	$result = mysql_query("SELECT `user_id` FROM `users` WHERE `user_name` = `{$user_name}` AND `user_password` = `{$user_password}`");
	
	echo mysql_error();
	if (mysql_num_rows($result) != 1){
		return false;
	}
	return mysql_result($result, 0);
}

You're not supposed to have backticks around the variable names. You were right in having single quotes around those.
Singleqoutes = Variables.
Backticks = Row and table names.

Thanks a lot Tumor..It's work =) The query is something like this..

$result = mysql_query("SELECT user_id FROM users WHERE user_name = '$user_name' AND user_password = '$user_password' ");