I have been looking at this code for some time and just can not figure anything wron with it.

My Error Message is: Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hsphere/local/home/gwthorn/htpsinc-web.com/York_County/login.php on line 13

I commeted 13

<?php
session_start();

//The fields are censored but the database does connect.

mysql_connect("-censored-","-censored-","-censored"); 
mysql_select_db("-censored-");

if(isset($_POST['login'])) {
$username = htmlspecialchars($_POST['username'], ENT_QUOTES);
$password = htmlspecialchars($_POST['password'], ENT_QUOTES);
$password = md5($password);
$sql = mysql_query("SELECT * FROM user_system WHERE username='$username' AND password='$password'");

if(mysql_num_rows($sql)>0) { //!!!!!!!!!!!!!!!!!!!!!!!!Line 13
$_SESSION['auth'] = true;
setcookie("avxsystem_user",$username,time()+30*30*30*30*365);
setcookie("avxsystem_pass",$password,time()+30*30*30*30*365);
echo "<p>Login Successful</p>";
}

else {
echo "<p>Sorry, you are unable to login because you have got your username/password combination wrong. Please check spelling & try again.";
}
}
else {
echo $message;
}
?>

That means your query failed. Echo it out and look for an error or use mysql_error() to see what the error is.

i'm not so sure though, but i guess, there's something wrong in your query... with regards to the proper usage of single quotation marks... single quotation marks will be taken literally so for example '$username' is the same as $username (literally) while "$username" will be taken by it's value so for example if $username=50; echo "$username"; ---> the output is 50.

hmmm... i'm not so sure bout this though... i'm still a student...

The quotes are ok.
I think your problem comes from that

htmlspecialchars

piece of code, because if you give an echo to

[B]htmlspecialchars([/B]$_POST[B][[/B]'username'[B]][/B], ENT_QUOTES[B])[/B];

before entering it in the mysql query you will probably see your username string contains at least one # charcater (the password is hashed anyway so doesn't have this problem).

Anyway, if your username string contains a # character, in mysql everything after that char is considered a comment so your sql statement is broken in that point and that's why you get this error.

I suggest you test it first with some simple, clean strings (user: abcd, pass: xyzw) and without

[B]htmlspecialchars[/B]

and see if it works and after that go to more complicated stuff.

johy_d is right. Your problem could well lie within the htmlspecialchars() function.

Only way to identify this is.
Instead of putting the query directly into mysql_query().

Do.

$query = "SELECT * FROM table";
/* This will output your query then exit the script */.
echo $query; exit;
/* run query with mysql error  functionallity */ 
$ret = mysql_query($query) or die(mysql_error());

NOTE: After observing your query, you'll need to remote the exit; or the "echo $query; exit;" So that execution can continue onto the mysql_query() function.

Identify what is working first, before trying to figure out what isnt working.

Any questions just ask.

This article has been dead for over six months. Start a new discussion instead.