mysql_num_rows没有返回任何行

Question

So, I have some code. I know that mysql_num_rows is deprecated, but since I've already used it I don't want to switch everything to mysqli_. Anyway it was working on my local server and returning 1 or more results based on the entry. This is a PHP login script that I'm trying to get to work. When I uploaded the script to my hostgator server it didn't work. I also checked the PHP version and it mysql_num_rows() shouldn't be deprecated in version 5.4.xxx.

When I try doing a test query of just SELECT * FROM customers it returns one row, but it's not returning anything when I search for where the user and password equal the posted variables. It's frustrating me, and I could use a second set of eyes to look at this.

<?php
include('mysql_connect.php');
if(isset($_POST['submit'])) {
  if(isset($_POST['cususername']) AND isset($_POST['cuspassword'])) {
    $username = $_POST['cususername'];
    $password = md5($_POST['cuspassword']);
        $query = "SELECT * FROM customers WHERE username = '" . $username . "' AND 
        password = '" . $password . "'";
        $returned_user = mysql_query($query);
        $number_of_users = mysql_num_rows($returned_user);
        if($number_of_users > 0){
            echo "It got this far!";
            $customer_array = mysql_fetch_array($returned_user);
            $_SESSION['user_logged'] = 1;
            $_SESSION['id'] = $customer_array['customer_id'];
            $_SESSION['user_name'] = $customer_array['username'];
        }
  } 
}

?>
<?php 
if(isset($_REQUEST['loggoff'])) {
  unset($_SESSION['user_logged']);
  unset($logged_status);
}

if(isset($_SESSION['user_logged'])) { 
    $logged_status = $_SESSION['user_logged']; 
}

if(isset($logged_status)) {
  if($logged_status == 1) {
      echo "You are logged in as " . $_SESSION['user_name'] . ", Click here to <a href='" . $_SERVER['PHP_SELF'] . "?loggoff=1'>Log off</a>" . "<br>";
  }
}
else {?>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" id="customerlogin">
    <input type="text" name="cususername" id="cususername" />
    <input type="password" name="cuspassword" id="cuspassword" />
    <br />
    <input type="submit" name="submit" value="Login" />
</form>
<?php}?>

Answer 1

You should check if you have an mysql_error in your query. Btw. you should mysql_real_escape your POST data before use in a mysql_query

If you would use columns names as array index you must use mysql_fetch_assoc() instead of mysql_fetch_array();

Try this Code:

<?php
include('mysql_connect.php');
if( isset( $_POST['submit'] ) )
{

    if( isset( $_POST['cususername'] ) AND
        isset( $_POST['cuspassword'] ) )
    {
        // Prevent mysql injection
        $username = mysql_real_escape_string( $_POST['cususername'] );
        $password = md5( $_POST['cuspassword'] );

        $query = "SELECT * FROM `customers` WHERE `username` = '" . $username . "' AND `password` = '". $password ."'";

        $result = mysql_query( $query );

        // Check if error
        if( mysql_errno() !== NULL )
        {
            exit(   "An mysql_error has occured: \r\n".
                    "Err-No: " . mysql_errno() . "\r\n".
                    "Err-Msg: " . mysql_error()
                );
        }

        // Everything is okay .. Go on
        $iRows = mysql_num_rows( $result );

        // Check if only one user was found
        if( $iRows === 1 )
        {
            echo "It got this far!";

            $customer = mysql_fetch_assoc( $result );

            // Use boolean value instead of numbers
            $_SESSION['user_logged']    = true;
            $_SESSION['id']             = $customer['customer_id'];
            $_SESSION['user_name']      = $customer['username'];
        }
    }
}

I hope I could help you.

If this code wouldn't work try to output the generated sql statment and try it self in your SQL Admintool (eg phpMyAdmin).

Sorry for my bad english :/

Answer 2

One Suggestion. Rather Than 'AND'. Use '&&'. Some Codes do not execute using AND in if conditon. Just a suggestion.

if(isset($_POST['cususername']) && isset($_POST['cuspassword']))

Answer 3

Ok guys, and for all those with a similar problem searching. Here is my answer. The password field wasn't matching up with the inputted $_POST . So, I got online and looked up an answer. Come to find out the password was varchar(25) , which was cutting off the md5 hash. This was what was causing MySQL_NUM_ROWS() to return 0. Don't worry I will add MySQL injection prevention to my script as suggested by few of you, including Chris Wittor. Also, I know that md5 is an outdated way of encypting the information, but it's better than plain text.