
I have been working with this script for a while and I do not understand why it is giving me no results when the username and password exist. I have checked the capitalization and everything. I have attempted to edit my script to work with this link but alas no results. Here is a screenshot of the database user: Screenshot. Thanks for your help!

// $conn is the mysqli connection object created earlier in the script.
// The query text is built by concatenating raw $_GET values (see the comments on prepared statements).
$sql = "SELECT Status FROM Users WHERE Username = '".$_GET["username"]."' AND Password = '".$_GET["password"]."'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row or remove while loop if you wish
    while($row = $result->fetch_assoc()) {
        echo $row['Status'] ;
    }
} else {
    echo "0 results";
}
$conn->close();

Edit: I also tried this code, which gave me the error "Getting property of non-object" on line 16 (which here is line 9):

$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}
$sql = "SELECT Status FROM Users WHERE Username = '".$_GET["username"]." AND Password = '".$_GET["password"]."'"; // the closing quote after the username value is missing here, so the SQL is invalid, query() returns false and the num_rows access below fails
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row or remove while loop if you wish
    while($row = $result->fetch_assoc()) {
        echo $row['Status'] ;
    }
} else {
    echo "0 results";
}
$conn->close();
?>

Edit: I did fix my SQL injections problem, thanks for the advice!

Mark Deven
  • Hopefully because you hashed the passwords before storing them? – Don't Panic Nov 29 '17 at 21:45
  • Or maybe because num_rows doesn't give you the number of rows until you've fetched all the results? – Don't Panic Nov 29 '17 at 21:47
  • Your code is vulnerable to SQL injections. Please learn to use [prepared statements](https://www.youtube.com/watch?v=nLinqtCfhKY) instead. – tereško Nov 29 '17 at 21:47
  • And in case you did not hash passwords (which you should do), then try to output what is in $_GET['username'] and $_GET['password'], you might be using a POST request on your form (common for submitting a login form) – flynorc Nov 29 '17 at 21:48
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Nov 29 '17 at 21:49
  • **Never store plain text passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Nov 29 '17 at 21:49
  • You should use prepared statements, and you could hash your password for more security; here are some references: [Prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php), [Password hash](http://php.net/manual/es/function.password-hash.php), [Password verify](http://php.net/manual/en/function.password-verify.php). Edit: You should also use `filter_input` for your `GET` and `POST` variables. There is a good read on this in this [post](https://stackoverflow.com/questions/15102796/when-to-use-filter-input). You should redo the code based on this. – Ramsés Fernández Nov 29 '17 at 22:05
  • @everyone I'll have to look up the password hashing and prepared statements... Thanks. – Mark Deven Nov 30 '17 at 11:52
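Putting the comments' advice together, here is an added example (not code from the question or the answer) of the same lookup written with a mysqli prepared statement and password_verify(). The table layout (Username, Password holding a password_hash() value, Status), the connection values and the POST field names are assumptions.

```php
<?php
// Added example, not from the question or answer. Assumes a Users table with
// columns Username, Password (a password_hash() string, not plain text) and
// Status; connection values below are placeholders.
declare(strict_types=1);

function findUserStatus(mysqli $conn, string $username, string $password): ?string
{
    // Only the username reaches the database, and only as a bound parameter:
    // user input never becomes part of the SQL text, so quote characters in
    // it cannot alter the statement.
    $stmt = $conn->prepare(
        'SELECT Status, Password FROM Users WHERE Username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();

    // Read the row directly instead of testing num_rows: on a prepared
    // statement $stmt->num_rows is only populated after store_result().
    // get_result() needs the mysqlnd driver (default in current PHP builds).
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null) {
        return null; // unknown username
    }

    // Compare the password in PHP against the stored hash rather than in
    // the WHERE clause, so no plain-text password is ever stored or matched.
    if (!password_verify($password, $row['Password'])) {
        return null; // wrong password
    }
    return $row['Status'];
}

// Make mysqli throw on failures instead of returning false, so a malformed
// query surfaces as an error rather than "Getting property of non-object".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'user', 'password', 'db'); // placeholders

// The question's script reads $_GET; a login form normally submits via POST.
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

$status = findUserStatus($conn, $username, $password);
echo $status ?? '0 results';
$conn->close();
```

When creating the account, store `password_hash($password, PASSWORD_DEFAULT)` in the Password column; password_verify() then checks against that value without any escaping of the password beforehand.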

1 Answer


I tried your code as follows; it's working on my machine. Can you make sure of the $conn object creation? Also please enable errors, if you haven't, to see what's going wrong.

<?php
// Connection values are placeholders for the local test setup
$conn = new mysqli('localhost','user','password','db');

$sql = "SELECT Status FROM Users WHERE Username = '".$_GET["username"]."'
AND Password = '".$_GET["password"]."'";
$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // output data of each row or remove while loop if you wish
    while($row = $result->fetch_assoc()) {
        echo $row['Status'] ;
    }
} else {
    echo "0 results";
}
$conn->close();
  • It gives me no errors, just says 0 Results when the person does exist in the table – Mark Deven Nov 30 '17 at 11:36
  • After testing this script with 2 professional coders, myself and writing the URL that triggers it like twenty times, I was spelling example wrong. :/ Sorry for wasting your time, I'm going to go die in a corner now. – Mark Deven Nov 30 '17 at 11:49