
PHP Mysqli issue - please help!!

Discussion in 'HTML & Website Design' started by gordo147, Apr 13, 2014.

  1. #1
    Hi there, I've got a database set up and it connects just fine, but when trying to log into the admin area I was getting about 10 errors, now I've cut it down to the final two but I can't figure it out. So any help would be greatly appreciated!!



    Warning: mysqli_query() expects at least 2 parameters, 1 given in /home/content/12/11792312/html/myshop/storeadmin/admin_login.php on line 17

    Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, null given in /home/content/12/11792312/html/myshop/storeadmin/admin_login.php on line 19


    and here is the admin login page:



    <?php
    session_start();
    if (isset($_SESSION["manager"])) {
        header("location:index.php");
        exit();
    }
    ?>
    <?php
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $manager = preg_replace('#[^A_Za-z0-9]#i', ',', $_POST["manager"]);
        $password = preg_replace('#[^A_Za-z0-9]#i', ',', $_POST["password"]);
        include "../storescripts/connect_to_mysql.php";
        $sql = mysqli_query("SELECT * FROM admin WHERE username='$manager' AND password='$password' LIMIT 1");
        $existCount = mysqli_num_rows($sql);
        if ($existCount == 1) {
            while ($row = mysqli_fetch_array($sql)) {
                $id = $row["id"];
            }
            $_SESSION["id"] = $id;
            $_SESSION["manager"] = $manager;
            $_SESSION["password"] = $password;
            header("location:../index.php");
            exit();
        }
        else
        {
            echo 'UberPass Failed - <a href="index.php">Click here</a>';
            exit();
        }
    }
    ?>
    [this forum wouldn't let me post the doctype]
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Admin Homepage</title>
    <link href="../style.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div id="mainwrapper">
    <?php include_once("../template_header.php"); ?>
    <div id="maincon">
    <form id="form1" name="form1" method="post" action="http://www.uberdelic.com/myshop/storeadmin/admin_login.php">
    <p>Username:
    <input name="username" type="text" id="username" size="40" />
    </p>
    <p>Password:
    <input name="password" type="password" id="password" size="40" />
    </p>
    <p>
    <input type="submit" name="button" id="button" value="Log In" />
    </p>
    </form>
    </div>
    <?php include_once("../template_footer.php"); ?>
    </div>
    </body>
    </html>
     
    gordo147, Apr 13, 2014 IP
  2. Marko Platanic

    Marko Platanic Active Member

    Messages:
    30
    Likes Received:
    5
    Best Answers:
    1
    Trophy Points:
    53
    #2
    http://www.w3schools.com/php/func_mysqli_query.asp

    I think you need to put 2 parameters, SELECT query and connection from database. Look at w3
     
    Marko Platanic, Apr 13, 2014 IP
  3. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #3
    Now first, the riot act. This is 2014, not 2006 -- you have no business using the mysql_ functions; hence the giant red warning boxes in the manual to that end. You should be using PDO or mysqli. (I prefer PDO)... and you'd probably get more meaningful help in the PHP section of these forums.

    That said, your logic makes no sense -- Did you mean for this line:

    $manager = preg_replace('#[^A_Za-z0-9]#i',',', $_POST["manager"]);
    Code (markup):
    to be:

    $manager = preg_replace('#[^A_Za-z0-9]#i',',', $_POST["username"]);
    Code (markup):
    Since given your FORM this is the only way it would make ANY sense? You also aren't encoding your passwords (bad)... there's no reason to be counting rows or doing WHILE since you've got limit 1 set, though really you should have the table set up so you should NEVER get more than one result from that query anyways since usernames should be unique... Of course, dicking around with header redirects when the user is logged in isn't all that great an idea either; neither is up-tree linking an include (meaning your project's directory structure is probably banjaxed).

    You also should NEVER make a query that recovers the password and puts it into $_SESSION; good practice is to make sending passwords mono-directional to the database.

    Oh, and you shouldn't use LIST to show code -- that's why it choked on your doctype -- we have a CODE bbtag as well as a PHP one (I prefer the former because I find colour syntax highlighting completely illegible). They also preserve tabs, which may have helped make understanding your code a bit easier. That said it might help if you had a COMPLETE form -- where are your LABELs and FIELDSET?

    I'm guessing wildly, but your PHP should probably go something like this:
    <?php
    session_start();
    if (isset($_SESSION["manager"])){
    	header("location: index.php");
    	exit();
    }
    
    if (!empty($_POST['username']) && !empty($_POST['password'])) {
    	include('pdoConnect.php'); // should create $db as a connected PDO object
    	$statement = $db->prepare('
    		SELECT id, manager FROM admin
    		WHERE username = :user
    		AND password = :pass
    	');
    	$statement->execute([
    		':user' => $_POST['username'],
    		':pass' => hash('sha256', $_POST['password']) 
    		// you should ALWAYS hash the pass
    	]);
    	if ($row = $statement->fetch(PDO::FETCH_ASSOC)) {
    		$_SESSION["id"] = $row['id'];
    		$_SESSION["manager"] = $row['manager'];
    		header("location: index.php");
    		exit(); // stop here so nothing after the redirect header is sent
    	} else echo 'UberPass Failed - <a href="index.php">Click here</a>';
    }
    ?>
    Code (markup):
    You'd need a different connection php to set up the PDO object instead of the outdated outmoded insecure mysql_ crap. Something like:

    <?php
    	$db = new PDO(
    		'mysql:host=localhost;dbname=yourDatabase', // the mysql DSN key is "host", not "hostname"
    		'userName', // user
    		'xxxxxx' // pass
    	);
    ?>
    Code (markup):
    (though $db being global scope with no callback verification isn't very secure)

    Then there's your form...

    I'd probably have ALL of the above in a function in the template_header since 90%+ of that code would be identical across pages too. If you had a single 'template.php' with two functions (one for header, one for footer, footer including closing out </body> and </html>) you could then pass values like TITLE, META[keywords] and META[desc] to the templateHeader function. For now I'll leave that be.

    There is NO reason to put NAME on a form anymore, well, unless you REALLY need to support Nyetscape 4 style javascripts... Welcome to 1998.

    Labels and inputs are NOT grammatical / flow paragraphs

    Might be better to make the input ID more unique should you want to show more than one login on the page

    Unless you have multiple submit, there is no reason to have name on them, likewise I'd not use ID="button" since that's a VERY generic name to have on a UNIQUE identifier. class="submit" is usually safer since you can target it off the parent if specificity matters.

    ... and of course, actually having SEMANTIC markup and a complete form wouldn't hurt.

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html
    	xmlns="http://www.w3.org/1999/xhtml"
    	lang="en"
    	xml:lang="en"
    ><head>
    
    <meta
    	http-equiv="Content-Type"
    	content="text/html; charset=utf-8"
    />
    
    <meta
    	http-equiv="Content-Language"
    	content="en"
    />
    
    <meta
    	name="viewport"
    	content="width=device-width; height=device-height; initial-scale=1.0"
    />
    
    <link
    	type="text/css"
    	rel="stylesheet"
    	href="screen.css"
    	media="screen,projection,tv"
    />
    
    <title>
    	Admin Homepage
    </title>
    
    </head><body>
    
    <div id="mainWrapper">
    
    <?php
    	include_once("../template_header.php");
    ?>
    
    <div id="maincon">
    	<form id="form1" method="post" action="admin_login.php">
    		<fieldset>
    			<label for="form1_username">Username:</label>
    			<input type="text" id="form1_username" name="username" size="40" />
    			<br />
    			<label for="form1_password">Password:</label>
    			<input type="password" id="form1_password" name="password" size="40" />
    			<br />
    			<input type="submit" class="submit" value="Log In" />
    		</fieldset>
    	</form>
    <!-- #mainCon --></div>
    
    <?php include_once("../template_footer.php");?>
    
    <!-- #mainWrapper --></div>
    
    </body></html>
    Code (markup):
    I'd probably also have something slightly less vague than "form1" on the ID... lemme guess, some steaming pile of crap like Dreamweaver did that?
     
    deathshadow, Apr 13, 2014 IP
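As an added example (not code from the thread or from either poster), here is the login check the reply above describes, written with a PDO prepared statement that looks up the user by name only and then checks the password in PHP with password_hash()/password_verify() rather than comparing a bare sha256 in SQL. It assumes a table named admin with columns id, username and password_hash, and the constants DB_DSN, DB_USER and DB_PASS defined in a config file that is not shown.

```php
<?php
// Added example, not the thread's code. Assumes admin(id, username, password_hash)
// and DB_DSN / DB_USER / DB_PASS defined in an included config file (not shown).

function connect(): PDO {
    return new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // surface query errors as exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                   // use real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Called when an admin account is created: store this, never the plaintext.
function makeHash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns the admin id on success, null on failure. Only the username is bound
// into the query; the password is verified in PHP against the stored hash, so the
// plaintext never reaches the database and no password ever lands in $_SESSION.
function authenticate(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password_hash FROM admin WHERE username = :user LIMIT 1');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch();
    // Verify against a throwaway hash for unknown users so both paths cost about the same time.
    $hash = $row['password_hash'] ?? makeHash('placeholder-not-a-real-password');
    if ($row !== false && password_verify($password, $hash)) {
        return (int) $row['id'];
    }
    return null;
}

session_start();
if (isset($_POST['username'], $_POST['password'])) {
    $id = authenticate(connect(), (string) $_POST['username'], (string) $_POST['password']);
    if ($id === null) {
        echo 'Login failed - <a href="index.php">Click here</a>';
        exit();
    }
    session_regenerate_id(true);   // fresh session id after login, not the pre-login one
    $_SESSION['id'] = $id;
    $_SESSION['manager'] = (string) $_POST['username'];
    header('Location: index.php');
    exit();                        // nothing after a redirect header should be sent
}
```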
  4. gordo147

    gordo147 Peon

    Messages:
    3
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    1
    #4
    Hi Shadow,

    I'm really sorry about the late reply! I did use your advice and I went on to learn a lot! :)
    I've nearly got a fully functional Estore now, the only problems I'm having now are with the cart but they're issues for a different post methinks.

    Anyway thanks a lot for your help!!
     
    gordo147, May 16, 2014 IP