I'm a little confused, PHP says $results is a non-object of the mysqli class

Question

I'm trying to fetch results using mysqli->fetch_row() (or fetch_object(), fetch_array()), yet when I go to run the code at run time it gives me the following error:

Fatal error: Call to a member function fetch_row() on a non-object in...on line 23.

The var in question that does this is $results in the code below. $user and $password gain their values from another .php file that this file is being included in so that's not really important at the moment. Now correct me if I'm wrong but if $results is being set = to $db->query($query) then isn't it supposed to inherit the properties of $db aka the mysqli class?

class mySQLHelper{

    public function checkPass($user, $pass){
        global $db;
        $db =  new mysqli();
        $db->connect('localhost', 'root', '', 'mydb');
        if (mysqli_connect_errno()){
            echo 'Can not connect to database';
            echo mysqli_connect_errno(). mysqli_connect_error();
            exit;
            return false;
        }


        $query = "SELECT user, password FROM Users WHERE user = $user AND password = $pass " ;

       echo $query;

        $results = $db->query($query);

        while ($row = $results->fetch_row()){

            echo htmlspecialchars($row->user);
            echo htmlspecialchars($row->password);


        }

        $results->close();

        $url = 'http://'. $_SERVER['HTTP_HOST'].dirname($_SERVER['PHP_SELF'])."/";
        if(!$results){
         //   mysqli_close($db);
          //  header("Location:.$url.login.php&msg=1");

        }

        else{
        //    mysqli_close($db);
        //    header("Location:.$url.featured.php");


        }

    }

}

Answer 1

Your query is failing on this line:

$results = $db->query($query);

Because of this, $results is false - not a result object as you expect.

To fix the issue, you need to add quotes around your variables (or use prepared statements):

$query = "SELECT user, password FROM Users WHERE user = '".$user."' AND password = '".$pass."' " ;

I would suggest updating to use a prepared statement to prevent SQL-injection issues too though:

$stmt = $db->prepare('SELECT user, password FROM Users WHERE user = ? AND password = ?');
$stmt->bind_param('ss', $user, $pass);
$stmt->execute();
$results = $stmt->get_result();

Answer 2

You have to check, if query runs properly:

if ($result = $mysqli->query($query))
{
}

Use: var_dump($results) to check what it contains

Answer 3

Why are you checking if($results) after trying to manipulate it?

This...

$results->close();
//...
if(!$results){
    //...
}

Should be...

if(!$results){
    //...
}
$results->close();

Answer 4

You script is lacking error checking, and therefore the error in the query is not handled.

    $query = "SELECT user, password FROM Users 
    WHERE user = '$user' AND password = '$pass' " ;
    //           ^ quotes needed     

    echo $query;

    $results = $db->query($query);

    // handle a error in the query
    if(!$results)
      die($db->error);

    while ($row = $results->fetch_row()){
        echo htmlspecialchars($row->user);
        echo htmlspecialchars($row->password);
    }

Answer 5

If you user & password field text or varchar, then you need to use single quote around them

$query = "SELECT user, password FROM Users WHERE user = '".$user."' AND password = '".$pass."' " ;