Hello there I am trying some sql injections.. in my website to see if it's vulnerable or not so I first did the username/password injection: username='x' or 'x'='x' and password='x' or 'x'='x' so I've got this error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /www/XXXX.com/x/x/x/XXXX/XXXXX/XXXXX.php on line 24

then I've added into the url note=note1' and I've got the same error so my website is not vulnerable how is that and I haven't done anything to increase the security...
thanks.
Your not giving enough info for us to help you.
If you want a real answer, show us the code you're using.
that's the php functions for the login:
function connectMaBase(){
$base = mysql_connect ('websitename', 'user', 'pass');
if (!$base) {
    die('cannot connect to the database, data error' );
}
$db_selected = mysql_select_db ('website', $base) ;
if (!$db_selected) {
   die ('cannot connect to the database, database does not exist' );
}
}

function login($usern,$psd)
{
connectMaBase();
$pass="";
$int=0;
$result1 = mysql_query("select count(username) from user where username='".$usern."'");
while ($row = mysql_fetch_array($result1)) {
   $int=$row{'count(username)'};
   }
   if($int!=0){
$result = mysql_query("SELECT Password FROM user where Username='".$usern."'");
//fetch that data from the database 
while ($row = mysql_fetch_array($result)) {
   $pass=$row{'Password'};
   
   }
   
 if($psd==$pass && $pass!="")
 {
echo "<script type=\"text/javascript\">
 window.location.replace(\"http://nextpageurl\");
</script>";

 }
 elseif($psd!=$pass && $psd!="")
 {
 echo "wrong password";
 }
 }
 else
 {
 echo "you are not a registered user";
 }

//close the connection
mysql_close();

}
and that's the get function in the other page where I am inserting note=note' in the url ...
function finddata($ntn){
connectMaBase();
$int=0;
$txt="";
$result1 = mysql_query("select count(NoteName) from Note where NoteName='".$ntn."'");
while ($row = mysql_fetch_array($result1)) {
   $int=$row{'count(NoteName)'};
   }
   if($int==0){
   $txt="this note does not exist";
    }
else{
$result2 = mysql_query("select NoteText from Note where NoteName='".$ntn."'");
while ($row = mysql_fetch_array($result2)) {
   $txt=$row{'NoteText'};
   }
}
mysql_close();
return $txt;
}
and I have a get form where I have a textarea and a textbox in the textbox you insert the name of the note and you press the find key that executes the findata function and gets you the text of this note....
at first look you have a very ugly code 
<?php 

	public function checkLogin($email=0,$password=0)
	{
		$query = "
					SELECT id
					FROM users
					WHERE email = '$email'
					AND password = '$password'
					AND confirm = '1'
					LIMIT 0,1
		";

		$result = mysql_query($query);
		
		if($result)
		{
			$row = mysql_fetch_object($result);
			return $row;
		}
		else
		{
			return false;
		}
?>
for sql injection they usually test: ' 1 = '1 (watch for the first single quote)
or you can try: '1 = '1'; -- ( the double dash mean ignore the rest )
i guess in your case its not working because you have the username sql statement alone and the password statement alone
rtp wroteat first look you have a very ugly code
why I have an ugly code, ugly as not ordered or ugly as what?
what I need to know is if we fixed those problems by changing the way that the php software deals with it such as easy-php or something or do we still have the problem(SQL injection) but people are now trying to solve it by adding some extra lines to their codes?
your code looks overly complicated for no reason, like having a while inside the sql statement.
the function should be as simple as mine, at least that is my humble opinion.
i use this function for sql injection
mysql_real_escape_string($postString);
I actually have a function just in case i want to change how i safe guard my post i will change it one place and all the website will be fixed as well in just one line of code. The below function should protect aginst SQL INJECTION and XSS if my memory serves me well.
function secure_insert($text="")
{
    $text_new = mysql_real_escape_string(htmlentities($text,ENT_QUOTES));
    return $text_new;
}
ok so with the first function you are removing the special characters such as / ... and the other one you are removing the quotes right?
And I just wanted to know if they did not fix those problems yet by updating the php compilers or we should fix that by inserting some code..? plus do you know why the injection is not working with the url I am placing note=note' order by... but that's not working..
lots of threats to deal with why don't we just use asp.net....
And yeah I know that my code is a little complicated but I just like to return an error message for the exact error.. that's why... :)
i cant remember how it works, but i do remember it works. Yeah mainly adding \ for the single quote and what not and not allowing special characters to be inserted i think.

don't know why its not working but the idea is that you inject OR (something that is true always) that is how you vipass the first statment.
Now what you can do is var_dump($result1) and var_dump($result) and read the sql that is being generated. Try to see if it bypasses by taking it and running it inside phpmyadmin and see at the result...

nobody is stopping you from using asp.net, unless you work for a company then the company is.

sorry don't have time to dig deep into your code and check the problem, i guess you ahve to do it yourself.

if you have some quick questions i will try to help out.
ok, thanks :) just one last thing did not understand what you told me about var_dump($result)... thanks.
var_dump is a function that is used mainly for debugging, its like echo but can go threw array and stuff which make it good for debugging.
use that to see the sql that is being generated and then take the generated sql and play around on phpmyadmin. 
var_dump($sql);
sorry i ment $sql and not the result
for example 
$sql = "select count(username) from user where username='".$usern."'";

var_dump($sql); // this way you can check what is happening to the sql after the sql injection 

mysql_query($sql);
nice, thanks.