Solved

Error not displaying if credentials incorrect

Posted on 2016-09-16
12
34 Views
Last Modified: 2016-09-16
I am sure it is something simple but I can't seem to figure out why this is happening. If I put in the correct username and password the message displays. If I put in the incorrect credentials I get a blank page and the error doesn't display. Like I said, it is probably something minor but I can't seem to get it. I tried to see if there was a database error using $link->error; but that didn't produce anything either.

if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			                $result = $link->query($sql);
				        if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password)) {
						
				       echo " valid credentials";

					}
					
					else {
						
							echo "error";
						}
				}
	}

Open in new window

0
Comment
Question by:Black Sulfur
  • 7
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801681
The issue is probably in the password_verify() function: please, post here its code.
0
 

Author Comment

by:Black Sulfur
ID: 41801690
I don't have code for it. Isn't it a standard php function?

http://php.net/manual/en/function.password-verify.php
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801710
Lol, you're right! I never used it.
Okay, your code is executed only if the query return a result set, so if you type a wrong username the code is not executed and the error message is not executed. You are testing with a wrong username or a wrong password?
0
Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

 
LVL 31

Accepted Solution

by:
Marco Gasi earned 500 total points
ID: 41801716
You can try this:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);


			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (password_verify($password, $db_password)) {

					echo " valid credentials";
				} else {

					echo "error";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 

Author Comment

by:Black Sulfur
ID: 41801778
Okay, it is now at least showing "error" with your code.

I am checking username and password because the SQL query is checking if the username POST is equal to any username in the database. If it is, then it needs to check the password against the hashed password. If there is a match with both then do something like take to admin area otherwise display an error message.

So, I just changed the second echo to "invalid credentials" but even if the login is incorrect it still displays "error". So, why does it show "error" and not "invalid credentials". I don't understand that?


if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
				if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password) && $username == $row['user_username']) {
						
				echo " valid credentials";
				} else {

					echo "invalid credentials";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801784
Because you have changed the first echo, not the second :)
0
 

Author Comment

by:Black Sulfur
ID: 41801787
What is the first echo for if you will never see it?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801799
Look at the code logic:
get username and password from the input
select data from db where username = input username
if query gives result
                check password
                if ok
                        echo 'Valid credentials'
                else
                       echo 'Invalid credentials'
if query gives no result (the username is wrong)
       echo 'error'

That is if username is wrong you see only the last error message, if the username is right but the password is wrong you'll see only the previous error message.
1
 

Author Comment

by:Black Sulfur
ID: 41801807
Ah, I see. Do you have any suggestions to change it so that I only have 2 conditions instead of the 3?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801830
Not indeed. You can slightly change the code setting a flag this way:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			if ($error){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

but it doesn't change so mutch: you must check username and password separately anyway.
0
 

Author Comment

by:Black Sulfur
ID: 41801835
I see, not too much different. Okay, at least I understand what is going on now thanks to your great explanation! Thanks again! :)
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801866
Glad to help you.
Anyway, I would use the last snippet here: you have never to give too mutch informations about what went wrong with the login process in order to avoid to help bad guys around. Only one text message like 'Invalid credentials' i good enough.
In addition, the last snippet i more near to the correct code for a function: it should just return the variable $error (never echo from within a function) to the calling code which will use the returned value to print a message:
		function process_login_data($link, $username, $password){
			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			return $error;
		}

//calling code
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			if (process_login_data($link, $username, $password)){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

1

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
This article discusses four methods for overlaying images in a container on a web page
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question