Solved

Error not displaying if credentials incorrect

Posted on 2016-09-16
12
36 Views
Last Modified: 2016-09-16
I am sure it is something simple but I can't seem to figure out why this is happening. If I put in the correct username and password the message displays. If I put in the incorrect credentials I get a blank page and the error doesn't display. Like I said, it is probably something minor but I can't seem to get it. I tried to see if there was a database error using $link->error; but that didn't produce anything either.

if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			                $result = $link->query($sql);
				        if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password)) {
						
				       echo " valid credentials";

					}
					
					else {
						
							echo "error";
						}
				}
	}

Open in new window

0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801681
The issue is probably in the password_verify() function: please, post here its code.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801690
I don't have code for it. Isn't it a standard php function?

http://php.net/manual/en/function.password-verify.php
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801710
Lol, you're right! I never used it.
Okay, your code is executed only if the query return a result set, so if you type a wrong username the code is not executed and the error message is not executed. You are testing with a wrong username or a wrong password?
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 31

Accepted Solution

by:
Marco Gasi earned 500 total points
ID: 41801716
You can try this:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);


			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (password_verify($password, $db_password)) {

					echo " valid credentials";
				} else {

					echo "error";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801778
Okay, it is now at least showing "error" with your code.

I am checking username and password because the SQL query is checking if the username POST is equal to any username in the database. If it is, then it needs to check the password against the hashed password. If there is a match with both then do something like take to admin area otherwise display an error message.

So, I just changed the second echo to "invalid credentials" but even if the login is incorrect it still displays "error". So, why does it show "error" and not "invalid credentials". I don't understand that?


if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
				if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password) && $username == $row['user_username']) {
						
				echo " valid credentials";
				} else {

					echo "invalid credentials";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801784
Because you have changed the first echo, not the second :)
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801787
What is the first echo for if you will never see it?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801799
Look at the code logic:
get username and password from the input
select data from db where username = input username
if query gives result
                check password
                if ok
                        echo 'Valid credentials'
                else
                       echo 'Invalid credentials'
if query gives no result (the username is wrong)
       echo 'error'

That is if username is wrong you see only the last error message, if the username is right but the password is wrong you'll see only the previous error message.
1
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801807
Ah, I see. Do you have any suggestions to change it so that I only have 2 conditions instead of the 3?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801830
Not indeed. You can slightly change the code setting a flag this way:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			if ($error){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

but it doesn't change so mutch: you must check username and password separately anyway.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801835
I see, not too much different. Okay, at least I understand what is going on now thanks to your great explanation! Thanks again! :)
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801866
Glad to help you.
Anyway, I would use the last snippet here: you have never to give too mutch informations about what went wrong with the login process in order to avoid to help bad guys around. Only one text message like 'Invalid credentials' i good enough.
In addition, the last snippet i more near to the correct code for a function: it should just return the variable $error (never echo from within a function) to the calling code which will use the returned value to print a message:
		function process_login_data($link, $username, $password){
			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			return $error;
		}

//calling code
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			if (process_login_data($link, $username, $password)){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

1

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Dump data from mysql to xls php 10 55
php output utf-8 problem 6 51
Convert complicated date to yyyy-mm-dd format 22 50
PHP and accessing Array Elements 3 34
Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Developers of all skill levels should learn to use current best practices when developing websites. However many developers, new and old, fall into the trap of using deprecated features because this is what so many tutorials and books tell them to u…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to count occurrences of each item in an array.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question