Solved

Error not displaying if credentials incorrect

Posted on 2016-09-16
Last Modified: 2016-09-16
I am sure it is something simple but I can't seem to figure out why this is happening. If I put in the correct username and password the message displays. If I put in the incorrect credentials I get a blank page and the error doesn't display. Like I said, it is probably something minor but I can't seem to get it. I tried to see if there was a database error using $link->error; but that didn't produce anything either.

if (isset($_POST['login'])) {

	$username = $link->real_escape_string($_POST['username']);
	$password = $link->real_escape_string($_POST['password']);

	$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
	$result = $link->query($sql);
	if ($result->num_rows == 1) {
		$row = $result->fetch_assoc();
		$db_password = $link->real_escape_string($row['user_password']);
		if (password_verify($password, $db_password)) {
			echo " valid credentials";
		} else {
			echo "error";
		}
	}
}

0
Question by:Black Sulfur
12 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801681
The issue is probably in the password_verify() function: please, post here its code.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801690
I don't have code for it. Isn't it a standard php function?

http://php.net/manual/en/function.password-verify.php
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801710
Lol, you're right! I never used it.
Okay, your code is executed only if the query returns a result set, so if you type a wrong username the code is not executed and the error message is not displayed. Are you testing with a wrong username or a wrong password?
0
 
LVL 31

Accepted Solution

by:
Marco Gasi earned 500 total points
ID: 41801716
You can try this:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);


			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (password_verify($password, $db_password)) {

					echo " valid credentials";
				} else {

					echo "error";
				}
			}else{
				echo "error";
			}
		}

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801778
Okay, it is now at least showing "error" with your code.

I am checking username and password because the SQL query is checking if the username POST is equal to any username in the database. If it is, then it needs to check the password against the hashed password. If there is a match with both then do something like take to admin area otherwise display an error message.

So, I just changed the second echo to "invalid credentials", but even if the login is incorrect it still displays "error". So why does it show "error" and not "invalid credentials"? I don't understand that.


if (isset($_POST['login'])) {

	$username = $link->real_escape_string($_POST['username']);
	$password = $link->real_escape_string($_POST['password']);

	$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE user_username = '$username' LIMIT 1";
	$result = $link->query($sql);
	if ($result->num_rows == 1) {
		$row = $result->fetch_assoc();
		$db_password = $link->real_escape_string($row['user_password']);
		if (password_verify($password, $db_password) && $username == $row['user_username']) {
			echo " valid credentials";
		} else {
			echo "invalid credentials";
		}
	} else {
		echo "error";
	}
}

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801784
Because you have changed the first echo, not the second :)
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801787
What is the first echo for if you will never see it?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801799
Look at the code logic:
get username and password from the input
select data from db where username = input username
if query gives result
        check password
        if ok
                echo 'Valid credentials'
        else
                echo 'Invalid credentials'
if query gives no result (the username is wrong)
        echo 'error'

That is, if the username is wrong you see only the last error message; if the username is right but the password is wrong, you'll see only the previous error message.
1
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801807
Ah, I see. Do you have any suggestions to change it so that I only have 2 conditions instead of the 3?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801830
Not really. You can slightly change the code by setting a flag this way:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			if ($error){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

but it doesn't change so much: you must check username and password separately anyway.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801835
I see, not too much different. Okay, at least I understand what is going on now thanks to your great explanation! Thanks again! :)
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801866
Glad to help you.
Anyway, I would use the last snippet here: you should never give too much information about what went wrong with the login process, so as not to help the bad guys. A single text message like 'Invalid credentials' is good enough.
In addition, the last snippet is closer to the correct code for a function: it should just return the variable $error (never echo from within a function) to the calling code, which will use the returned value to print a message:
		function process_login_data($link, $username, $password){
			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			return $error;
		}

//calling code
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			if (process_login_data($link, $username, $password)){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

1
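
The single-message login check discussed in this thread, as an added example that is not part of the thread or any poster's code: it swaps `real_escape_string()` for a mysqli prepared statement and passes the unescaped password to `password_verify()`. The function names `fetch_user` and `check_login`, the dummy hash and the sample row are assumptions made for illustration; the table and column names are the ones used in the question.

```php
<?php
// Look up one user with a prepared statement, so no manual escaping is needed.
// Returns null for an unknown user or a failed query. With mysqli exception
// reporting enabled, failures throw instead and should be caught by the caller.
function fetch_user(mysqli $link, string $username): ?array
{
    $stmt = $link->prepare(
        'SELECT user_id, user_username, user_password, user_role
           FROM `users` WHERE user_username = ? LIMIT 1'
    );
    if ($stmt === false) {
        error_log('login lookup failed: ' . $link->error);
        return null;
    }
    $stmt->bind_param('s', $username);
    $result = $stmt->execute() ? $stmt->get_result() : false;
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Returns true only when the row exists and the password matches its hash.
function check_login(?array $row, string $password): bool
{
    // Constructed dummy hash, verified when the user does not exist so that
    // both failure paths run one password_verify() call.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);

    $hash = $row['user_password'] ?? $dummy;
    // The raw password is verified: escaping it first would change any
    // password that contains quotes or backslashes.
    return password_verify($password, $hash) && $row !== null;
}

// On a real page: check_login(fetch_user($link, $_POST['username']), $_POST['password'])
// Constructed sample row standing in for a fetch_user() result.
$alice = ['user_id' => 1, 'user_username' => 'alice', 'user_role' => 'admin',
          'user_password' => password_hash("it's-a-secret", PASSWORD_DEFAULT)];

$attempts = [[$alice, "it's-a-secret"], [$alice, 'wrong'], [null, 'anything']];
foreach ($attempts as [$row, $password]) {
    // One message for every failure, whether the username or the password was wrong.
    echo check_login($row, $password) ? "Valid credentials\n" : "Invalid credentials\n";
}
```

The sample password contains an apostrophe on purpose: passed through `real_escape_string()` it would become `it\'s-a-secret` and no longer match a hash created from the original string.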
