[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Error not displaying if credentials incorrect

Posted on 2016-09-16
12
Medium Priority
?
45 Views
Last Modified: 2016-09-16
I am sure it is something simple but I can't seem to figure out why this is happening. If I put in the correct username and password the message displays. If I put in the incorrect credentials I get a blank page and the error doesn't display. Like I said, it is probably something minor but I can't seem to get it. I tried to see if there was a database error using $link->error; but that didn't produce anything either.

if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			                $result = $link->query($sql);
				        if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password)) {
						
				       echo " valid credentials";

					}
					
					else {
						
							echo "error";
						}
				}
	}

Open in new window

0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801681
The issue is probably in the password_verify() function: please, post here its code.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801690
I don't have code for it. Isn't it a standard php function?

http://php.net/manual/en/function.password-verify.php
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801710
Lol, you're right! I never used it.
Okay, your code is executed only if the query return a result set, so if you type a wrong username the code is not executed and the error message is not executed. You are testing with a wrong username or a wrong password?
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
LVL 31

Accepted Solution

by:
Marco Gasi earned 2000 total points
ID: 41801716
You can try this:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);


			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (password_verify($password, $db_password)) {

					echo " valid credentials";
				} else {

					echo "error";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801778
Okay, it is now at least showing "error" with your code.

I am checking username and password because the SQL query is checking if the username POST is equal to any username in the database. If it is, then it needs to check the password against the hashed password. If there is a match with both then do something like take to admin area otherwise display an error message.

So, I just changed the second echo to "invalid credentials" but even if the login is incorrect it still displays "error". So, why does it show "error" and not "invalid credentials". I don't understand that?


if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
				if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password) && $username == $row['user_username']) {
						
				echo " valid credentials";
				} else {

					echo "invalid credentials";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801784
Because you have changed the first echo, not the second :)
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801787
What is the first echo for if you will never see it?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801799
Look at the code logic:
get username and password from the input
select data from db where username = input username
if query gives result
                check password
                if ok
                        echo 'Valid credentials'
                else
                       echo 'Invalid credentials'
if query gives no result (the username is wrong)
       echo 'error'

That is if username is wrong you see only the last error message, if the username is right but the password is wrong you'll see only the previous error message.
1
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801807
Ah, I see. Do you have any suggestions to change it so that I only have 2 conditions instead of the 3?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801830
Not indeed. You can slightly change the code setting a flag this way:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			if ($error){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

but it doesn't change so mutch: you must check username and password separately anyway.
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801835
I see, not too much different. Okay, at least I understand what is going on now thanks to your great explanation! Thanks again! :)
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801866
Glad to help you.
Anyway, I would use the last snippet here: you have never to give too mutch informations about what went wrong with the login process in order to avoid to help bad guys around. Only one text message like 'Invalid credentials' i good enough.
In addition, the last snippet i more near to the correct code for a function: it should just return the variable $error (never echo from within a function) to the calling code which will use the returned value to print a message:
		function process_login_data($link, $username, $password){
			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			return $error;
		}

//calling code
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			if (process_login_data($link, $username, $password)){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

1

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
There are times when I have encountered the need to decompress a response from a PHP request. This is how it's done, but you must have control of the request and you can set the Accept-Encoding header.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question