Solved

Error not displaying if credentials incorrect

Posted on 2016-09-16
12
30 Views
Last Modified: 2016-09-16
I am sure it is something simple but I can't seem to figure out why this is happening. If I put in the correct username and password the message displays. If I put in the incorrect credentials I get a blank page and the error doesn't display. Like I said, it is probably something minor but I can't seem to get it. I tried to see if there was a database error using $link->error; but that didn't produce anything either.

if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			                $result = $link->query($sql);
				        if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password)) {
						
				       echo " valid credentials";

					}
					
					else {
						
							echo "error";
						}
				}
	}

Open in new window

0
Comment
Question by:Black Sulfur
  • 7
  • 5
12 Comments
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801681
The issue is probably in the password_verify() function: please, post here its code.
0
 

Author Comment

by:Black Sulfur
ID: 41801690
I don't have code for it. Isn't it a standard php function?

http://php.net/manual/en/function.password-verify.php
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801710
Lol, you're right! I never used it.
Okay, your code is executed only if the query return a result set, so if you type a wrong username the code is not executed and the error message is not executed. You are testing with a wrong username or a wrong password?
0
 
LVL 31

Accepted Solution

by:
Marco Gasi earned 500 total points
ID: 41801716
You can try this:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);


			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (password_verify($password, $db_password)) {

					echo " valid credentials";
				} else {

					echo "error";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 

Author Comment

by:Black Sulfur
ID: 41801778
Okay, it is now at least showing "error" with your code.

I am checking username and password because the SQL query is checking if the username POST is equal to any username in the database. If it is, then it needs to check the password against the hashed password. If there is a match with both then do something like take to admin area otherwise display an error message.

So, I just changed the second echo to "invalid credentials" but even if the login is incorrect it still displays "error". So, why does it show "error" and not "invalid credentials". I don't understand that?


if (isset($_POST['login'])) {
		
		$username = $link->real_escape_string($_POST['username']);
		$password = $link->real_escape_string($_POST['password']);

		
		$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
				if ($result->num_rows == 1){
					$row = $result->fetch_assoc();
					$db_password = $link->real_escape_string($row['user_password']);
					if (password_verify($password, $db_password) && $username == $row['user_username']) {
						
				echo " valid credentials";
				} else {

					echo "invalid credentials";
				}
			}else{
				echo "error";
			}
		}

Open in new window

0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801784
Because you have changed the first echo, not the second :)
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:Black Sulfur
ID: 41801787
What is the first echo for if you will never see it?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801799
Look at the code logic:
get username and password from the input
select data from db where username = input username
if query gives result
                check password
                if ok
                        echo 'Valid credentials'
                else
                       echo 'Invalid credentials'
if query gives no result (the username is wrong)
       echo 'error'

That is if username is wrong you see only the last error message, if the username is right but the password is wrong you'll see only the previous error message.
1
 

Author Comment

by:Black Sulfur
ID: 41801807
Ah, I see. Do you have any suggestions to change it so that I only have 2 conditions instead of the 3?
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801830
Not indeed. You can slightly change the code setting a flag this way:
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			if ($error){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

but it doesn't change so mutch: you must check username and password separately anyway.
0
 

Author Comment

by:Black Sulfur
ID: 41801835
I see, not too much different. Okay, at least I understand what is going on now thanks to your great explanation! Thanks again! :)
0
 
LVL 31

Expert Comment

by:Marco Gasi
ID: 41801866
Glad to help you.
Anyway, I would use the last snippet here: you have never to give too mutch informations about what went wrong with the login process in order to avoid to help bad guys around. Only one text message like 'Invalid credentials' i good enough.
In addition, the last snippet i more near to the correct code for a function: it should just return the variable $error (never echo from within a function) to the calling code which will use the returned value to print a message:
		function process_login_data($link, $username, $password){
			$error = false;
			$sql = "SELECT user_username, user_firstname, user_lastname, user_id, user_password, user_role FROM `users` WHERE    user_username = '$username' LIMIT 1";
			$result = $link->query($sql);
			if ($result->num_rows == 1) {
				$row = $result->fetch_assoc();
				$db_password = $link->real_escape_string($row['user_password']);
				if (!password_verify($password, $db_password)) {
					$error = true;
				}
			}else{
				$error = true;
			}
			return $error;
		}

//calling code
		if (isset($_POST['login'])) {

			$username = $link->real_escape_string($_POST['username']);
			$password = $link->real_escape_string($_POST['password']);

			if (process_login_data($link, $username, $password)){
				echo 'Invalid credentials';
			}else{
				echo 'Valid credentials';
			}
		}

Open in new window

1

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
calculated column 12 74
Parts and Products table schema in mysql 6 43
Passing variables to stored procedure 3 34
Php Email function not working with Template 8 38
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now