1

I am attempting to build a password-protected area on my site. However, in my if statement, I'm having trouble determining if the array is empty or not. When the code is run, regardless of what is put into the user/pass fields, it's always testing as true. For reference, the database being accessed only has 1 row, containing 1 user/pass combo. 

function verify(){

  $dbhost = "host";
  $dbname = "db";
  $dbuser = "user";
  $dbpass = "password";


  if (isset($_SESSION['valid_user']))return true;

  $user_name = $_POST["user_name"]; 
  $password = $_POST["password"];

  if ($user_name && $password){ 

    try{ 
      $conn = new PDO("mysql:host=$dbhost;dbname=$dbname",$dbuser,$dbpass);
    }
    catch(PDOException $pe){
      die('Connection error, because: ' .$pe->getMessage());
    }

    $sql = "SELECT user_name FROM users WHERE user_name = ':user_name' AND password = ':password'";     

    $q = $conn->prepare($sql);

    if(!$q){
      die("Execute query error, because: ". $conn->errorInfo());
    }; 

    $q->execute(array(':user_name'=>$user_name, ':password'=>$password));  

    $result = $q->fetchALL();

    if ($result['user_name']=$user_name){ 
      $valid_user = $user_name;
      $_SESSION['valid_user'] = $valid_user;
      return true;
    }
    else{  
      $text = "User Name and Password did not match";
      write_log_in($text);
    }
  }
  else {  
    $text = "This is a secure server. Please log in.";
    write_log_in($text);
  }
}

As a side note, I'm aware that my passwords should be stored in at least an MD5 hash format or something similar. I just wanted to get it working at all before adding in more stuff.

Jamal
  • 763
  • 7
  • 22
  • 32
Ryan
  • 127
  • 1
  • 12
  • `if ($result['user_name']=$user_name){ ` should be `if ($result['user_name']==$user_name){ ` - you're mixing up assignment and comparison operators. – andrewsi Apr 18 '13 at 17:34
  • for info, you can check if a variable is an array with is_array($var) - http://php.net/manual/en/function.is-array.php – RafH Apr 18 '13 at 17:38
  • @andrewsi Thanks for the response, got it fixed now. --RafH Thanks, will read up on that. – Ryan Apr 18 '13 at 17:52

4 Answers4

2

This is your problem

if ($result['user_name']=$user_name){

it should be 

if ($result['user_name']==$user_name){

But why you don't check if you have a result to determine if the user is correct. Because you pass the user in your SQL query.

TheEwook
  • 11,037
  • 6
  • 36
  • 55
  • Thanks for the response. I think what you suggested was what I initially tried. But I was not sure how to check whether the query found results or not. – Ryan Apr 18 '13 at 17:49
1

Missing an equal sign:

if ($result['user_name'] == $user_name){ 
// ----------------------^
SeanWM
  • 16,789
  • 7
  • 51
  • 83
1

$result['user_name']=$user_name should be $result['user_name'] === $user_name.

Also, don't use MD5. Hash the passwords with a slow hashing function like hash_pbkdf2, which is expensive to attack.

Blender
  • 289,723
  • 53
  • 439
  • 496
-1

You could go with : if (mysql_num_rows($result)==0) because if there is no reslut, the user with the entered passwd is incorrect

nicomaquemtl
  • 9
  • 2
  • He's not using mysql_*, though - it's using PDO. – andrewsi Apr 18 '13 at 17:53
  • I was able to find some alternatives using PDO to do the same thing which may prove useful. [link](http://stackoverflow.com/questions/11305230/alternative-for-mysql-num-rows-using-pdo) – Ryan Apr 18 '13 at 18:11