
First, I just wanna say thanks for the help! I've just joined this site and a lot of you guys have been very helpful and patient! (:

So, my problem is with the login form. It allows me to log in even though the wrong information is entered. I'm new to PDO and I've just converted all my MySQL functions to PDO, so I'm positive I went wrong somewhere.

Here is my log in script:

<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
    $user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
    $password_login = preg_replace('^A-Za-z0-9)#i','', $_POST["password_login"]); //filter everything but numbers and letters
    $password_login=md5($password_login);
    $db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $sql = "SELECT id FROM users WHERE username = '$user_login' AND password = '$password_login' LIMIT 1";
    $db->prepare($sql);
    if ($db->execute(array(
        '$user_login' => $user_login,
        '$password_login' => $password_login))); {
        if ($sql->rowCount() > 1){
            while($row = $sql->fetch($sql)){
                $id = $row["id"];
            }
            $_SESSION["id"] = $id;
            $_SESSION["user_login"] = $user_login;
            $_SESSION["password_login"] = $password_login;
            exit("<meta http-equiv=\"refresh\" content=\"0\">");
        } else {
            echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
            exit();
        }
    }
}
?>

and here is the form :

<form action="home.php" method="post">
    <center><input type ="text" size="25" name="User_login" id="user_login" placeholder="username"/>
    <input type ="password" size="25" name="user_password" id="user_password" placeholder="password"/><br />
    <input type ="submit" name="button" id="button" value="login to your account!"/></center>
</form>

Any ideas on how to fix this?

Sergio
user2517092
  • What PDO tutorial are you learning from? – Your Common Sense Jun 25 '13 at 20:16
  • Your `$password_login` preg_replace REGEX string is wrong. – Rob W Jun 25 '13 at 20:19
  • You should pass the variables in $sql correctly: when you use a variable in a string with double quotes, the value will be inserted, not the string $varname itself. – Martin Lantzsch Jun 25 '13 at 20:21
  • Well, I was directed here: http://us3.php.net/manual/en/book.pdo.php and so I've been trying to learn it but it's very confusing. – user2517092 Jun 25 '13 at 20:21
  • The difference I see between your code and [the documentation](http://php.net/manual/en/pdo.prepared-statements.php) is that `$db->prepare( ... )` returns a stmt-object. In all examples the stmt-object is executed, rather than the $db-variable. I am however not sure if that makes any difference. The examples use `?` as a placeholder too and use an array `Array( 'value 1', 'value 2' )` instead of a named array. Not sure if that makes any difference either. – Sumurai8 Jun 25 '13 at 20:37

2 Answers

if ($sql->rowCount() > 1){

That code is invalid, as $sql is a string. I think you should have a $stmt = $db->prepare( ... ); statement, then have $stmt->rowCount instead (but I am not 100% sure).

Sumurai8


PDO Prepared statements will look like (for example):

<?php
// $pdo is an existing PDO connection object
$stmt = $pdo->prepare("SELECT * FROM users WHERE username = :username AND password = :password");
$stmt->bindValue(":username", $_POST['username']);
$stmt->bindValue(":password", md5($_POST['password']));
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC); // PDO has no fetchAssoc() method

var_dump($result);
?>

What you have is not a prepared statement. See if this helps...

<?php
//Login script
if (isset ($_POST["user_login"]) && isset($_POST["password_login"])) {
  $user_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["user_login"]); //filter everything but numbers and letters
  $password_login = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password_login"]); //filter everything but numbers and letters
  $password_login = md5($password_login);
  $db = new PDO('mysql:host=localhost;dbname=socialnetwork', 'root', 'password');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

  try {
    $user_id = false;
    // prepare() returns a PDOStatement; bind, execute and fetch on that object
    $stmt = $db->prepare("SELECT id FROM users WHERE username = :user_login AND password = :password_login LIMIT 1");
    $stmt->bindValue(':user_login', $user_login);
    $stmt->bindValue(':password_login', $password_login);
    $stmt->bindColumn('id', $user_id); // $user_id is filled in by each fetch()
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // PDO has no fetchAssoc() method
    if($user_id){
      $_SESSION["id"] = $user_id;
      $_SESSION["user_login"] = $user_login;
      $_SESSION["password_login"] = $password_login;
      echo '<meta http-equiv="refresh" content="0">'; // see below
      // exit("<meta http-equiv=\"refresh\" content=\"0\">"); // this is WRONG!
    } else {
      echo 'Either the password or username you have entered is incorrect. Please check them and try again!';
      exit();
    }
  } catch(PDOException $e) {
    die("PDO Exception: {$e->getMessage()}");
  } catch(Exception $e) {
    die("Exception: {$e->getMessage()}");
  }
}
?>

See the difference between your prepared statement and mine? Yours is more of a compiled query and not a prepared statement (even though you're using the prepare method).

Rob W
  • According to [the docs](http://php.net/manual/en/pdo.prepared-statements.php) what he does is not totally wrong (except that he executes on $db instead of an $stmt object). – Sumurai8 Jun 25 '13 at 20:32
  • It may not be wrong, but it would be like killing an ant with a .50 cal! It's overkill to make a prepared statement just to run a simple query. – Rob W Jun 25 '13 at 20:33
  • :( Why should I have to handle his errors? This is for example only! – Rob W Jun 25 '13 at 20:35
  • I do see the difference! Thanks. I've tried the code above but unfortunately I get an error message. Do you know where any simplified tutorials are for PDO? – user2517092 Jun 25 '13 at 20:37
  • http://stackoverflow.com/questions/1943069/are-there-good-tutorials-on-how-to-use-pdo few links here. – Rob W Jun 25 '13 at 20:42
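A complete version of the login check the two answers describe, written here as an added example rather than code taken from the question or either answer. It assumes a `users` table with `id`, `username` and `password_hash` columns where `password_hash` holds `password_hash()` output (the question's table stores `md5()` digests), and a low-privilege database account in place of `root`; the account name and password below are placeholders.

```php
<?php
// Added example, not code from the question or either answer. Assumes a
// `users` table with `id`, `username` and `password_hash` columns, where
// `password_hash` holds password_hash() output (the question stores md5()).
function connectDb(): PDO
{
    // Assumed low-privilege application account in place of root; the
    // password is a placeholder that belongs in configuration, not source.
    return new PDO(
        'mysql:host=localhost;dbname=socialnetwork;charset=utf8mb4',
        'socialnetwork_app',
        'CHANGE-ME',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare
        ]
    );
}

// Returns the user id on success, null when username or password is wrong.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // prepare() returns a PDOStatement; execute() and fetch() are called on
    // that object, not on $db, and the values never enter the SQL string.
    $stmt = $db->prepare(
        'SELECT id, password_hash FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // PDO has no fetchAssoc()
    // Compare against the stored hash; the raw password is neither filtered
    // with preg_replace nor pre-hashed with md5 before the check.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// The form's name= attributes must match these keys exactly (the question's
// form posts User_login and user_password, which this script would not see).
if (isset($_POST['user_login'], $_POST['password_login'])) {
    session_start();
    $id = authenticate(connectDb(), $_POST['user_login'], $_POST['password_login']);
    if ($id === null) {
        echo 'Either the password or username you have entered is incorrect.';
        exit();
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['id'] = $id;
    header('Location: home.php');
    exit();
}
```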