-1

How can I show an error if the user entered an incorrect username or password?

Thanks in advance

if(isset($_POST['submit']))
{
    SignIn();
}
function SignIn()
{
    session_start();   //starting the session for user profile page
    if(!empty($_POST['user']))   //checking the 'user' name which is from Sign-In, is it empty or have some text
    {
        $query = mysql_query ("SELECT * FROM websiteusers WHERE userName = '$_POST[user]' AND pass = '$_POST[pass]'") or die(" db not available" . mysql_error());
        $row = mysql_fetch_array($query) or die(mysql_error());


        if(!empty($row['userName']) and !empty($row['pass']) )
        {
            if ($row['usertype']=="admin")
            {
                session_start ();
                $_SESSION['name'] = $row['fullname'];
                $_SESSION['userID'] = $row['userID'];
                header("location:admin.php");
            }
            elseif ($row['usertype']=='designer')
            {
                session_start ();
                $_SESSION['name'] = $row['fullname'];
                $_SESSION['userID'] = $row['userID'];


                header("location:designer.php");

            }

        }
        else
        {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}
Brian North
Ahsan.okr
  • Are you getting any error messages when you enter a wrong username - password combination, if yes, what is it? – Vagabond Apr 06 '14 at 03:51
  • No message is displayed; it jumps to a blank page – Ahsan.okr Apr 06 '14 at 04:07
  • Just insert `echo "some text";` inside every if-else{} statement to see where the control is taken. And don't forget to disable all the header() functions using `//` before running it. Then let me know. – Vagabond Apr 06 '14 at 04:11
  • As per your comments, I put `echo "some text";` in every if-else{} statement, but control again goes to a blank page, with all header() calls disabled by using `//` – Ahsan.okr Apr 06 '14 at 04:25
  • You need to correct the query given in the mysql_query function; you left the single quotes inside the [ ]. Get a var_dump($_POST) inside the `if(isset($_POST['submit']))` and let me know the output that you get. – Vagabond Apr 06 '14 at 04:37

2 Answers

0

When the user passes a wrong pair of ID and password, mysql_query will return nothing, so mysql_fetch_array will fail too, and finally you will trigger the `or die(mysql_error())` fragment.

Pass only the username to the WHERE statement and check only whether the password matches the one given.

0

Benio summed it up. You are checking it in a wrong way. Instead, you could do something like:

//I hope this die() here is only for testing purpose. 
//In a live version available to public, you should use some better way of
//displaying errors such as exception handling
$query = mysql_query("SELECT * FROM websiteusers WHERE userName = '".mysql_real_escape_string($_POST['user'])."' AND pass = '".mysql_real_escape_string($_POST['pass'])."'") or die(" db not available" . mysql_error());
    if(mysql_num_rows($query)>0){ //this means username and password is found
      //the die() here is not needed, since a match is found, it will fetch it
      $row = mysql_fetch_array($query) or die(mysql_error()); 

        if ($row['usertype']=="admin")
        {
            session_start ();
            $_SESSION['name'] = $row['fullname'];
            $_SESSION['userID'] = $row['userID'];
            header("location:admin.php");
        }
        elseif ($row['usertype']=='designer')
        {
            session_start ();
            $_SESSION['name'] = $row['fullname'];
            $_SESSION['userID'] = $row['userID'];

            header("location:designer.php");

        }

    }
    else //no match for that username and password is found
    {
        echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
    }
}

Note:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

Zoe
AyB
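
The approach the two answers point to (look the user up by name only, then check the password, with a PDO prepared statement), as an added example that is not code from the question or from either answer. It assumes PDO's SQLite driver with an in-memory database and constructed sample users, and that the `pass` column stores `password_hash()` output instead of plain text; `makeSampleDb()` and `signIn()` are hypothetical names.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver (in-memory, so it
// runs offline) and a `pass` column holding password_hash() output.

// Constructed sample data reusing the column names from the question.
function makeSampleDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE websiteusers (userID INTEGER PRIMARY KEY,
        userName TEXT UNIQUE, pass TEXT, fullname TEXT, usertype TEXT)');
    $ins = $db->prepare('INSERT INTO websiteusers
        (userName, pass, fullname, usertype) VALUES (?, ?, ?, ?)');
    $ins->execute(['alice', password_hash('s3cret-demo', PASSWORD_DEFAULT), 'Alice Example', 'admin']);
    $ins->execute(['bob', password_hash('hunter2-demo', PASSWORD_DEFAULT), 'Bob Example', 'designer']);
    return $db;
}

// Returns the user row on success, or null for an unknown user OR a wrong
// password, so the caller shows one generic message for both cases.
function signIn(PDO $db, string $user, string $pass): ?array
{
    // Placeholder binding: the input is never spliced into the SQL text.
    $stmt = $db->prepare('SELECT userID, pass, fullname, usertype
        FROM websiteusers WHERE userName = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    unset($row['pass']);                     // do not carry the hash around
    return $row;
}

$db = makeSampleDb();
// Constructed attempts: correct login, wrong password, and a user name
// containing a quote, which the bound parameter treats as plain data.
$attempts = [['alice', 's3cret-demo'], ['alice', 'wrong'], ["o'neil", 'x']];
foreach ($attempts as [$u, $p]) {
    $row = signIn($db, $u, $p);
    if ($row === null) {
        echo "Incorrect username or password.\n";
    } else {
        // On the real page: session_start(), set $_SESSION['userID'], then
        // header('Location: ...') chosen from usertype, followed by exit.
        echo "Welcome {$row['fullname']} ({$row['usertype']})\n";
    }
}
```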