
This is the code which shows the errors that have to be shown in my login system:

<?php

include 'session.php';

if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'Please enter a username and password.';
    } else if (user_exists($username) === false) {
        $errors[] = 'The username or password is incorrect.';
    }
    print_r($errors);
}

?>

And this is the code that performs the query on the database, the function 'user_exists' which I used in the code above.

<?php

function user_exists($username) {
    $username = sanitize($username);
    return (mysql_result(mysql_query("SELECT COUNT(customerNumber) FROM customers WHERE username = '$username'"), 0) == 1) ? true : false;
}

?>

So when the username/password-combination is wrong, login.php should obviously say 'The username or password is incorrect.'. However, when I try to log in with the correct username and password (from my database), it also says 'The username or password is incorrect.'. So what is wrong with this code?

Jay Blanchard
  • You aren't even checking the password against the records, although that isn't the cause of this problem. – Flosculus Apr 28 '15 at 15:47
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 28 '15 at 16:06

1 Answer

If I understand your problem correctly, this line is the real problem: it always returns false from here because your customer count on row 0 is not equal to 1, so every time it returns false.

return (mysql_result(mysql_query("
        SELECT COUNT(customerNumber) FROM customers WHERE 
        username = '$username'"), 0) == 1) ? true : false;

From PHP Manual User Notes

mysql_result() will throw E_WARNING if mysql_query returns 0 rows. This is unlike any of the mysql_fetch_* functions so be careful of this if you have E_WARNING turned on in error_reporting(). You might want to check mysql_num_rows() before calling mysql_result()

As Per Comment:

 function user_exists($username) {
    $username = sanitize($username);
    $result=mysql_result(mysql_query("SELECT COUNT(customerNumber) FROM customers WHERE username = '$username'"), 0);
    print $result; //see what it returns
    die();  //remove this line after your debugging.
    return ($result == 1) ? true : false;
}
Always Sunny
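
The comments above point out that the password is never checked and recommend prepared statements with PDO. As an added example (not code from the question or the answer), the following does both; the in-memory SQLite database, the `password_hash` column and the `verify_login` name are assumptions made for the illustration.

```php
<?php
// Added example: constructed schema and data; the password_hash column is an assumption.

function verify_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps the username out of the SQL text, so no sanitize() is needed.
    $stmt = $pdo->prepare('SELECT password_hash FROM customers WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // Verify against a dummy hash for unknown users so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('dummy-password', PASSWORD_DEFAULT);

    $ok = password_verify($password, $hash === false ? $dummy : $hash);
    return $ok && $hash !== false;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (
    customerNumber INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO customers (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$attempts = [
    ['alice', 'correct horse'],   // existing user, right password
    ['alice', 'wrong'],           // existing user, wrong password
    ['bob', 'anything'],          // unknown user
    ["o'brien", 'x'],             // apostrophe is bound as plain data
];
foreach ($attempts as [$u, $p]) {
    $errors = [];
    if ($u === '' || $p === '') {
        $errors[] = 'Please enter a username and password.';
    } elseif (!verify_login($pdo, $u, $p)) {
        $errors[] = 'The username or password is incorrect.';
    }
    printf("%-12s => %s\n", $u, $errors ? $errors[0] : 'login ok');
}
```

Both failure cases return the same message, so the response does not reveal whether a username exists.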