code won't display the error message in the else statement

Question

I have a bit problem with my basic login sample. The error message in the else statement won't display when the username and password combination is incorrect. Is it because of while loop? I need help, please.

<?php

$db = new PDO('mysql:host=127.0.0.1;dbname=project', 'root', '');

if(isset($_POST['username'], $_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $result = $db->query("SELECT * FROM users WHERE username='$username' AND password='$password'");

    if(empty($username) || empty($password)) {
        echo 'Empty';
    }

    while($row = $result->fetch(PDO::FETCH_OBJ)) {
        if($username == $row->username && $password == $row->password) {
            echo 'Logged in';
        } else {
            echo 'Incorrect username and password combination';
        }
    }
}

When you found the answer to this question, I'd advice you to read up on [SQL-Injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) — Naruto, Oct 10 '16 at 08:59
_"Won't display"_ As in nothing shows up on your screen or is it displaying the "Logged in" echo instead? — Epodax, Oct 10 '16 at 08:59
@Epodax if it is correct combination, it displays "Logged in". If not, it displays nothing (null) — JTrixx16, Oct 10 '16 at 09:31
If $username or $passwords doesn't match any column, query literally return 0. If you use this 0 in while condition it evaluate it as false and no loop happen. Use if statement instead. — Andrej Buday, Oct 10 '16 at 12:42

Sumon Sarker · Answer 1 · 2016-10-10T09:32:59.207

No need to recheck query result. Because, if query success, then fetch() function will return result row, otherwise return false.

Change below code

while($row = $result->fetch(PDO::FETCH_OBJ)) {
    if($username == $row->username && $password == $row->password) {
        echo 'Logged in';
    } else {
        echo 'Incorrect username and password combination';
    }
}

TO

$row = $result->fetch(PDO::FETCH_OBJ);
if($row){
  echo 'Logged in';
}else{
  echo 'Incorrect username and password combination';
}

Note: username field should be unique column, Because of your login purpose.

Rax Weber · Answer 2 · 2016-10-10T09:10:47.820

1

Of course it won't display. It is because when you fetch your results, it returns no rows, or simply empty. That said, code inside the while loop won't execute.

You might as well perform a query that counts the number of rows returned based on the username and password conditions.

$result = $db->query("SELECT COUNT(*) FROM users WHERE username='$username' AND password='$password'");

if (($row = $result->fetchColumn()) != 0) {
    // logged in
}
else {
    // incorrect username and password
}

edited Oct 10 '16 at 09:10

answered Oct 10 '16 at 09:01

Rax Weber

3,730
19
30

so `fetchColumn()` is better way – JTrixx16 Oct 11 '16 at 07:58
Yes, if you only want to select the number of rows/row count that match your condition. – Rax Weber Oct 11 '16 at 08:01

score 0 · Answer 3 · answered Oct 10 '16 at 09:11

Your select statement only returns values if both username and password are correct. So if it isn't correct, the code in your loop won't execute.

Try removing the password-check from your sql-statement:

"SELECT * FROM users WHERE username='$username';"

code won't display the error message in the else statement

3 Answers3