
I have a database with 4 tables: 2 for private users and 2 for business users. For some reason, when I try to log in using the email of a business user it doesn't work, but the username works, and with the private tables it works. Here's my code. If I didn't explain it properly, tell me and I'll try my best to explain it again.

    // Login handler: looks the submitted identifier up in the private-user tables
    // first and, if the password does not verify there, in the business-user tables.
    $password = $_POST['password'];
    $emailuser = $_POST['unameemail'];
    // NOTE(review): the password is never placed in a query, yet it is escaped here.
    // Escaping changes the bytes later handed to password_verify(), so a password
    // containing a quote or backslash would not match its stored hash.
    $password = mysqli_real_escape_string($sql , $password); 
    $emailuser = mysqli_real_escape_string($sql , $emailuser); 
    // NOTE(review): the query below is built by interpolating $emailuser into the
    // SQL text and relies on escaping alone; a prepared statement with bound
    // parameters removes that dependency.
    // NOTE(review): username/email are unqualified and SELECT * spans both joined
    // tables; if both tables carry a column of the same name, the WHERE clause is
    // ambiguous and the associative row keeps only one of them - confirm against
    // the schema.
    $pwcheck = "
    SELECT * FROM private AS p 
    INNER JOIN user_private_data 
    AS c ON p.id = c.id 
    WHERE username='$emailuser' OR email='$emailuser'"; // part that works fine 
    // The return value of mysqli_query() is not checked; on a failed query it is
    // false and is passed straight to mysqli_fetch_array().
    $resultcheck = mysqli_query($sql , $pwcheck); // part that works fine 
    // When no row matches, $rowcheck is not an array and the index read on the next
    // line happens anyway (this is what fills the error log for unknown users).
    $rowcheck = mysqli_fetch_array($resultcheck , MYSQLI_ASSOC); // part that works fine 
    $hash = $rowcheck['password']; // part that works fine 
    // password_verify() returns a boolean; the "!= 0" below is a loose comparison
    // against it.
    $hash_pwd = password_verify($password , $hash);
    if ($hash_pwd != 0) {
        // Private account verified: mark the session as logged in and redirect.
        $_SESSION['username'] = $rowcheck['username']; // part that works fine  
        $_SESSION['logged'] = true; // part that works fine 
        header("refresh:0;url=../blablabla.php");     // part that works fine                   
    } else {
        // Fallback: the same lookup against the business tables, with the same
        // interpolated identifier and the same unchecked query result.
        $privateuser = "
        SELECT * FROM business AS d 
        INNER JOIN user_business_data 
        AS j ON d.id = j.id 
        WHERE username='$emailuser' OR email='$emailuser'"; // doesn't work
        // If this query fails, mysqli_query() returns false and nothing is reported
        // unless mysqli error reporting is enabled - check mysqli_error($sql) here.
        $resultprivate = mysqli_query($sql , $privateuser); // doesn't work
            $rowprivate = mysqli_fetch_array($resultprivate , MYSQLI_ASSOC);
        $hashprivate = $rowprivate['password'];
        $hash_private = password_verify($password , $hashprivate);
        if ($hash_private != 0) {

            // Business account verified: record the session as a business login.
            $_SESSION['username'] = $rowprivate['username'];
            $_SESSION['logged'] = true;
            $_SESSION['business'] = $rowprivate['bname'];
            $_SESSION['type'] = 'business';
    // The brace below closes the inner "if"; the "else" opened above is not closed
    // within this excerpt.
} 
moran
  • please sanitize your input values before parsing into your query. this script is very well vulnerable to SQL injection. – Rotimi Feb 07 '17 at 14:40
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Feb 07 '17 at 14:40
  • this is the login page not the registeration page – moran Feb 07 '17 at 14:41
  • 3
    "does not work" is not enough. what error do you get when you get to mysqli_query for the business user? – Rotimi Feb 07 '17 at 14:42
  • in the registration page I already have prepared statesments and MYSQLI – moran Feb 07 '17 at 14:42
  • I don't get one it's quite weird..... – moran Feb 07 '17 at 14:42
  • 1
    I'm guessing that the missing `}` in the end is just a copy/paste-mistake? – M. Eriksson Feb 07 '17 at 14:43
  • Add `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);` to the top of your script. This will force any `mysqli_` errors to generate an Exception that you cannot miss or ignore. – RiggsFolly Feb 07 '17 at 14:44
  • no, it closes the else section – moran Feb 07 '17 at 14:45
  • run the query on your phpmyadmin and verify you actually get a result – Rotimi Feb 07 '17 at 14:46
  • A heads up. You might want to check if you actually got any result before trying to use: `$rowcheck['password']` and `$rowprivate['password']`. It helps from making your error log eating all the disk space. – M. Eriksson Feb 07 '17 at 14:47
  • @moran - How can a missing closing brace close anything? – M. Eriksson Feb 07 '17 at 14:48
  • @MagnusEriksson Do you mean something like that? `if (mysqli_num_rows($resultcheck) > 0) { $hash = $rowcheck['password']; $hash_pwd = password_verify($password , $hash); }` – moran Feb 07 '17 at 14:50
  • you need to check if there is actually a result before attempting to fetch anything. use num_rows. if there isn't, handle the error accordingly – Rotimi Feb 07 '17 at 14:51
  • wait i think i know why, sec guys – moran Feb 07 '17 at 15:07
  • well it works and im just plain stupid. thanks guys :/ – moran Feb 07 '17 at 15:08
  • If you've found a solution, please do go ahead and post it as an answer here. It might just be useful for someone regardless of how trivial the error was. – Dhruv Saxena Feb 08 '17 at 16:40

1 Answer


Try this: you need to check that the query actually returned a result before fetching from it. I assume the variable $sql is defined in your connection script.

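<?php

// Login handler: verifies the submitted credentials against the private-user
// tables first and, failing that, against the business-user tables.

// Read the submitted credentials. Anything that is not a plain string is
// treated as empty so it can never be bound or verified as something else.
$password = (isset($_POST['password']) && is_string($_POST['password'])) ? $_POST['password'] : '';
$emailuser = (isset($_POST['unameemail']) && is_string($_POST['unameemail'])) ? $_POST['unameemail'] : '';

// The password is deliberately NOT passed through mysqli_real_escape_string():
// it never enters a query, and escaping would change the bytes handed to
// password_verify(), so passwords containing quotes or backslashes would fail.

/**
 * Runs one login lookup with the identifier bound to both placeholders.
 *
 * @param mysqli $db         Open connection.
 * @param string $query      SQL text containing exactly two "?" placeholders.
 * @param string $identifier Submitted username or e-mail address.
 *
 * @return array|null The first matching row as an associative array, or null
 *                    when the statement fails or no row matches.
 */
$fetchLoginRow = function ($db, $query, $identifier) {
    $stmt = mysqli_prepare($db, $query);
    if ($stmt === false) {
        // Surface the reason instead of failing silently (e.g. an ambiguous
        // column name in the join would show up here).
        error_log('login lookup prepare failed: ' . mysqli_error($db));
        return null;
    }

    $row = null;
    mysqli_stmt_bind_param($stmt, 'ss', $identifier, $identifier);
    if (mysqli_stmt_execute($stmt)) {
        // mysqli_stmt_get_result() requires the mysqlnd driver.
        $result = mysqli_stmt_get_result($stmt);
        if ($result !== false) {
            $row = mysqli_fetch_array($result, MYSQLI_ASSOC);
            mysqli_free_result($result);
        }
    } else {
        error_log('login lookup execute failed: ' . mysqli_stmt_error($stmt));
    }
    mysqli_stmt_close($stmt);

    return is_array($row) ? $row : null;
};

// NOTE(review): username/email are unqualified and SELECT * spans both joined
// tables; if both tables carry a column of the same name, the WHERE clause is
// ambiguous and the associative row keeps only one of them - confirm against
// the schema and list the needed columns explicitly.
$pwcheck = "
            SELECT * FROM private AS p 
            INNER JOIN user_private_data 
            AS c ON p.id = c.id 
            WHERE username = ? OR email = ?";
$rowcheck = $fetchLoginRow($sql, $pwcheck, $emailuser);

// Only read the hash once a row is known to exist.
if ($rowcheck !== null && password_verify($password, $rowcheck['password']) === true) {
    // NOTE(review): regenerating the session id at this point (session_regenerate_id)
    // is the usual defence against session fixation; the session start is not
    // visible in this snippet, so it is left as a recommendation.
    $_SESSION['username'] = $rowcheck['username'];
    $_SESSION['logged'] = true;
    header("refresh:0;url=../blablabla.php");
} else {
    $privateuser = "
                SELECT * FROM business AS d 
                INNER JOIN user_business_data 
                AS j ON d.id = j.id 
                WHERE username = ? OR email = ?";
    $rowprivate = $fetchLoginRow($sql, $privateuser, $emailuser);

    if ($rowprivate !== null && password_verify($password, $rowprivate['password']) === true) {
        $_SESSION['username'] = $rowprivate['username'];
        $_SESSION['logged'] = true;
        $_SESSION['business'] = $rowprivate['bname'];
        $_SESSION['type'] = 'business';
    } else {
        // No matching account or wrong password. The session is left untouched;
        // report the same generic failure in both cases so the response does
        // not reveal which identifiers exist.
    }
}
?>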
Rotimi