Check if username exists and also check if password matches

Question

Hi There Im learning how to use prepared statements. I have figured out how to check of the password and email address match however I wish to have a criteria in the argument check also that the email address is in the system and also the check if the password does not match.

How do I add in 'IF/ELSE' argument to check the email address, then check if the password matches (which it currently does this).

Any help would be appreciated:

$emailAddress = $_POST['emailAddress'];
$password = $_POST['password'];

if ($stmt = $conn->prepare("SELECT `password` FROM `users` WHERE emailAddress=?")) {

    $stmt->bind_param("s", $emailAddress);
    $stmt->execute();

    $stmt->bind_result($result);
    $stmt->fetch();
    $stmt->close();
}


if(password_verify($password, $result)){
    // Login if the email and password matches
    session_start();
    $_SESSION['loggedin'] = true;
    $_SESSION['emailAddress'] = $emailAddress;
    header('Location: ../index.php');
}
else{

    header('Location: ../login.php?error=1');
}

$conn->close();

@u_mulder "I wish to have a criteria in the argument check also that the email address is in the system and also the check if the password does not match." — danjbh, Jun 12 '17 at 19:33
So check if `$result` not empty, then check for password matching. — u_mulder, Jun 12 '17 at 19:36
@Fred-ii- - it's all working fine, I just wanted a way to add in a check to see if the email address matches anything in the database, if not send them back to login.php with an error. — danjbh, Jun 12 '17 at 19:37
Oh I see.. well see one of my answers on this https://stackoverflow.com/a/22253579/1415724 it uses a prepared statement also @danjbh — Funk Forty Niner, Jun 12 '17 at 19:40
@danjbh or you could simply add to your present query, using the `AND` logical operator and bind on those results. — Funk Forty Niner, Jun 12 '17 at 19:42
@Fred-ii- Which is a better method? Adding an `AND` into the query OR using the method provided by u_mulder? — danjbh, Jun 12 '17 at 19:43
@danjbh any which way is fine; I for one would use one query, but that's just me and it avoids more code and function calls. — Funk Forty Niner, Jun 12 '17 at 19:44

score 2 · Accepted Answer · edited Jun 12 '17 at 19:48

Modify you code as:

$emailAddress = $_POST['emailAddress'];
$password = $_POST['password'];

if ($stmt = $conn->prepare("SELECT `password` FROM `users` WHERE emailAddress=?")) {

    $stmt->bind_param("s", $emailAddress);
    $stmt->execute();

    $stmt->bind_result($result);
    $stmt->fetch();

    /** 
     * Another option can be 
     * if ($stmt->fetch()) { 
     */

    if (!empty($result)) {
        // something is found
        if (password_verify($password, $result)){
            // Login if the email and password matches
            session_start();
            $_SESSION['loggedin'] = true;
            $_SESSION['emailAddress'] = $emailAddress;
            header('Location: ../index.php');    // or whatever
            exit;
        } else {
            // No password match
            header('Location: ../login.php?error=1');    // or whatever
            exit;
        }
    } else {
        // No email found
        header('Location: ../login.php?error=2');    // or whatever
        exit;
    }
    $stmt->close();
}

exit's should be added to each header ;-) – Funk Forty Niner Jun 12 '17 at 19:44 — Funk Forty Niner, Jun 12 '17 at 19:44
@Fred-ii- definitely, fixed) – u_mulder Jun 12 '17 at 19:45 — u_mulder, Jun 12 '17 at 19:45
I have opted to use this because I can understand it – danjbh Jun 12 '17 at 19:46 — danjbh, Jun 12 '17 at 19:46

Check if username exists and also check if password matches

1 Answers1