1

I've been trying to authenticate user input using the mysqli_fetch_assoc function. It works, i.e. it redirects the user to the home page when the username and password are correct, but it doesn't display the error message(s) when the inputs are incorrect. However, it displays the username error message when the username is incorrect case-wise. Please, how do I fix it? Here is the code:

$username  = $password =  "";
$username_err = $password_err  = "";
//testing input values
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    //processing username input
    if (empty($_POST['username'])) {
        $username_err = " *username is required!";      
    }else{                              //if field is not empty
        $username = test_input($_POST['username']);
    }

    //processing password input
    if (empty($_POST['password'])) {
        $password_err = " *password is required!";
    }elseif (strlen($_POST['password']) < 8) {
        $password_err = " *password must not be less than 8 characters!";
    }else{                          //if field is not empty
        $password = md5($_POST['password']);
    }

    //comparing user input with stored details
    $sql = "SELECT * FROM users_log WHERE Username = '$username' AND Password = '$password'";
    $result = mysqli_query($dbconn, $sql);
    $row = mysqli_fetch_assoc($result);

    if ($row) {
        if ($row['Username'] != $username ) {
            $username_err = "Incorrect Username";
        }elseif ($row['Password'] != $password ) {
            $password_err = "Incorrect Password";
        }else{
            header("location:../home/homeIndex.php");
        }
    }

}

function test_input($input){
    $input = trim($input);
    $input = stripslashes($input);
    $input = htmlspecialchars($input);
    return $input;
}

The HTML output:

<span><?php echo "$username_err<br>"; ?></span>
        <input type="text" name="username"  class="form-control" placeholder="Username" size="30">
        </div><br>


        <span><?php echo "$password_err<br>"; ?></span>
        <input type="password" name="password"  class="form-control" placeholder="Password" size="30" >
        </div><br>
henrie
  • 1
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Apr 13 '18 at 10:57
  • 1
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Apr 13 '18 at 10:57
  • 1
    [The HTML5 placeholder attribute is not a substitute for the label element](http://www.456bereastreet.com/archive/201204/the_html5_placeholder_attribute_is_not_a_substitute_for_the_label_element/) – Quentin Apr 13 '18 at 10:57
  • Thank you very much for the advice. I'm definitely going to research that, but for now I just want to get the system working, after which I'll progress to error handling and security. – henrie Apr 13 '18 at 11:19

3 Answers

1
if ($row) {
        if ($row['Username'] != $username ) {
            $username_err = "Incorrect Username";
        }elseif ($row['Password'] != $password ) {
            $password_err = "Incorrect Password";
        }else{
            header("location:../home/homeIndex.php");
        }
    }

Data inside the $row will execute when the condition is true. So use the if condition like this:

if ($row) {
    header("location:../home/homeIndex.php");
    exit; // stop the script so nothing else runs after the redirect
} else {
    $username_err = "Incorrect Username Or Password";
}

Hope this will resolve your issue.

Kamran Sohail
0

You are wrapping the incorrect-username conditions inside if($row). This is not going to work, as inside the query you are checking for both username and password, but in case any of these is wrong, the query is going to return 0 results, which means if($row) is negative and anything inside it will not work. Try the below:

if ($row) {
    header("location:../home/homeIndex.php");
    exit; // stop the script so nothing else runs after the redirect
} else {
    $error = "Incorrect Username or password";
}

Why this, and $error = "Incorrect username or password"? It's because you are not actually checking username and password individually to say whether the username is incorrect or the password is incorrect. You are checking them both together, which makes if($row) not work as you want, so you'd better try the above one.

Arsh Singh
  • Thank you very much, but does this mean I can't authenticate the inputs individually? – henrie Apr 13 '18 at 11:21
  • @henrie Not really. What you can do is create a query for checking the username; if there is a username, then proceed to check username and password both. If no username is present in the database, then you can show an error for the username; if it's present, then you check for both together, and if both together return invalid, then it's the password that is wrong. – Arsh Singh Apr 13 '18 at 11:29
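
A hardened version of the login check discussed in the answers and in Quentin's comments, as an added example that is not code from the question or from any answer. It looks the user up with a prepared statement, checks the password with password_verify(), and reports one generic error. The names authenticate() and $login_err are hypothetical; it assumes $dbconn is an open mysqli connection and that users_log.Password holds password_hash() output instead of the md5() digest.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: $dbconn is an open mysqli connection; users_log.Password
// stores password_hash() output rather than the md5() digest from the question.

function authenticate(mysqli $db, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Password FROM users_log WHERE Username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch() === true;   // fetch() gives null when no row matched
    $stmt->close();

    // Verify against a dummy hash when the user is unknown, so both
    // failure paths do comparable work.
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-dummy-value', PASSWORD_DEFAULT);
    $ok = password_verify($password, $found ? $storedHash : $dummyHash);

    return $found && $ok;
}

$username  = '';
$login_err = '';

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';    // never trimmed, escaped or pre-hashed

    if ($username === '' || $password === '') {
        $login_err = 'Username and password are required';
    } elseif (authenticate($dbconn, $username, $password)) {
        session_start();
        session_regenerate_id(true);         // fresh session id after login
        $_SESSION['username'] = $username;
        header('Location: ../home/homeIndex.php');
        exit;                                // stop before any form output
    } else {
        // Reached whenever the lookup or the hash check fails.
        $login_err = 'Incorrect username or password';
    }
}
?>
<span><?php echo htmlspecialchars($login_err, ENT_QUOTES, 'UTF-8'); ?></span>
```

Rows that still hold md5() digests will not verify against password_verify(); those accounts need a password reset or a rehash at their next successful login.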
0

If the username or password is incorrect, the $result must be empty. Check if !empty($result).

lexcasa