
I am pretty new to PHP. I have a MySQL/PHP based backend which connects to a React Native application.

I am handling an invalid username and password, but a right username with a wrong password (and vice versa) is where the app is getting force closed (crashed), as the entered data are not matching with the ones in the database.

Can I know how can I achieve this?

Below is my PHP code for the same.

```php
<?php

include 'DBConfig.php';

$con = mysqli_connect($HostName,$HostUser,$HostPass,$DatabaseName);

// Read the JSON body sent by the React Native app
$json = file_get_contents('php://input');
$obj = json_decode($json,true);

$email = $obj['email'];
$password = $obj['password'];

$Sql_Query = "select * from UserRegistrationTable where email = '$email' and password = '$password' ";

$check = mysqli_fetch_array(mysqli_query($con,$Sql_Query));

if(isset($check)){
    $SuccessLoginMsg = 'Data Matched';
    $SuccessLoginJson = json_encode($SuccessLoginMsg);
    echo $SuccessLoginJson ;

    $response=array();
    // closing parenthesis was missing here in the original
    array_push($response,array("name"=>$check[1], "email"=>$check[2], "password"=>$check[3]));

    echo json_encode(array("Details"=>$response));
}
else{
    $InvalidMSG = 'Invalid Username or Password Please Try Again' ;
    $InvalidMSGJSon = json_encode($InvalidMSG);
    echo $InvalidMSGJSon ;
}

mysqli_close($con);
?>
```
Abhishek D
  • I highly urge you to look into parameterized queries. Your current statement is vulnerable to a very easy hack called "SQL Injection". See Example 3 at [PHP Manual](http://php.net/manual/en/security.database.sql-injection.php) for what SQL Injection is. See this [stackoverflow post](https://stackoverflow.com/a/60496/6009304) for how to avoid it. – Tyler May 17 '18 at 04:59
  • **Never store passwords in clear text!** Only store password hashes! Use PHP's [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php). If you're running a PHP version lower than 5.5 (which I _really_ hope you aren't), you can use the [password_compat library](https://github.com/ircmaxell/password_compat) to get the same functionality. – M. Eriksson May 17 '18 at 05:00
  • @Tyler This is just a demo project which I am using for testing. Will replace this with high level secured connection but as of now, I need to handle the password error. May I know How can I achieve it? – Abhishek D May 17 '18 at 05:03
  • @MagnusEriksson This is just a demo project which I am using for testing. Will replace this with high level secured connection but as of now, I need to handle the password error. May I know How can I achieve it? – Abhishek D May 17 '18 at 05:03
  • @AbhishekDS Devraj verma's answer is a pretty good option. What he changed was your `isset($check)` to use the `mysqli_num_rows` method. – Tyler May 17 '18 at 05:06
  • _"This is just a demo project"_ - There's never a good reason to knowingly write insecure code. Eventually, you will continue on this project or reuse parts. You will then need to remember to basically completely rewrite this code. – M. Eriksson May 17 '18 at 05:10
  • That isn't working @Tyler – Abhishek D May 17 '18 at 05:11
  • Btw, regarding using prepared statements, it doesn't only protect you from attacks, it also helps you to make sure your queries don't break. If someone passes a value containing a single quote or ending with a backslash, your query will break. – M. Eriksson May 17 '18 at 05:12
  • Can you please let us know what your actual issue is with this code? Also, if you're expecting to get JSON back to be used in JS, you need to return an object, not just a single JSON encoded string, since JS doesn't accept those as proper JSON. – M. Eriksson May 17 '18 at 05:22

1 Answer

Hi, I corrected your code, kindly check below:

```php
<?php

include 'DBConfig.php';

$con = mysqli_connect($HostName,$HostUser,$HostPass,$DatabaseName);

// Read the JSON body sent by the React Native app
$json = file_get_contents('php://input');
$obj = json_decode($json,true);

$email = $obj['email'];
$password = $obj['password'];

$Sql_Query = "select * from UserRegistrationTable where email = '$email' and password = '$password' ";

$res = mysqli_query($con,$Sql_Query);

// Check the row count instead of relying on isset() on the fetched row
if(mysqli_num_rows($res)> 0){
    $check = mysqli_fetch_array($res);
    $SuccessLoginMsg = 'Data Matched';
    $SuccessLoginJson = json_encode($SuccessLoginMsg);
    echo $SuccessLoginJson ;

    $response=array();
    // closing parenthesis was missing here in the original
    array_push($response,array("name"=>$check[1], "email"=>$check[2], "password"=>$check[3]));

    echo json_encode(array("Details"=>$response));
}
else{
    $InvalidMSG = 'Invalid Username or Password Please Try Again' ;
    $InvalidMSGJSon = json_encode($InvalidMSG);
    echo $InvalidMSGJSon ;
}

mysqli_close($con);
?>
```
Devraj verma
  • A good answer includes a proper explanation of what you've changed and why. – M. Eriksson May 17 '18 at 05:02
  • May I know how this is different from the existing one? – Abhishek D May 17 '18 at 05:03
  • @MagnusEriksson Hopefully my edit on this question will go through soon. As it adds an explanation about what was changed. – Tyler May 17 '18 at 05:04
  • This isn't working. The app is crashing if I use wrong password. – Abhishek D May 17 '18 at 05:10
  • @AbhishekDS How is it crashing? What is being outputted? – Tyler May 17 '18 at 05:13
  • When I give a correct username with a wrong password, it crashes – Abhishek D May 17 '18 at 05:13
  • @Tyler - I rather have an explanation by the user who wrote it, so we know the actual thought behind it. Less confusion if there are any misunderstandings. – M. Eriksson May 17 '18 at 05:14
  • @MagnusEriksson Good point. Well hopefully the user will help us out there. :) – Tyler May 17 '18 at 05:17
  • @AbhishekDS Like I said, we need more information than "it crashed". – Tyler May 17 '18 at 05:18
  • @Tyler, It is working fine and it accepts the inputs that are in the DB (Correct UN and Pass) but when I enter a correct UN and wrong pass, it doesn't accept and makes the app crash because of this issue. So I want to know how to handle the wrong pass scenario particularly when a correct UN is entered. – Abhishek D May 17 '18 at 05:25
  • @Tyler - In all fairness, we need more info than "I am facing difficulties" in the original question as well. We actually don't know what the real issue is at all. For example, if the front end expects to get JSON back, it will complain if it only gets a json encoded string. Also, the "success" part actually outputs _two_ strings, which will also make the response invalid Json. – M. Eriksson May 17 '18 at 05:25
  • Any help @Tyler – Abhishek D May 17 '18 at 05:49
  • Any help @MagnusEriksson – Abhishek D May 17 '18 at 05:50
  • @AbhishekDS You seem to be misunderstanding. There must be some sort of error happening; a good starting place would be with that invalid JSON that Magnus is talking about. – Tyler May 17 '18 at 05:52
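The fixes the comments on the question and on the answer recommend (a prepared statement, `password_verify()` against a stored hash, and a single JSON object for every outcome instead of two concatenated strings), pulled together as an added example that is not the asker's or the answerer's code. It assumes `DBConfig.php` defines the same `$HostName`, `$HostUser`, `$HostPass` and `$DatabaseName` as in the question, and that the `password` column of `UserRegistrationTable` holds `password_hash()` output written at registration time; the `respond()` helper is hypothetical.

```php
<?php
// Added example, not code from the question or answer. Assumes DBConfig.php
// defines $HostName, $HostUser, $HostPass, $DatabaseName and that the
// password column stores password_hash($plain, PASSWORD_DEFAULT) output.
header('Content-Type: application/json');

include 'DBConfig.php';

// Raise exceptions on MySQL errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect($HostName, $HostUser, $HostPass, $DatabaseName);

$obj = json_decode(file_get_contents('php://input'), true);
$email = isset($obj['email']) ? (string) $obj['email'] : '';
$password = isset($obj['password']) ? (string) $obj['password'] : '';

// Hypothetical helper: exactly one JSON object is echoed per request, so the
// client never has to parse two back-to-back json_encode() results.
function respond(array $payload, int $status = 200): void {
    http_response_code($status);
    echo json_encode($payload);
    exit;
}

if ($email === '' || $password === '') {
    respond(['success' => false, 'message' => 'Email and password are required'], 400);
}

// Prepared statement: the email is a bound parameter, never part of the SQL text,
// so a quote or backslash in the input can neither break nor alter the query.
$stmt = mysqli_prepare($con,
    'SELECT name, email, password FROM UserRegistrationTable WHERE email = ? LIMIT 1');
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $name, $dbEmail, $hash);
$found = mysqli_stmt_fetch($stmt);   // true when a row was fetched, null when none
mysqli_stmt_close($stmt);
mysqli_close($con);

// The stored value is a hash, so the submitted password is checked with
// password_verify(). Unknown email and wrong password give the same message,
// and the password hash is not echoed back to the client.
if ($found && password_verify($password, $hash)) {
    respond(['success' => true, 'message' => 'Data Matched',
             'Details' => ['name' => $name, 'email' => $dbEmail]]);
}
respond(['success' => false, 'message' => 'Invalid Username or Password Please Try Again'], 401);
```

With this shape the React Native side always receives one parseable object with a `success` flag, whichever of the username/password combinations from the question was sent.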