Else statement is not applying

Question

Why does the last else statement in my PHP code is not working? When I entered non-existing accounts, it is not displaying the "Incorrect email or password" error message.

<?php

include("connection.php");

$email_id = $password = $emailErr = $passErr = $loginErr = "";

if(isset($_POST["butLogin"])){
    if(empty($_POST["email_id"])){
        $emailErr = "This field cannot be empty!";
    }else{
        $email_id = $_POST["email_id"];
    }

    if(empty($_POST["password"])){
        $passErr = "This field cannot be empty!";
    }else{
        $password = $_POST["password"];
    }

    if($email_id && $password){
        $check_record = mysqli_query($connection, "SELECT * FROM user WHERE password = '$password' AND email = '$email_id'");

        if (mysqli_num_rows($check_record) > 0 ){
            $row = mysqli_fetch_assoc($check_record);
            if(($email_id == $row['email']) && ($password == $row['password'])){
                if($row['user_type'] == 1){
                    header("Location: /php/admin/index");
                }else{
                    header("Location: /php/user/index");
                }
            }else{
                $loginErr = "Incorrect email or password.";
            }   
        }
    }
}
?>

First off take a look @ [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) & storing real passwords in a table is a really bad idea. — Alex K., Jun 19 '18 at 15:23
Because you're never hitting it, because `SELECT * FROM user WHERE password = '$password' AND email = '$email_id'` returns 0 rows. — aynber, Jun 19 '18 at 15:24
just a note you can use ternary statements to reduce lines: `$passErr = (empty($_POST['password']) ? 'this field cannot be empty' : $_POST['password'] )` — treyBake, Jun 19 '18 at 15:36
Note that the line `if(($email_id == $row['email']) && ($password == $row['password']))` is completely useless, because you've already ensured that the email and password match with your query. — Greg Schmidt, Jun 19 '18 at 15:38
Yeah you're right, my bad for not noticing it. Thank you everyone! I just saw it in a tutorial btw. — Nico Loco, Jun 19 '18 at 15:40

score 0 · Accepted Answer · answered Jun 19 '18 at 15:29

If account doesn't exist, mysqli_num_rows will return 0. You should move the else condition in that block.

    if (mysqli_num_rows($check_record) > 0 ){
        $row = mysqli_fetch_assoc($check_record);
        if(($email_id == $row['email']) && ($password == $row['password'])){
            if($row['user_type'] == 1){
                header("Location: /php/admin/index");
            }else{
                header("Location: /php/user/index");
            }
        }   
    } else{
        $loginErr = "Incorrect email or password.";
    }

Thank you! but now it's displaying "incorrect email or password" that supposed to be displayed **after** I enter something. P.S. I get it now, but why does the last else is triggering? — Nico Loco, Jun 19 '18 at 16:38

score 0 · Answer 2 · answered Jun 19 '18 at 15:32

The else statement will never get touched because it is checked on the wrong conditional. If the query returns 0, that is because there is no email/password combination found, but you do not handle this case.

Move your else statement to look like the following:

if($email_id && $password){
    $check_record = mysqli_query($connection, "SELECT * FROM user WHERE password = '$password' AND email = '$email_id'");

    if (mysqli_num_rows($check_record) > 0 ){

       "QUERY PROCESSING HERE"

    }else{
            $loginErr = "Incorrect email or password.";
    }
}

Thank you! but now it's displaying "incorrect email or password" that supposed to be displayed after I enter something. P.S. I get it now, but why does the last else is triggering? — Nico Loco, Jun 19 '18 at 16:45

Else statement is not applying

2 Answers2