
I've been stuck on this for some time and I don't seem to be able to figure out what the issue is. I am making a very simple, basic sign in page for my project, however I can't seem to get my 'else' statement to work.

When a username and password are entered correctly, I can successfully get the Sign In message to show up; however, if I enter the username and password incorrectly, I would want to have no results and still show the 'Incorrect username or password' message, but it always shows as blank.

PS: I know about sessions and the rest, I just want to get this sorted before I even attempt to work on those.

I looked elsewhere in the past few hours but I was unable to find any help that could help me troubleshoot.

$user_name = $_POST['username'];
$user_password = $_POST['password'];


if (isset($_POST["username"], $_POST["password"]))  {

    $results = $pdo->query("SELECT user_name, user_password FROM users WHERE user_name = '" . $user_name . "' AND  user_password = '" . $user_password . "'");

    foreach ($results as $result) {

        $result = $pdo->query("SELECT COUNT(*) FROM  users WHERE user_name = '" . $user_name . "' AND  user_password = '" . $user_password . "'")->fetchColumn();

        //var_dump($result);

        if ($result > 0){
            echo "Signed In";
        } else {
            echo "Incorrect Username or Password!";
        }
    }

}
Martin
RolandUdv
  • Please have a read of [How to use password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Dec 16 '18 at 16:40
  • What does `var_dump($result);` show? – Martin Dec 16 '18 at 16:55
  • it shows `/srv/http/default/public/signin.php:20:string '1' (length=1)` – RolandUdv Dec 16 '18 at 16:57
  • when it should be zero? – Martin Dec 16 '18 at 17:00
  • No, when the username and password are entered correctly, I can't test what it'd show when entered wrong as it shows blank. – RolandUdv Dec 16 '18 at 17:02
  • right, so the issue is not the else statement but your data collection -- the first PDO – Martin Dec 16 '18 at 17:03
  • Read the PHP error log, what does it tell you ? – Martin Dec 16 '18 at 17:04
  • Unfortunately vagrant does not store any logs so I am unable to check it. I however checked if the query works and it returns everything fine in the database – RolandUdv Dec 16 '18 at 17:12
  • I find it hard to believe any programming environment does not store logs. If this is indeed true then you need to stop using Vagrant as soon as possible and use something which helps rather than hinders you. – Martin Dec 16 '18 at 17:14
  • Unfortunately it's true, it's a University project and we are required to use this, sadly. I have just checked it again in the database and with `->fetchColumn();` the user_name returns as 1, while the user_password returns with 'admin', which is simply the password in this case. I've changed it to `fetch();` and now I get this from var_dump `array (size=2) 'COUNT(*)' => string '1' (length=1) 0 => string '1' (length=1)` I assume, that also changed the password to '1', however it still doesn't make the else statement work. – RolandUdv Dec 16 '18 at 17:17
  • You're incorrect. [Google it](https://www.google.com/search?q=how+to+get+error+logs+on+Vagrant). – Martin Dec 16 '18 at 17:24

1 Answer


Your first PDO is incorrect.

Passwords should always be hashed. Do it.

You need to change to this:

 $results = $pdo->prepare("SELECT user_name, user_password FROM users
            WHERE user_name = :user ");
 $results->execute(['user' => $user_name]);
 $found = $results->fetch(PDO::FETCH_ASSOC); // false when no row matches
 echo "found row: ";
 print_r($found); // concatenating an array onto a string would only print "Array"

Please read this and this to improve your SQL handling in PHP.

Also read this (and especially this answer) and also read about exploring PHP error logs.

As you use Vagrant and erroneously mention that Vagrant does not give error logs, please Google this information to find that Vagrant DOES give PHP error logs. You need to use them.

Almost every part of your code is NOT best practice and needs to be heavily improved.


Complete fix of your code

Assuming username is a unique value

if (!empty($_POST["username"]) && !empty($_POST["password"]))  {

    $results = $pdo->prepare("SELECT user_name, user_password FROM users
               WHERE user_name = :user");
    $results->execute([':user' => $_POST["username"] ]);
    // username is unique, so fetch a single row; fetch() returns false when nothing matches
    // (fetchAll() returns a list of rows, so $foundRow['user_password'] would not exist on it)
    $foundRow = $results->fetch(PDO::FETCH_ASSOC);

    if($foundRow === false){
       // no user found
       echo "Incorrect Username or Password!";
    }
    elseif(password_verify($_POST["password"],$foundRow['user_password']) !== true){
       // bad password given (the stored value must be a password_hash() result)
       echo "Incorrect Username or Password!";
    }
    else {
       echo "Signed In";
    }

}
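Below is an added, self-contained example (not code from the question or the answer above) that puts the answer's two points together: look the user up with a prepared statement by username only, and compare the password with password_verify() against a password_hash() value. It builds its own in-memory SQLite table (the pdo_sqlite extension is assumed) with constructed sample accounts, and the table and column names follow the question (users, user_name, user_password). Because fetch() returns false when no row matches, the "incorrect" branch is reachable, which a foreach over an empty result set never is.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or answer's code. The in-memory database
// and the two accounts are constructed here so the script runs stand-alone.

function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $pdo->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, user_password TEXT NOT NULL)');
    return $pdo;
}

// Registration: store only a password hash, never the plain password.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (user_name, user_password) VALUES (:user, :hash)');
    $stmt->execute([
        ':user' => $username,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Sign-in check returning the message the page wants to show.
// One prepared query selects by username only; the password is checked with
// password_verify() in PHP, never compared inside SQL. No COUNT(*) query and
// no foreach are needed: fetch() yields false when there is no such user,
// so the "incorrect" branch actually runs.
function checkLogin(PDO $pdo, string $username, string $password): string
{
    $stmt = $pdo->prepare('SELECT user_password FROM users WHERE user_name = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch();

    // Same message for "unknown user" and "wrong password", so the response
    // does not tell a caller which usernames exist.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return 'Incorrect Username or Password!';
    }
    return 'Signed In';
}

$pdo = makeDb();
registerUser($pdo, 'admin', 'admin');       // constructed sample account
registerUser($pdo, "o'brien", 'secret');    // constructed account with a quote in the name

$cases = [
    ['admin',   'admin'],   // correct credentials            -> Signed In
    ['admin',   'wrong'],   // wrong password                 -> Incorrect ...
    ['nobody',  'admin'],   // unknown user                   -> Incorrect ...
    ["o'brien", 'secret'],  // the quote is plain data to a prepared statement -> Signed In
];
foreach ($cases as [$u, $p]) {
    printf("%-10s %-7s => %s\n", $u, $p, checkLogin($pdo, $u, $p));
}
```

Run it with `php signin_example.php` (any file name will do). The last case is the reason the answer insists on prepared statements: with the question's string concatenation, a username containing a quote would have broken the SQL, whereas the bound parameter carries it through unchanged.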
Martin