I'm trying to construct a script - login.php - which checks whether the entered username exists in the database, then compares whether entered password and password in the database match and is supposed to print the result of these operations on the web page (for now).

First of all the login page:

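```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
require_once("scripts/config.php");
require_once("scripts/helperClass.php");
// strip_tags() removes anything that looks like a tag, so it can alter the submitted password.
$username = strip_tags($_POST["username"]);
$password = strip_tags($_POST["password"]);
// echo prints "1" for true and an empty string for false.
echo helperClass::checkCredentials($username, $password);
?>
```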

Now the helper class (or at least the relevant function):

```php
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
class helperClass {
    public static function checkCredentials($UserName, $Password) {
        try {
            // mydbhost, mydbname, myuname and mydbpw are constants set with define() in config.php.
            $pdo = new PDO("mysql:host=".mydbhost.";dbname=".mydbname, myuname, mydbpw);
            $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        }
        catch(PDOException $ex) {
            throw(new PDOException($ex->getMessage(), (int) $ex->getCode()));
        }
        // Look the account up by user name or e-mail address.
        $statement = $pdo->prepare("SELECT UserId, Password FROM ChatUsers WHERE (? = UserName) OR (? = E_Mail)");
        $statement->execute(array($UserName, $UserName));
        $foundUser = $statement->fetch(PDO::FETCH_ASSOC);
        if($foundUser) {
            // Plaintext comparison of the stored and the submitted password.
            $pwCorrect = $foundUser["Password"] == $Password;
            // Fixed: the original tested the bare word pwCorrect, not the variable $pwCorrect.
            if($pwCorrect) {
                $statement = $pdo->prepare("UPDATE ChatUsers SET LoggedIn = true WHERE ? = UserId");
                $statement->execute(array($foundUser["UserId"]));
                return true;
            }
            else {
                return false;
            }
        }
        else {
            return false;
        }
    }
}
?>
```

In config.php I define the actual connection data. It compiles fine locally, but then eventually crashes with a PDOException as the request timed out. (My PHP editor has PDO support, so even locally the connection to the external database should work.) Online I just get a white screen of death.

I implemented error displaying now, and can see it's working as I get extra notices which were previously silent. Judging from the time the login page takes to load, the SQL query gets executed, but the page still is blank, no errors, no return. Is there anything else I overlooked?

TimB
  • 2
    typos `".mydbhost.";dbname=".mydbname` missing dollar signs in front of `mydbname` and `mydbhost` -> `$mydbhost`, `$mydbname`. Same for the params coming after, `myuname, mydbpw`, and in addition those vars were never initialized – Alex Feb 05 '19 at 19:06
  • OK... Thanks. Will fix it. – TimB Feb 05 '19 at 19:09
  • @alex ah, no. These are not typos. In config.php I use `define("mydbhost", "whatever.the.host");` etc. No $ sign is required for these. Also, where do you see a typo? `new PDO("mysql:host=whatever.the.host;dbname="...` would be the result... – TimB Feb 05 '19 at 19:14
  • 1
    no it is still very bad practice. if `mydbname` is a real string constant why don't you just `"mysql:host=mydbhost;dbname=mydbname"`? Why are you using concatenation `.` to join constant strings? – Alex Feb 05 '19 at 19:17
  • Turn on error reporting: https://stackoverflow.com/a/21429652/296555 and also https://stackoverflow.com/a/14578644/296555 – waterloomatt Feb 05 '19 at 19:19
  • Because config.php is protected, whilst the helper class is not (yet). Once I can set dey for all I'll probably change it to your suggestion. For now... I don't think the bad practice is causing the aforementioned problem? – TimB Feb 05 '19 at 19:20
  • @waterloomatt Locally, where error reporting is on, I don't get any errors until the request times out. Online I have no access to php.ini. – TimB Feb 05 '19 at 19:21
  • OK, thanks. Will do... – TimB Feb 05 '19 at 19:27
  • Also, pass options to your connection and set `ATTR_ERRMODE` to `PDO::ERRMODE_EXCEPTION`. See here - https://phpdelusions.net/pdo#dsn – waterloomatt Feb 05 '19 at 19:28
  • updated question. – TimB Feb 05 '19 at 20:54
  • `catch(PDOException $ex) { throw(new PDOException($ex->getMessage(), (int) $ex->getCode()));` - extremely useless – Alex Feb 05 '19 at 21:05
  • Why? That way, it bubbles up to the PHP exception handler, displaying only message and number, no stacktrace - aka no sensitive data. And please, can you do CONSTRUCTIVE criticism? Tell me how to do it better, perhaps? – TimB Feb 05 '19 at 21:08
  • Is it timing out on connection or when you execute your statement? You can shorten the timeout period - https://stackoverflow.com/q/21403082/296555 – waterloomatt Feb 12 '19 at 14:21
  • All good, I fixed it by now. STRATO only permits 4 internal redirects, which apparently was the issue, and all others were just consequences of that initial issue. – TimB Feb 12 '19 at 14:22
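
Added example, not part of the original question or its comments: a hardened variant of `checkCredentials` that verifies a stored `password_hash()` value with `password_verify()` instead of comparing plaintext with `==`, and passes the password through unmodified (no `strip_tags`). It assumes the `Password` column holds such hashes; the in-memory SQLite database (needs `pdo_sqlite`) and the sample account are constructed so the snippet runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added example: table and column names follow the question; everything
// else (SQLite, the sample account) is constructed for illustration.
function checkCredentials(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT UserId, Password FROM ChatUsers WHERE UserName = ? OR E_Mail = ?'
    );
    $stmt->execute([$login, $login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when no row matches, so unknown and known
    // accounts take roughly the same time to reject.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $user ? $user['Password'] : $dummy;

    if (!password_verify($password, $hash) || !$user) {
        return false;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $pdo->prepare('UPDATE ChatUsers SET Password = ? WHERE UserId = ?')
            ->execute([password_hash($password, PASSWORD_DEFAULT), $user['UserId']]);
    }
    $pdo->prepare('UPDATE ChatUsers SET LoggedIn = 1 WHERE UserId = ?')
        ->execute([$user['UserId']]);
    return true;
}

// Constructed demo data: one account whose password is stored as a hash.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE ChatUsers (UserId INTEGER PRIMARY KEY, UserName TEXT,
            E_Mail TEXT, Password TEXT, LoggedIn INTEGER DEFAULT 0)');
$pdo->prepare('INSERT INTO ChatUsers (UserName, E_Mail, Password) VALUES (?, ?, ?)')
    ->execute(['alice', 'alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// var_dump() shows booleans explicitly; echo would print "" for false.
var_dump(checkCredentials($pdo, 'alice', 'correct horse'));
var_dump(checkCredentials($pdo, 'alice@example.test', 'wrong'));
var_dump(checkCredentials($pdo, 'nobody', 'correct horse'));
```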

0 Answers