Hello, I don't get the $msg shown if my Username and Password are not the correct ones. Here is the PHP isset part.

    if(isset($_POST['Submit'])){
        $Username = $_REQUEST['Username'];
        $Password  = $_REQUEST['Password'];
        $hashed_password = '$2y$10$KWpZCg/vOumvk0TFiauhqu2kmBvDw3T0RwdWBrofKfgBkdI8ApyXe';
        echo $hashed_password;
        $tsql = "SELECT * FROM MasterarbeitDB.dbo.Benutzer";

        $stmt = sqlsrv_prepare( $conn, $tsql, array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
        if (sqlsrv_execute($stmt)) {
            while( $obj = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC)) {
                if(password_verify($Password, $hashed_password) && $obj['Benutzer'] == $_POST['Username']) {
                    $_SESSION['valid_user'] = true;
                    $_SESSION['Username'] = $Username;
                    header("location:ma_Qualianlegen.php?QualiID=".$QualiID."&TestaufstellungID=".$TestaufstellungID."&Bezeichnung=".$Bezeichnung."&StatusID=".$StatusID."&TID=". $TID ."&AuftragsID=". $AuftragsID ."");
                    exit;
                }else {

                    $msg="<span style='color:red'>falsche Login-Date</span>";
                }
            }
        }
    }

Any help why this happens? Thx

Daniel
  • I would strongly recommend looking into prepared statements to protect from SQL Injection, I would also more strongly recommend not storing plain text passwords - https://stackoverflow.com/questions/30279321/how-to-use-password-hash – Nigel Ren Apr 21 '19 at 15:27
  • In addition to what @NigelRen said, you are first doing a query for only users that match. Your check for whether they match inside the `while` loop is therefore meaningless; it's always going to succeed because you have only selected records where it will succeed. What you don't do is check for the situation where there are no matching records returned by the query at all, this is when your error should be generated. – Greg Schmidt Apr 21 '19 at 15:51
  • Thx, it works, changed to prepare and used the hash function. Thx guys – Daniel Apr 21 '19 at 16:56
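
The approach described in the comments above (bind the user name as a query parameter, verify against the stored hash, and set the error when no row matches), as an added example that is not part of the original thread. It assumes `$conn` is an open sqlsrv connection as in the question; the column name `PasswortHash` and the helper `find_password_hash()` are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes $conn is an open sqlsrv
// connection and a hypothetical column PasswortHash that stores the
// output of password_hash().
session_start();
$msg = '';

function find_password_hash($conn, string $username): ?string
{
    // The user name is bound as a parameter, never concatenated into the SQL.
    $tsql = "SELECT PasswortHash FROM MasterarbeitDB.dbo.Benutzer WHERE Benutzer = ?";
    $stmt = sqlsrv_query($conn, $tsql, array($username));
    if ($stmt === false) {
        throw new RuntimeException('Login query failed');
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    sqlsrv_free_stmt($stmt);
    // No row means the user does not exist; the caller treats that
    // exactly like a wrong password.
    return is_array($row) ? $row['PasswortHash'] : null;
}

if (isset($_POST['Submit'])) {
    // Anything that is not a plain string (for example an array) becomes ''.
    $username = is_string($_POST['Username'] ?? null) ? $_POST['Username'] : '';
    $password = is_string($_POST['Password'] ?? null) ? $_POST['Password'] : '';
    $hash = find_password_hash($conn, $username);

    if ($hash !== null && password_verify($password, $hash)) {
        session_regenerate_id(true);   // fresh session id after a successful login
        $_SESSION['valid_user'] = true;
        $_SESSION['Username'] = $username;
        header('Location: ma_Qualianlegen.php');   // query string from the question omitted
        exit;
    }
    // Reached for "no such user" and for "wrong password" alike, so the
    // message is always set and does not reveal which of the two it was.
    $msg = "<span style='color:red'>falsche Login-Date</span>";
}
```

Because the error is assigned after the lookup instead of inside a `while` loop over result rows, it is also set when the query returns no rows at all.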
