-1

I was wondering if someone can please help me sort out a problem I'm having with getting a piece of code to work? I've spent hours on it so far, and although it seems simple enough it just won't cooperate:(

It's a simple login page, and at the moment all I'm trying to do is check the inputted name and password against those stored in the database to see if they exist there, and grant access if they match. That part is working fine, but the elseif part that comes afterwards doesn't do anything at all.

The elseif is supposed to echo out a message that says their Username or Password don't match, but nothing happens - when you click submit with the incorrect details, the page seems to submit but the message doesn't appear. Could the issue be to do with the loop that it's all sitting in?

I'm sorry if this is a silly question or if it's been answered before, it's driving me a bit nuts.

Thank you very much in advance to anyone who can help me out, it's greatly appreciated:)

P.S. I've tried using (mysqli_num_rows($query) == 0) to check the database for the input values too but that doesn't seem to make a difference.


$username = $_POST['username'];
$password = $_POST['password'];

$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result=mysqli_query($connection,$query);  

while($row=mysqli_fetch_assoc($result)) {

$dbusername = $row['username'];
$dbpassword = $row['password'];

//Check to see if posted values equal db values    
if ($dbusername == $username && $dbpassword == $password) {

echo "Hello " . $dbusername."!";  

} //else, check to see that either of the posted values don't match db values
elseif ($dbusername !== $username || $dbpassword !== $password) 
{

echo "Sorry, your username or password don't match";

} //end elseif
} //end while loop
} //end submit check
user2817369
  • 1
  • 2
    You don't need that if. You SQL query already checks if username and password is right... You just need to check if there are any results for your query. – Elias Soares Nov 02 '19 at 23:11
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Nov 02 '19 at 23:16
  • 2
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Nov 02 '19 at 23:16

1 Answers1

1

First of all the code has a serious security issue. Please read this: What is SQL injection?

The code inside elseif never gets executed because if you enter incorrect username and password the result of your query become empty so you never get into the loop.

Payam Mohammadi
  • 126
  • 8