-2

I have a simple login form using PDO prepared statements which worked fine under PHP 7.3, but under 7.4 I find this has an issue.

The code I'm using simply is:

```php
if(isset($_POST['btn_login'])){

    $useremail = $_POST['txt_email'];
    $password = $_POST['txt_password'];

    $select= $pdo->prepare("select * from tbl_user where useremail='$useremail' AND password='$password'");

    $select->execute();

    $row=$select->fetch(PDO::FETCH_ASSOC);

    if($row['useremail']==$useremail AND $row['password']==$password){

        echo $success='Login Successful';

        header('refresh:1;dashboard.php');
    }else{

        echo 'Login Failed';
    }
}
```

Using PDO and prepared statements, what's the correct solution for PHP 7.4?

  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jun 14 '20 at 11:52
  • I'm aware of the security issue; I'm simply trying to get the statement and query working as such before I worry about using an MD5 on it – The Oz Snowman Jun 14 '20 at 12:12
  • The thing is you should never use MD5 with passwords. When you think how to do it properly you will realize you need to remove all this code and write a new one. Security first! When you leave security last it only means twice the amount of work for you. – Dharman Jun 14 '20 at 12:15

1 Answer

0

Because there is no result with your query. It returns FALSE and you try to access false as an array.

So test if row is filled with data
(see updated if statement).

Btw. do echo after header.

```php
if($row && $row['useremail']==$useremail && $row['password']==$password){
    header('refresh:1;dashboard.php');
    echo $success='Login Successful';
} else{
    echo 'Login Failed';
}
```

Hint: use prepared statements

```php
$select = $pdo->prepare("SELECT * FROM tbl_user WHERE useremail=? AND password=?");
$select->execute([$useremail, $password]);
```

Warning

Never save passwords in plain text. Use encryption.

Markus Zeller
  • Thanks for the tip, Markus. Unfortunately, even though I put in the right data to the query, it returns the login fail. – The Oz Snowman Jun 14 '20 at 11:41
  • The prepared statement is setting the correct values into the query, because if I use `print_r($select); print_r($row);` the $select is correct but the $row returns nothing despite the data being correct and in the table – The Oz Snowman Jun 14 '20 at 11:46
  • The query checks for password and username. So I think there will be a typo anywhere in the email or password. When those don't match, the database won't find anything. – Markus Zeller Jun 14 '20 at 11:50
  • The reason you should use prepared statements is that they prevent SQL injection. – Markus Zeller Jun 14 '20 at 11:51
  • OK, so the database has info@email.com as the useremail and the word password as the password (yes, I know the security thing, I'm just trying to get the statement and query working before I worry about md5ing it etc.). The $row when dumped simply returns bool(false) despite the select being correct... – The Oz Snowman Jun 14 '20 at 12:07
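
A login check that combines the points raised in the answer and comments (bound parameters, testing the result of `fetch()` for `false` before indexing it, and `password_hash()` / `password_verify()`), as an added example that is not code from the thread. It assumes the `pdo_sqlite` extension and an in-memory database so it runs on its own; the `password_hash` column, the `login()` helper and the sample users are constructed for illustration.

```php
<?php
// Added example, not code from the thread. tbl_user and useremail come from
// the question; the password_hash column, login() and all sample data are
// assumptions made for this illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_user (useremail TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: store only the hash produced by password_hash().
$insert = $pdo->prepare('INSERT INTO tbl_user (useremail, password_hash) VALUES (?, ?)');
$insert->execute(['info@email.com', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $useremail, string $password): bool
{
    // Look the user up by e-mail only; the value is bound, never interpolated.
    $select = $pdo->prepare('SELECT password_hash FROM tbl_user WHERE useremail = ?');
    $select->execute([$useremail]);
    $row = $select->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches; check before indexing it.
    if ($row === false) {
        return false;
    }
    // Verify in PHP against the stored hash instead of comparing in the WHERE clause.
    return password_verify($password, $row['password_hash']);
}

// Constructed inputs: valid login, wrong password, unknown user, and an
// e-mail containing a quote character, which the bound parameter treats as data.
$cases = [
    ['info@email.com', 'correct horse battery'],
    ['info@email.com', 'password'],
    ['nobody@email.com', 'correct horse battery'],
    ["o'neil@email.com", 'correct horse battery'],
];
foreach ($cases as [$email, $pass]) {
    printf("%-20s => %s\n", $email, login($pdo, $email, $pass) ? 'Login Successful' : 'Login Failed');
}
```

Because the hash is salted, the password can no longer be matched in the `WHERE` clause; the row is selected by e-mail and the password is checked afterwards with `password_verify()`.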