- Passwords are stored in plain text just for the sake of ease; this will never be a deployed website. I know I should use password_hash and that plain text passwords are a huge security vulnerability.

The issue I'm facing is that when a username and password are typed in, even if the values are not present in the database, the Submit.php line elseif ($query) executes and redirects the user back to the main page. The functionality I was expecting is that, should incorrect credentials be entered into the form, such as the correct username but wrong password or vice versa, it would be caught by if(!$query) and the error message inserted into the HTML form at the line . This is because PDOStatement::fetch should return false when there is a failure to return a row. So my understanding was that if the username and password, or one of the two, do not match, no rows should be available and false would be the result. My assumption is that fetch() seems to be evaluating to true always, or I have made an error in my boolean logic in my if statements.

Login.php:

    <form class="Form" method="post" name="form" action="Login.php">
        <h1> Login </h1>
        <hr>
        <div class="Entry">
            <label for="username"><b>Username</b></label>
            <input type="text" placeholder="Enter Username" name="username" id="username" required> <br>

            <label for="password"><b>Password</b></label>
            <input type="password" placeholder="Enter a Password" name="password" id="password" required> <br> <br>
            <button type="submit" value="login" name="submit" class="registerbtn"><b>Login</b></button>
            <br><br>
            <?= $errmsg ?>
            <a href="Register.php"> Register if you don't have an account already</a>
        </div>
    </div>
    </form>

Submit.php:

    <?php

    session_start();
    $errmsg = '';
    $errors = array();

    //This connects to the localhost database.

    $dsn = "mysql:host=localhost;dbname=labwebsite";
    $user = "root";
    $passwd = "";

    try
    {
        $pdo = new PDO($dsn, $user, $passwd);
    }
    catch(PDOEXception $e)
    {
        $strerr = $e->getMessage();
        $format = 'Failed to connect to Database: %s';
        echo sprintf($format, $strerr);
        exit;
    }

    if (isset ($_POST['submit']))
    {
        $username = $_POST['username'];
        $password = $_POST['password'];

        $query = $pdo->prepare("SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1");
        $query->bindParam(1, $username, PDO::PARAM_STR, 12);
        $query->bindParam(2, $password, PDO::PARAM_STR, 12);
        $query->execute();
        $query->fetch();

        if(!$query)
        {
            array_push($errors,"Username and password is required");
            $errmsg = '<span id = "error" class = "errbox">'.implode('<br/>', $errors).'</span>';
            exit();
        }
        elseif ($query)
        {
            $_SESSION ['username'] = $username;
            $_SESSION ['permission'] = $permission;
            $_SESSION ['success'] = "You are now logged in";
            echo "success!"; //test to see if this was being executed.
            header ("location: index.php");
            exit();
        }
        $query->close();
    }
    $pdo=null;
    ?>

  • A SELECT that returns zero rows is a perfectly valid query -- it's not an error. You have to check for the contents of the result. – Alex Howansky Apr 02 '21 at 18:40
  • Also note, the fundamental design of this code (i.e., including the password in the query and expecting to find a row) is going to prevent you from switching to password_hash() later. – Alex Howansky Apr 02 '21 at 18:42
  • @AlexHowansky thank you for the heads up – syntaxerror Apr 02 '21 at 18:45
  • @AlexHowansky I have fixed the issue and made it a countable array, rather than make a new question, do you have any idea why my error message might not be inserted/displayed into the HTML? When it's wrong the page just clears the form with no indication that the wrong information was added. – syntaxerror Apr 02 '21 at 19:03

1 Answer

As Alex Howansky pointed out, since SELECT with 0 return is a valid query, I needed to change my if statements. I changed my fetch to `$result = $query->fetch(PDO::FETCH_ASSOC);` which returns the result as an associative array.

For reasons unknown to me, "Parameter must be an array" returned when I tried to do `(count($result) == 0)`, so I had to cast the variable `$result` to an array.

    if(count((array)$result) == 0)

and adjusted the elseif to be:

    elseif ($result > 0)

  • be careful, `$result` could be `false`, and casting `false` into an array would give you an empty array – St3an Apr 02 '21 at 19:20
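
An added example, not code from the question or the answer: it tests the value returned by `fetch()` (which is `false` when no row matches) instead of the statement object, and selects by username only so the stored value can be a `password_hash()` hash, as the comments suggest. The in-memory SQLite database, the `checkLogin()` helper, and the sample account are assumptions made so the script runs stand-alone.

```php
<?php
// Added example: a constructed in-memory SQLite table stands in for the
// question's MySQL `users` table (assumption, so the script runs offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, permission TEXT)');
$insert = $pdo->prepare('INSERT INTO users VALUES (?, ?, ?)');
// Constructed sample account; only the hash is stored.
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'user']);

/**
 * Hypothetical helper: returns the user row (without the hash) on success,
 * or null when the user is unknown or the password does not match.
 */
function checkLogin(PDO $pdo, string $username, string $password): ?array
{
    // Look the user up by name only; the password is compared in PHP.
    $stmt = $pdo->prepare(
        'SELECT username, password, permission FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when there is no row. The statement object
    // ($stmt) is always truthy, so it cannot be used as the test.
    if ($row === false) {
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // keep the hash out of the session data
    return $row;
}

// Constructed attempts: valid login, wrong password, unknown user.
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'x']] as [$u, $p]) {
    $user = checkLogin($pdo, $u, $p);
    if ($user === null) {
        // Same message for both failure cases, so the form does not
        // reveal which usernames exist.
        echo "$u: rejected (Invalid username or password)\n";
    } else {
        echo "$u: accepted, permission = {$user['permission']}\n";
    }
}
```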