
So this makes me go crazy! If the username is correct, then it compares the password totally fine, but if the username is wrong the comparison doesn't happen and this error is thrown at me. I want to compare the database value to the one the user entered.

<?php
$nm = $_POST['nm'];
$pw = $_POST['pw'];

try {
    $pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo "Connection failed: ".$e->getMessage();
    die();
}

if ($nm == null) {
    die("Feld darf nicht leer sein!");
} elseif (ctype_alpha($nm[0]) or ctype_digit($nm[0])) {
    // $nm is interpolated straight into the SQL string here.
    $sql = "SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername IN('$nm');";
    $result = $pdo->query($sql);
    // fetch() returns false when no row matched, i.e. when the username is wrong.
    $row = $result->fetch(PDO::FETCH_ASSOC);

    // This is the line that raises the notice: $row is false, not an array.
    if ("{$row['k_nutzername']}" != $nm) {
        //header("Location: login_wrongUN.html");
        print("nm wrong");
    } elseif ("{$row['k_passwort']}" != $pw) {
        //header("Location: login_wrongPW.html");
        print("pw wrong");
    } else {
        header("Location: konto.html");
    }
} else {
    die("Nutzername muss mit einem buchstaben oder einer Zahl beginnen!");
}
$pdo = null;
?>
Tobias2712
  • First of all, you check plain password, very bad idea. And you have an error because fetching Array is null. – JoelCrypto May 26 '22 at 21:00
  • `if("{$row['k_nutzername']}" != $nm)`...this logic is wrong. Your sql query already checks this. So if the username doesn't match, the sql will return no rows - and that's why you get the error because you can't access a field of a row which doesn't exist. Instead of this, simply check whether $row is false or not – ADyson May 26 '22 at 21:02
  • Please don't make the title the only place where the actual error is mentioned. It should be in the text of your message. A title should just give us the general topic of your question, like: "Error in PDO login code I cannot solve.". Also, the line number of the error is important. – KIKO Software May 26 '22 at 21:03
  • Also your code is vulnerable to sql injection...please change to using prepared statements and parameters for better security and reliability – ADyson May 26 '22 at 21:03
  • And as an aside, you don't need `IN` to check a single value... `=` will do just fine – ADyson May 26 '22 at 21:04
  • Something like `"{$row['k_nutzername']}"` is equivalent to `$row['k_nutzername']`. – KIKO Software May 26 '22 at 21:05
  • Anyway, the real problem is that `$row` contains `false` when no rows match your query, and you don't check for that. – KIKO Software May 26 '22 at 21:07

1 Answer

You could do something like this. However, it does not protect against insecure passwords or timing attacks.

<?php
$nm = $_POST['nm'];
$pw = $_POST['pw'];

try {
    $pdo = new PDO('mysql:host=localhost;dbname=gold-market_main', 'root', '');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo "Connection failed: ".$e->getMessage();
    die();
}

if ($nm == null) {
    die("Feld darf nicht leer sein!");
} // ctype does not protect

// Prepared statement: the username is bound as a parameter, never interpolated into the SQL.
$sql = $pdo->prepare("SELECT k_nutzername, k_passwort FROM kunden WHERE k_nutzername = ?;");
$sql->bindValue(1, $nm, PDO::PARAM_STR); // bind a value to the query (parameterized query), the standard defence against SQL injection
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC); // false when no row matched

if (!$row) { // the username does not exist
    //header("Location: login_wrongUN.html");
    print("nm wrong");
} elseif ($row['k_passwort'] != $pw) { // plaintext comparison, see the note above
    //header("Location: login_wrongPW.html");
    print("pw wrong");
} else {
    header("Location: konto.html");
}
$pdo = null;
?>
JoelCrypto
    Only thing missing is explanation. `$row` equals `false` because the user doesn't exist. Thus the error 'trying to access array offset' (which is `'k_nutzername'`) from bool. Meaning `$row` is not an array, so you can't access the offset `k_nutzername`. – Bruno Polo May 26 '22 at 21:31
  • From the bottom of my heart THANK YOU!! Security is not very important rn because it's only for a school project. I tried everything and I'm not very into php and database stuff so you really really helped me out here!! – Tobias2712 May 26 '22 at 21:46
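A hardened version of the answer's login check, added here as an example and not code from the question or the answer: it keeps the prepared statement and the `false` check on `fetch()`, but stores a `password_hash()` instead of the plaintext password and verifies against a dummy hash for unknown users so the response time does not reveal whether the username exists. The table and column names come from the question; the `login()` function, the in-memory SQLite database and the sample user are constructed for this example.

```php
<?php
// Added example, not the question's or answer's code. Uses an in-memory
// SQLite database with constructed sample data so it runs stand-alone;
// table and column names are the ones from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE kunden (k_nutzername TEXT PRIMARY KEY, k_passwort TEXT NOT NULL)");

// Store only a password hash, never the plaintext password (constructed user).
$ins = $pdo->prepare("INSERT INTO kunden (k_nutzername, k_passwort) VALUES (?, ?)");
$ins->execute(['anna', password_hash('geheim123', PASSWORD_DEFAULT)]);

/**
 * Returns true only when the username exists and the password matches.
 * The username is bound as a parameter, so it is never interpolated into
 * the SQL, and a false fetch (no matching row) is treated as "unknown user"
 * instead of reading an offset from bool.
 */
function login(PDO $pdo, string $nm, string $pw): bool
{
    if ($nm === '' || $pw === '') {
        return false;
    }
    $stmt = $pdo->prepare("SELECT k_passwort FROM kunden WHERE k_nutzername = ?");
    $stmt->execute([$nm]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run password_verify() against a dummy hash so the
    // time taken does not differ between "no such user" and "wrong password".
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = ($row === false) ? $dummy : $row['k_passwort'];
    $ok = password_verify($pw, $hash);

    return $row !== false && $ok;
}

foreach ([['anna', 'geheim123'], ['anna', 'falsch'], ['unbekannt', 'x']] as [$u, $p]) {
    printf("%-10s %s\n", $u, login($pdo, $u, $p) ? 'login ok' : 'login failed');
}
```

Both failure cases print the same message, which is the right behaviour for a login form: a separate "nm wrong" / "pw wrong" response tells a caller which usernames exist.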