1

In my login page. when username or password is incorrect then it is displays both if condition statements and also display this error: "Trying to access array offset on value of type null".kindly help me out to figure this out. thanks in advance.

Here is the code:

        if(isset($_POST['login']))
    {
        $username=$_POST['username'];
        $password=$_POST['password'];
        $sql="select * from users where user_name='".$username."' and password='".$password."' ";
        $result=mysqli_query($con,$sql); 
        $row=mysqli_fetch_array($result,MYSQLI_ASSOC);
        if (mysqli_num_rows($result) === 1) 
        {
            echo '<script>alert("Login successfully")</script>';
        }
        else
        {   
            if($row["user_name"] != $_POST['username'])
            {   
                echo "username is incorrect";
            }
             if($row["password"] != $_POST['password'])
            {
                echo "password is incorrect"; 
            }
        }
    }

and here is the error:

Notice: Trying to access array offset on value of type null in C:\xampp\htdocs\selfstudy\login.php on line 75

username is incorrect

Notice: Trying to access array offset on value of type null in C:\xampp\htdocs\selfstudy\login.php on line 79

password is incorrect

Alive to die - Anant
  • 70,531
  • 10
  • 51
  • 98
Rana Rashid
  • 21
  • 1
  • 4
  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` API instead of concatenating user-provided values into the query. Never trust ANY user input! – Alive to die - Anant Sep 06 '22 at 05:03
  • ok. i will keep it in mind. thanks for the link – Rana Rashid Sep 06 '22 at 05:04
  • Because when username or password is incorrect then $row is empty and you are trying to access offset of that empty $row. – Aqib Javed Sep 06 '22 at 05:13

1 Answers1

3

The error is likely to be thrown when no rows are returned from the DB, since the code only handles the condition where number of rows returned is equal to 1.

When 0 rows are returned, $row is null. And when you are try to access array offsets $row["user_name"] and $row["password"], it throws the error Trying to access array offset on value of type null since $row["user_name"] and $row["password"] don't exist.

To fix this, you must either handle the case where mysqli_num_rows($result) === 0, or you must check isset($row["user_name"]) and isset($row["password"]) beforehand.

Note 1: Depending on your table design, the code will fail if more than 1 row is returned. I suggest appending your SQL query with LIMIT 1 to avoid this.

Note 2: It also seems like you're saving the passwords in the DB as plaintext. This is bad practice. Please look up password hashing. This article is a good starting point.

Note 3: You may want to consider implementing a generic error message in your else block instead. Returning something like "Your username/password is incorrect"

Note 4: You are open to SQL injection attacks. Please take a look at the answers in the provided link and implement parameterized prepared statements.

brondibur
  • 121
  • 2
  • 7