If Else with isset: else part does not work [PHP] - php

Hello i dont get the $msg shown if my Username and Password is not the correct one.´Here is the php isset Part.
if(isset($_POST['Submit'])){
$Username = $_REQUEST['Username'];
$Password = $_REQUEST['Password'];
$hashed_password = '$2y$10$KWpZCg/vOumvk0TFiauhqu2kmBvDw3T0RwdWBrofKfgBkdI8ApyXe';
echo $hashed_password;
$tsql = "SELECT * FROM MasterarbeitDB.dbo.Benutzer";
$stmt = sqlsrv_prepare( $conn, $tsql, array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
if (sqlsrv_execute($stmt)) {
while( $obj = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC)) {
if(password_verify($Password, $hashed_password) && $obj['Benutzer'] == $_POST['Username']) {
$_SESSION['valid_user'] = true;
$_SESSION['Username'] = $Username;
header("location:ma_Qualianlegen.php?QualiID=".$QualiID."&TestaufstellungID=".$TestaufstellungID."&Bezeichnung=".$Bezeichnung."&StatusID=".$StatusID."&TID=". $TID ."&AuftragsID=". $AuftragsID ."");
exit;
}else {
$msg="<span style='color:red'>falsche Login-Date</span>";
}
}
}
}
Any help why this happen? thx

Related

Why does my foreach loop not get executed?

I made a login form. The form works and after the user inputs the right email and password, access is granted. There is an issue.
I use a foreach loop to test all results (should be one account).
foreach ($result as $outp) {
$role = $outp->role;
$name= $outp->name;
$surname= $outp->surname;
$_SESSION["name"] = $name;
$_SESSION["surname"] = $surname;
$_SESSION["role"] = $role;
if($_SESSION["role"] == 'Admin') {
header("location:index.php");
} else
if($_SESSION["role"] == 'User') {
header("location:../index.php");
} else {
header("location:login.php");
}
}
This code is supposed to check for the account role, and determine which page it can go to.
The issue is that everything inside of the foreach loop does not get executed.
Here you see the full code including the foreach loop (only php):
if(isset($_POST["login"]))
{
if(empty($_POST["email"]) || empty($_POST["password"]))
{
$message = '<label>Some fields are still empty</label>';
}
else
{
$query = "SELECT * FROM account WHERE email = :email AND password= :password";
$statement = $con->prepare($query);
$statement->execute(
array(
'email' => htmlspecialchars($_POST["email"]),
'password' => htmlspecialchars($_POST["password"])
)
);
$count = $statement->rowCount();
if($count > 0)
{
$_SESSION["email"] = $_POST["password"];
$username = $_SESSION["email"];
$query = "SELECT role, name, surname FROM account WHERE email = :email";
$stm = $con->prepare($query);
$stm->bindParam(':email', $email, PDO::PARAM_STR, 20);
$stm->execute();
$result = $stm->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $pers) {
$rol = $pers->rol;
$voornaam = $pers->voornaam;
$achternaam = $pers->achternaam;
$_SESSION["voornaam"] = $voornaam;
$_SESSION["achternaam"] = $achternaam;
$_SESSION["rol"] = $rol;
if($_SESSION["rol"] == 'Admin') {
header("location:index.php");
} else
if($_SESSION["rol"] == 'Gebruiker') {
header("location:../index.php");
} else {
header("location:login.php");
}
}
}
else
{
$message = '<label>Wrong input</label>';
}
}
}
$email is used in SQL but no where declared or assigned.
if($count > 0)
{
$_SESSION["email"] = $_POST["email"];
$email = $_SESSION["email"];
$query = "SELECT role, name, surname FROM account WHERE email = :email";
$stm = $con->prepare($query);
$stm->bindParam(':email', $email, PDO::PARAM_STR, 20);
$stm->execute();
$result = $stm->fetchAll(PDO::FETCH_OBJ);
foreach ($result as $pers) {
$rol = $pers->rol;
$voornaam = $pers->voornaam;
$achternaam = $pers->achternaam;
$_SESSION["voornaam"] = $voornaam;
$_SESSION["achternaam"] = $achternaam;
$_SESSION["rol"] = $rol;
if($_SESSION["rol"] == 'Admin') {
header("location:index.php");
} else
if($_SESSION["rol"] == 'Gebruiker') {
header("location:../index.php");
} else {
header("location:login.php");
}
}
}
else
{
$message = '<label>Wrong input</label>';
}
}
Something wrong here in your code.. why assign posted password value to email?
$_SESSION["email"] = $_POST["password"];
$username = $_SESSION["email"];

PHP better login validation for PDO

My code works perfectly until the validation, When i enter wrong username it doesn't show Invaild Username or Password! but if i entered correct username but wrong password the message appears, How do i fix that?
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
try {
$sql = "SELECT * FROM users WHERE username=:username";
$stmt = $db->prepare($sql);
$stmt->execute(array(':username' => $username));
while($row = $stmt->fetch()){
$user_id = $row['user_id'];
$username = $row['username'];
$hash_password = $row['password'];
if(password_verify($password, $hash_password)){
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
} else {
die("Invaild Username or Password!");
}
}
}
catch(PDOException $e)
{
echo "An error occurred " . $e->getMessage();
}
}
if(isset($_POST['login'])){
$username = $_POST['username'];
$password = $_POST['password'];
try {
$sql = "SELECT * FROM users WHERE username=:username";
$stmt = $db->prepare($sql);
$res = $stmt->execute(array(':username' => $username));
if (!$res){
die("Invaild Username!");
}
while($row = $stmt->fetch()){
$user_id = $row['user_id'];
$username = $row['username'];
$hash_password = $row['password'];
if(password_verify($password, $hash_password)){
$_SESSION['user_id'] = $user_id;
$_SESSION['username'] = $username;
} else {
die("Invaild Username or Password!");
}
}
} catch(PDOException $e)
{
echo "An error occurred " . $e->getMessage();
}
}

why won't this page redirect?

I'm having a problem with redirecting a page in php.
<?php
include '../include/dbfunctions.php';
$email = $password = "";
$err = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (isset($_POST['login']) && !empty($_POST['password'])) {
$email = trim($_POST['email']);
$password = trim($_POST['password']);
$link = get_db_connection();
if (mysqli_connect_errno()) {
die(" Something went wrong ! ");
}
$user_email = mysqli_real_escape_string($link, $email);
$user_password = mysqli_real_escape_string($link, $password);
$query = "SELECT username FROM user WHERE user_email = '$user_email' AND user_password = SHA1('$user_password') AND user_active = '1';";
$data = mysqli_query($link, $query);
if (mysqli_num_rows($data) == 1) {
$row = mysqli_fetch_array($data);
$username = $row['username'];
mysqli_close($link);
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();
}
} else {
$err = "Invalid combination of e-mail and password";
echo $err;
}
} else {
}
}
?>
I can't figure it out. If i fill in an invalid password or email, i get the error message. But when they are correct, nothing happens.
if (!empty($username)) {
header('location:http://www.yoursite.be/login/dashboard.php?error=error in login please try agine');
exit();
}
if (!empty($username)) {
header('location:http://www.xxxxxxxxxxxxxx.be/login/dashboard.php');
exit();}
$username might be empty.

MySql Password_verify() not working?

during registration, the user's password is saved in the database as an encrypted BCRYPT password.
My question is: Why can't I verify the encrypted database password with the entered password?
CODE:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$veri_password' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY DECLARED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
?>
I'm receiving an error that says 'account does not exist' even when I enter valid information.
Thanks,
-Eugene
EDIT CHANGED TO THIS:
<?php //POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];
require 'password_config.php';
if(isset($submit)){
require 'db/connect.php';
//PASSWORD VERIFYING
$pass_query = "SELECT password FROM users WHERE email='$email'";
$queried = mysql_query($pass_query);
while($row = mysql_fetch_array($queried)){
$user_pass = $row['password'];
$veri_password = password_verify($password, $user_pass);
}
if($veri_password === true){
//CHECKING NUM ROWS
$sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
$entered_user = mysql_query($sql);
$num_rows = mysql_num_rows($entered_user);
//ERRS ARRAY ESTABLISHED
$errors = array();
//FURTHER VERIFYING
if( $num_rows != 1 )
{
$errors[] = '-Account does not exist ';
}
elseif( $num_rows == 1 )
{
session_start();
while($row = mysql_fetch_array($entered_user)){
$_SESSION['key'] === true;
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $email;
$_SESSION['user'] = $row['username'];
$_SESSION['pass'] = $password;
header('Location: profile.php');
exit();
}
}
}
}
?>
change to:
$sql = "SELECT id, username FROM users WHERE email='$email'";
Also change:
$veri_password = password_verify($password, $user_pass);
to
if(!password_verify($password, $user_pass)){
echo 'invalid password';
exit;
}
anyway, your code is vulnerable to sql injection. please consider using prepared statements in your queries or escape input strings with mysql_real_escape_string. . And also it is recommended to use mysqli or pdo instead of procedural methods

mysqli prepared statement in login form doesn't work?

I am trying to secure my login form using mysqli prepared statement.
I am using the following code and I'm keep getting the wrong information entered error!
here is my code:
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM storename
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
mysqli_stmt_close($stmt);//<-- CLEAN UP AFTER YOURSELF!
//update was successful
$id = mysqli_insert_id($db_conx);
}
$existCount = mysqli_num_rows($query); // count the row nums
if ($existCount == 1) { // evaluate the count
while($row = mysqli_fetch_array($query, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
exit();
} else {
echo "wrong information entered";
exit();
}
}
but when I use this code, it works fine:
$sql = "SELECT * FROM storename WHERE email='$manager' AND password='$password' AND storeShop='$stores'";
$query = mysqli_query($db_conx, $sql);
could someone please tell me what I am doing wrong?
Thanks in advance.
EDIT, This still doesn't work.
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM members
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
$existCount = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_execute($stmt); // count the row nums
if ($existCount == 1) { // evaluate the count
while($row = mysqli_fetch_array($stmt, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
mysqli_stmt_close($stmt);
exit();
} else {
header("Location: data");
exit();
}
//<-- CLEAN UP AFTER YOURSELF!
//update was successful
}
}
SECOND EDIT:
if (isset($_POST["email"]) && isset($_POST["password"])) {
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
// Connect to the MySQL database
include "config/connect.php";
$stmt = mysqli_prepare(
$db_conx,
"SELECT email, password, storeShop
FROM members
WHERE email = ?
AND password = ?
AND storeShop = ?"
);
$manager = $_POST["email"];
$password = sha1(sha1($_POST['password']).$_POST['password']);
$stores = $_POST["stores"];
//after validation, of course
mysqli_stmt_bind_param($stmt, "sss", $manager, $password, $stores);
mysqli_stmt_execute($stmt);
if (mysqli_affected_rows($db_conx))
{
$existCount = mysqli_stmt_affected_rows($stmt); // count the row nums
if ($existCount == 1) { // evaluate the count
if (mysqli_stmt_affected_rows($stmt))
{
while($row = mysqli_fetch_array($stmt, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
mysqli_stmt_close($stmt);
exit();
} else {
header("Location: data");
exit();
}
}
//<-- CLEAN UP AFTER YOURSELF!
//update was successful
}
}
This works for me:
$stmt = $db_conx->prepare("SELECT email, password, storeShop
FROM storename
WHERE email = ?
AND password = ?
AND storeShop = ?");
$stmt->bind_param('sss', $manager, $password, $stores);
$stmt->execute();
$stmt->bind_result($manager, $password, $stores);
$stmt->store_result();
if($stmt->num_rows == 1) //To check if the row exists
{
while($stmt->fetch()) //fetching the contents of the row
{
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
exit();
}
}
else {
header("Location: data");
exit();
}
$stmt->close();
You need to update this;
$existCount = mysqli_num_rows($query);
to
$existCount = mysqli_stmt_affected_rows($stmt);
Refer here for further details
Edit:
And in your code it should be ;
if (mysqli_stmt_affected_rows($stmt))
{
while($row = mysqli_fetch_array($stmt, MYSQLI_ASSOC)){
$storeShop = $row["storeShop"];
}
$_SESSION["storeShop"] = $storeShop;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION['storeShop'] = $storeShop;
header("location: dashboard");
mysqli_stmt_close($stmt);
exit();
} else {
header("Location: data");
exit();
}

Categories