0

I have a select action and I want to check if the fields username and password are both empty. My issue is that if one of them is empty the echo message pops up, but if both are empty it goes straight to the next page.

<?php
error_reporting(E_ALL & ~E_NOTICE);
session_start();

if ($_POST['submit']) {
    include_once("connexion.php");
    $username = strip_tags($_POST['username']);
    $password = strip_tags($_POST['password']);

    $sql = "SELECT id, username, password  FROM users where username = '$username' and password ='$password'";
    $query = mysqli_query($dbCon,$sql);

    if ($query) {
        $row = mysqli_fetch_row($query);
        $userId = $row[0];
        $dbUsername = $row[1];
        $dbPassword = $row[2];
    }

    if ($username == $dbUsername && $password == $dbPassword) {
        $_SESSION['username'] = $username;
        $_SESSION['id'] = $userId;
        header('location:../index-2.php');
    } else {
        echo "wrong username or password";
    }
}
?>

Edit: I used Dharmesh Goswami's solution:

if ($username == $dbUsername && !empty($username) && $password == $dbPassword && !empty($password) )

It works like a charm! Thank you.

  • Take a look at `empty()` (http://php.net/manual/en/function.empty.php) – Qirel Sep 14 '15 at 12:35
  • That's because the DB result will be empty too. Check that the Username and Password aren't empty before comparing the values. – Epodax Sep 14 '15 at 12:35
  • Check [PHP: SQL Injection](http://php.net/manual/en/security.database.sql-injection.php) as well - strip_tags() ain't nearly enough ... – Ragdata Sep 14 '15 at 12:37

5 Answers

3

Just check in the if condition that both are not empty.

if ($username == $dbUsername && !empty($username) && $password == $dbPassword && !empty($password) )
{
    $_SESSION['username'] = $username;
    $_SESSION['id'] = $userId;
    header('location:../index-2.php');
}else
{
    echo "wrong username or password";
}
Dharmesh Goswami
2

You can apply the empty() condition right after the form is posted.

if (isset($_POST['submit'])) {
  $username = strip_tags($_POST['username']);
  $password = strip_tags($_POST['password']);
  $username = trim($username);
  $password = trim($password);
  if (empty($username) || empty($password)) {
    // Print your error.
  }
}

|| will check if any one or both of the fields are empty.

Pupil
1

You can use the empty() function to check if input string is empty or not. To check if one of the fields is empty, you could use the XOR(^) operator. Failing which, the control should pass to AND(&&) operator which checks if both the fields are empty. If that fails too, you could say that none of the fields is empty. Hope this helps.

if(isset($_POST['submit'])){
   if(empty($_POST['username']) ^ empty($_POST['password'])){
   // code here to perform task if one field is left empty

   } else if(empty($_POST['username']) && empty($_POST['password'])){
   // code here to perform task if both fields are empty  

   } else {
   // code here to perform task when none of the fields is empty

   }

}
Ali Idrees
0
You can do it like this:

extract($_POST);
if($_POST['submit']) :
if($Username == "" && $Password == ""):
$_SESSION['error'] = "Can't Be Blanked User Name Or Password";
endif;
endif;
CodeLove
  • This is somewhat over the top. Why would you extract `$_POST`? – Script47 Sep 14 '15 at 12:49
  • Also the PHP documentation clearly states not to use it on user input: *Warning Do not use extract() on untrusted data, like user input* (http://php.net/manual/en/function.extract.php) – Script47 Sep 14 '15 at 12:56
  • Usually I do use extract($_POST); instead of $_POST['Username']; etc., and because $_POST is in array form I have to define it like that; simply extract and get the output. Thank you. – CodeLove Sep 14 '15 at 13:24
0

I would suggest using mysqli_real_escape_string

if(!empty($_POST['username'])) $username = mysqli_real_escape_string($dbCon, $_POST['username']);

Same for password.

$sql = 'SELECT id, username, password  FROM use...';
$result = $dbCon->query($sql);
$count = $dbCon->affected_rows;
if ($count == 1)
{
    $_SESSION['username'] = $username;
    $_SESSION['id'] = $userId;
    header('location:../index-2.php');
}else echo "wrong username or password";

Also, I wouldn't save the username in sessions. Look up more on securing sessions.

bluepinto
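A hardened version of the login check discussed in this thread, as an added example that is not code from the question or from any answer: it rejects blank fields first, binds the username as a parameter instead of concatenating it into the SQL, and verifies a password hash. It assumes PDO with an in-memory SQLite table standing in for the MySQL `users` table so it runs without a server; `authenticate()`, the sample user and the test inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the page's MySQL "users" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]); // store a hash, never plaintext

// Hypothetical helper: returns the user id on success, null on any failure.
function authenticate(PDO $db, string $username, string $password): ?int
{
    // 1. Reject blank input before touching the database.
    if (trim($username) === '' || $password === '') {
        return null;
    }
    // 2. Bound parameter: the input is never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // 3. No row means failure. The question's code compared "" == null, which is
    //    true under loose comparison, so two blank fields passed the check.
    if ($row === false) {
        return null;
    }
    // 4. Verify the submitted password against the stored hash.
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

// Constructed inputs covering the cases discussed on this page.
$cases = [
    'both blank'        => ['', ''],
    'blank password'    => ['alice', ''],
    'quote in username' => ["o'neil", 'x'], // would break the concatenated query
    'wrong password'    => ['alice', 'guess'],
    'valid login'       => ['alice', 'correct horse'],
];
foreach ($cases as $label => [$u, $p]) {
    $id = authenticate($db, $u, $p);
    echo str_pad($label, 20), $id === null ? 'rejected' : "accepted (id $id)", PHP_EOL;
}
```

In the page's handler, a non-null result is the point where `$_SESSION['id']` would be set; calling `session_regenerate_id(true)` before that and `exit` after the `header()` redirect are the usual companions.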