-2

I have created a login page however I'm having a hard time authenticating the user. I am able to establish a connection however my sanitation is not working. I'm not sure if its the select statement or HTML related. I've played around with different SELECT statements and troubleshooted the code further up but that doesn't seem to be the problem.

<?php

// Now I check if the data from the login form was submitted, isset() will check if the data exists.
if (!isset($_POST['username'], $_POST['user_password'])) {
    echo 'error2';
    // Could not get the data that should have been sent.
    exit('Please fill both the username and password fields!');
}

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $con->prepare("SELECT id, username, user_password FROM user_info WHERE username = ?")) {
    // Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
    $stmt->bind_param('s', $_POST['username']);
    $stmt->execute();
    // Store the result so we can check if the account exists in the database.
    $stmt->store_result();

    if ($stmt->num_rows > 0) {
        $stmt->bind_result($id, $user_password);
        $stmt->fetch();
        // Account exists, now we verify the password.
        // Note: remember to use password_hash in your registration file to store the hashed passwords.
        if (password_verify($_POST['user_password'], $user_password)) {
            // Verification success! User has loggedin!
            // Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
            session_regenerate_id();
            $_SESSION['loggedin'] = true;
            $_SESSION['name'] = $_POST['username'];
            $_SESSION['id'] = $id;
            echo 'Welcome ' . $_SESSION['name'] . '!';
        } else {
            echo 'Incorrect password!';
        }
    } else {
        echo 'Incorrect username!';
    }

    $stmt->close();
} else {
    echo 'error3';
}
Dharman
  • 30,962
  • 25
  • 85
  • 135
Lawrence_matei
  • 77
  • 8

1 Answers1

0

You're selecting 3 columns in SELECT id, username, user_password but you're only binding two variables in $stmt->bind_result($id, $user_password);. This mismatch will cause an error.

There's no need to select username since that's the column you're matching in the WHERE clause. Change the select list to SELECT id, user_password to match the variables you're binding.

Barmar
  • 741,623
  • 53
  • 500
  • 612
  • 1
    If this was the case OP would be getting a warning. Either they do not have error reporting switched on or the code never gets that far. – Dharman Mar 30 '20 at 20:33
  • Dharman is right, it doesnt seem to go past if ($stmt = $con -> prepare("SELECT id, user_password FROM user_info WHERE username = ?")) { – Lawrence_matei Mar 30 '20 at 20:36
  • 1
    If it's not getting past there, you should be getting `error3`. Change that to display the SQL error. – Barmar Mar 30 '20 at 20:41
  • Thats how i discovered its not getting there. Im getting error3 to display and the rest is a blank screen. – Lawrence_matei Mar 30 '20 at 20:44
  • You should print `$con->error` to see the reason. – Barmar Mar 30 '20 at 20:45