0

I am in the process of creating a signup system using mysql and PHP. I have been able to connect the system to a database and it works for when the username and password entered are correct. However, when the username and password is not correct (i.e anytime when the username/password pair is not stored in the database), it just leads to a blank white page. Currently, my code has it so that when the username and password are not correct, it prints our "Invalid username of password". Please see the code below, any help is appreciated. Thank you in advance!

    <?php

require_once 'source/session.php';
require_once 'source/db_connect.php';

if(isset($_POST['login-btn'])) {

    $user = $_POST['user-name'];
    $password = $_POST['user-pass'];

    try {
      $SQLQuery = "SELECT * FROM users WHERE username = :username";
      $statement = $conn->prepare($SQLQuery);
      $statement->execute(array(':username' => $user));

      while($row = $statement->fetch()) {
        $id = $row['id'];
        $hashed_password = $row['password'];
        $username = $row['username'];

        if(password_verify($password, $hashed_password)) {
          $_SESSION['id'] = $id;
          $_SESSION['username'] = $username;
          header('location: dashboard.php');
        }
        else {
          echo "Error: Invalid username or password";
        }
      }
    }
    catch (PDOException $e) {
      echo "Error: " . $e->getMessage();
    }

}

?>
anand chokshi
  • 1
  • 3
  • at a guess it _is_ actually directing you to dashboard.php but it's not being handled correctly on _that_ page. **OR** your post var is not set. whats the output if you put an echo outside of all the if statements eg `if($post){...} echo "didn't go in"`; – Joshua Jan 04 '21 at 06:46

1 Answers1

0

Well, currently your SQL query would return a set with 0 rows for a non-existent user, but that would not cause an error. It would just be an empty result set. Therefore it would not go through the while loop, it would just terminate without an error.

Your logic is leaving out the check to see whether $statement->rowCount() is zero.

To clarify in case this answer is confusing: You have 0 results if you enter a username that doesn't exist... then you do while(0) so you never get into that part of the code. No password check is done. And no error is thrown, so you never escape the try{} and get into the catch{} portion of the code. There is nothing returned here if the username turns up zero results from the database. You need to add another error in that case.

joshstrike
  • 1,753
  • 11
  • 15
  • thank you for responding. Can you please explain how I should go about fixing this? – anand chokshi Jan 04 '21 at 07:15
  • After $statement->execute you need to test how many rows were returned with $statement->rowCount(). If the number is zero, then the username did not match anything and you should send an error right away. – joshstrike Jan 04 '21 at 08:15
  • If this answer helps you then please mark it as correct. – joshstrike Jan 04 '21 at 08:16