I upgraded my server to PHP 8 and now when I log in without a valid username I get:

Warning: Trying to access array offset on value of type null in

If I understand correctly, it's due to PHP now catching this issue, and old versions didn't pick it up. I have to be honest and say this is out of my league, so I'm hoping someone can help adjust the code. According to the error it's on line 117, which is

    if (password_verify($password, $user['password']))

Full code for the section is below; if you need anything else, let me know.

    // CHECK IF DETAILS ENTERED ARE VALID (VALIDATION!)
    if (empty($username)) {
        $errors['username'] = "Username required";
    }
    if (empty($password)) {
        $errors['password'] = "Password required";
    }

    if (count($errors) === 0) {
        $sql = "SELECT * FROM users WHERE email=? OR username=? LIMIT 1";
        $stmt = $conn->prepare($sql);
        $stmt->bind_param('ss', $username, $username,);
        $stmt->execute();
        $result = $stmt->get_result();
        $user = $result->fetch_assoc();

        if (password_verify($password, $user['password'])) {
            // LOGIN SUCCESS
            $_SESSION['id'] = $user['id'];
            $_SESSION['username'] = $user['username'];
            $_SESSION['email'] = $user['email'];
            $_SESSION['verified'] = $user['verified'];
            // SET USER MESSAGE ON HOME PAGE
            $_SESSION['message'] = "You are now logged in";
            $_SESSION['alert-class'] = "alert-success";
            header('location: index.php');
            exit(0);
        } else {
            $errors['login_fail'] = "Sorry wrong credentials";
        }
    }

Hoube78

  • Is `$user = $result->fetch_assoc();` returning null? Better check that before going `$user['password']`. – ggorlen Apr 15 '21 at 21:38
  • Better still, why not hash password and search for user/hashed password combination in the db? If there are no results, your user/password combination is wrong. Also, you mitigate the risk of knowing if just password is wrong, just the username or both (it's a security risk). This way you simply look at the result's row count and don't even need to fetch the user, set token, session, cookie with subject id of the username and move on. – Tala Apr 15 '21 at 21:44
  • So I don't see the error if I enter a valid username; it only occurs when an invalid username is entered. So yes, it must be returning null as it's an invalid username. – Hoube78 Apr 15 '21 at 21:45
  • @UdoE. PHP upgrade has nothing to do with the data on the database. Heck! Even database upgrades have nothing to do with the data on the database! – Tala Apr 15 '21 at 21:48
  • So if I understand correctly, what happens before line 117 is the website is checking if I have a username or email in the database. If it does not find any match, then this is when it throws the error. This also matches my testing, where it only throws the error when an invalid username or email is entered. – Hoube78 Apr 15 '21 at 21:49
  • @Cunning "why not hash password and search" because the output of `password_hash()` is not consistent due to the automatic generation of the salt. – Sammitch Apr 15 '21 at 21:50
  • I don't believe the error is occurring in this code. I think it occurs where `$username` is set. The error message includes a line number. Please post the complete error message, and the section of code that includes that line. – Tangentially Perpendicular Apr 15 '21 at 21:53
  • @TangentiallyPerpendicular The error occurs on line 117, which I posted, but I think you are correct: the issue is not password but username, as it only gives the error when an invalid username is entered. So when it does not catch a valid username, then it throws the error. The code for this is included if it helps. – Hoube78 Apr 15 '21 at 21:58

0 Answers
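
An added example, not part of the original question or its comments: one way to check the `fetch_assoc()` result before calling `password_verify()`, which also shows the point raised in the comments that `password_hash()` output differs on every call. The names `authenticate` and `DUMMY_HASH` and the sample row are assumptions made for this illustration; the database lookup is replaced by constructed data so the script runs on its own.

```php
<?php
// Added example, not the asker's code. authenticate(), DUMMY_HASH and the
// sample row are hypothetical names and constructed data.

// Hash of a throwaway value, verified against when no row matched, so the
// "unknown user" and "wrong password" paths both run password_verify().
// (Assumption: a real deployment would store a precomputed hash instead.)
define('DUMMY_HASH', password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT));

/**
 * $user is the value returned by mysqli_result::fetch_assoc():
 * an array for a matching row, null when no row matched, false on failure.
 * Returns the row on success, null on any failure.
 */
function authenticate(array|null|false $user, string $password): ?array
{
    // Indexing null is what raises "Trying to access array offset on value
    // of type null" in PHP 8, so pick the hash only after checking the type.
    $found = is_array($user);
    $hash  = $found ? $user['password'] : DUMMY_HASH;
    $ok    = password_verify($password, $hash);

    return ($found && $ok) ? $user : null;
}

// Constructed row standing in for a record from the users table.
$row = [
    'id' => 1, 'username' => 'alice', 'email' => 'alice@example.test', 'verified' => 1,
    'password' => password_hash('correct horse', PASSWORD_DEFAULT),
];

$cases = [
    'known user, right password' => authenticate($row, 'correct horse'),
    'known user, wrong password' => authenticate($row, 'wrong'),
    'no matching row (null)'     => authenticate(null, 'anything'),
];
foreach ($cases as $label => $result) {
    // Both failure cases map to the same generic message, as in the question.
    echo $label, ': ', $result !== null ? 'login ok' : 'Sorry wrong credentials', PHP_EOL;
}

// password_hash() salts every call, so hashing the submitted password again
// does not reproduce the stored string; it cannot be matched in a WHERE clause.
$again = password_hash('correct horse', PASSWORD_DEFAULT);
echo 'rehash equals stored hash: ', var_export($again === $row['password'], true), PHP_EOL;
```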