I have a php login script which connects to a MySQL Database and my else statement doesn't run -


this question has answer here:

here end login page first checks username against database if user exists if checks password against user in data base if match log in if don't don't log in. , part works fine if username not exist (and wrote supposed catch that) blank white page not intended result. can point out code breaking??

<?php  /*  handles login requests   */  define('db_host', 'localhost'); define('db_name', 'sec_usr'); define('db_user', 'sec_usr'); define('db_pass', 'n89tzah2w3uf4guu');  $con=mysql_connect(db_host,db_user,db_pass) or die("failed connect mysql: " . mysql_error()); $db=mysql_select_db(db_name, $con) or die("failed connect mysql: " . mysql_error());  /*  $id=$_post['user'];  $password = $_post['pass']; */  function login() {      session_start();     if(!empty($_post['user']) && !empty($_post['pass']))      {         $query = mysql_query("select * username username = '$_post[user]'") or die(mysql_error());         $row = mysql_fetch_array($query) or die(mysql_error());         if(!empty($row['username']))         {             if($row['userpass'] === $_post['pass'])             {                 echo"success"; /* works */             }             else             {                 echo"wrong pass"; /* works */             }         }         else         {             echo"wrong user"; /* not work */         }     }       }  if(isset($_post['submit'])) {     login(); }  ?> 

i had added piece question after had asked initial question how use mysqli original question have reverted question had nothing using mysqli had figured if people telling me use mysqli may ask same people how use not how use them together.

as pointed out on comments, problem in part:

$row = mysql_fetch_array($query) or die(mysql_error()); 

the php function mysql_fetch_array() returns false if there no rows found. when user doesn't exist, query return false, , php execute part after or. problem there no error mysql_error() display, since query executed successfully, that's why empty page.

to fix it, do:

$row = mysql_fetch_array($query); if($row) {     if($row['userpass'] === $_post['pass'])     {         echo "success";     }     else     {         echo "wrong pass";     } } else {     echo "wrong user"; } 

to on safe side, in case don't receive either user or pass variable, can add exception in previous if:

if(!empty($_post['user']) && !empty($_post['pass']))  {     // query database... } else {     // code not reach here.     throw new exception("form submitted user/pass not received."); } 

also, aware mysql_query("select * username username = '$_post[user]'") open sql injection attack, must escape username before using inside sql query. can read more on mysql_real_escape_string page. can done (taken page):

$query = sprintf("select * username username = '%s'",     mysql_real_escape_string($_post[user]) ); mysql_fetch_array($query); 

and last, original mysql api deprecated of php 5.5.0, it's recommended use mysqli or pdo_mysql extension.


Comments

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

jdbc - Not able to establish database connection in eclipse -

Kivy: Swiping (Carousel & ScreenManager) -