Login form partially working -using PDO MySql

PHP
#1

Hi, I’m a PHP newbie and I’m working on a college project. I have developed a login form, it works when I enter the correct username and password but when I enter anything different, I don’t get the error message. I’ve tried var_dump the errors, error reporting but I don’t get any errors. I have changed the page to use bind parameters, moved session_start at the top, and a few other things I’m losing track of but it behaves the same! I don’t understand what am I doing wrong. I’ve read in a few topics that we shouldn’t create users or passwords using text but this is for learning at the moment. Can you assist me, please?

Below is the PHP code:

> <?php 
> session_start();
> error_reporting(E_ALL);
> ini_set('display_errors', 1);
> 
> if (isset($_POST["Login"])) {
>       checkLogin($_POST["Name"], $_POST["Password"]);
>    }
> 
>    function checkLogin($Username, $Password) {
>       
>       $servername = "localhost";
>       $DB_username = "User1";
>       $DB_password = "password";
>       
>       try {
>          $conn = new PDO("mysql:host=" . $servername . ";dbname=e0912343_Fixtures", 
>         
>          $DB_username, $DB_password);
>         
>          $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
>          
>          $statement = $conn->query("SELECT * FROM Admin WHERE Username='" . $Username ."' AND PASSWORD='" . $Password . "'");
>          
>          $result = $statement->fetch();
>          
>          if ($result == null) { // customer id and password doesn't match
>              
>              echo '<script type="text/javascript">alert("The username or password entered is not valid. 
>         Please enter a valid username and password");</script>';
>              
>          } else {
>              // start the session
>              
>              $_SESSION['Name']= $Username;
>              
>              header("location: Admin.php"); // redirect user to the Admin.php web page
>              
>          }
>       }
>       catch(PDOException $e) {
>         
>           echo "An error occured: " . $e->getMessage();
>       }
> 
>       $conn = null;
>   
> }
> 
> ?>
#2

Hi there @Nessyd Welcome to the forums. I have anonymised your login credentials. Even if it is on localhost, it’s never a good idea to post usernames and passwords in a public place. :slight_smile:

#3

Oh! Of course! Thank you!

1 Like
#4

Stripping out the chevrons from your code and pasting it here https://phpcodechecker.com/ gives the following report:

PHP Syntax Check: Parse error: syntax error, unexpected ‘;’ in your code on line 17

$conn = new PDO("mysql:host=" . $servername . ;dbname=e0912343_Fixtures",

I don’t know why that would permit logging in with the correct details but deny it with the incorrect ones though.

#5

You’re actually missing a double quote to validate from. The OP’s code is correct.

That’s correct. The only change you would be doing is using password_hash() and password_verify() in place of weaker hashing algorithms. If you’re not using any, you’d have to use password_hash() on account registration and password_verify() on account login. You’d be at a much bigger advantage if you were using that compared to your peers.