Fabio Posted August 28, 2017

Hi to everyone,

I am preparing the log-in page and when I am going to control if the user is present in the user list with two fields, matricola and password, MySQL returns zero records. I do not understand where the error is because I am a novice in programming with PHP.

The code is:

```php
function controlUser($matricola, $password) {
    include $_SERVER['DOCUMENT_ROOT'] . '../db.conn.php';

    try {
        // Count the rows that match both the matricola and the stored password value
        $sql = 'SELECT COUNT(*) FROM personale WHERE Matricola = :matricola AND password = :password';
        $s = $pdo -> prepare($sql);
        $s -> bindValue(':matricola', $matricola);
        $s -> bindValue(':password', $password);
        $s -> execute();
    } catch (PDOException $e) {
        $error = 'Errore durante la ricerca!';
        include $_SERVER['DOCUMENT_ROOT'] . '../error.html.php';
        exit();
    }

    // Single row, single column: the count
    $row = $s -> fetch();
    if ($row[0] > 0) {
        return TRUE;
    } else {
        return FALSE;
    }
}
```

dsonesuk Posted August 28, 2017

Is the password in the database encrypted? Is the password you are comparing encrypted?

Fabio Posted August 29, 2017 (Author)

Yes, it is encrypted with the MD5 function. I controlled the variable $password and it was correct with that in the database.

justsomeguy Posted August 29, 2017

MD5 is not encryption, and MD5 has not been suitable for cryptographic use since the mid-90s. PHP has several built-in functions specifically for storing and verifying passwords:

http://php.net/manual/en/ref.password.php

If that function is returning false then it sounds like the username and password values don't match what is in the database. You can try to print those values out and verify what is in the database to make sure they match, but it sounds like they don't.

Gabrielphp Posted August 30, 2017

Try using fetchAll() instead of fetch().

justsomeguy Posted August 30, 2017

That wouldn't affect anything, it only returns 1 row. Although I have seen a recent MySQL bug where COUNT(*) was returning 0 even when there were matching rows. But there's still plenty of verification to do here before deciding it's a bug in MySQL.

Fabio Posted August 31, 2017 (Author)

Hi,

I tried with fetchAll() and it works. Now, I am going to change the code about password cryptography.

Thank you

justsomeguy Posted August 31, 2017

You might want to double-check that before deciding that using fetchAll works. Enter a username and an incorrect password and see whether using fetchAll with the same code lets you log in with the wrong password.

Gabrielphp Posted September 3, 2017

On 8/31/2017 at 8:32 PM, justsomeguy said:
> You might want to double-check that before deciding that using fetchAll works. Enter a username and an incorrect password and see whether using fetchAll with the same code lets you log in with the wrong password.

It shouldn't let him log in as long as there is no other user with the same "Matricola" as in his SQL. I'm using fetchAll myself and I intentionally created another username with the same password as my other username and it won't log me in.

justsomeguy Posted September 5, 2017

I suppose it depends how PHP decides to cast an array to an integer, because without changing any other code, now this:

```php
$row = $s -> fetchAll();
if ($row[0] > 0)
```

is testing whether the array that contains the count is greater than 0. That test doesn't make sense; just switching to fetchAll and making no other changes is not correct. If you're expecting a single record with a single column - the count - then use fetch and check the first column like he did. That's the correct thing to do. Using fetchAll on a query that will only ever return one record isn't the right tool for the job.

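Added example, not part of any post in this thread: a login check built on PHP's `password_hash()` / `password_verify()` functions from the manual page linked above, next to the thread's `COUNT(*)` check with only `fetch()` swapped for `fetchAll()`, so the wrong-password test suggested above can be run directly. Assumptions: an in-memory SQLite database stands in for MySQL, the matricola `A1001` and its password are constructed sample data, `controlUser()` takes the PDO handle as a parameter, and `countCheckWithFetchAll()` is a hypothetical name.

```php
<?php
// Added example with constructed data; in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE personale (Matricola TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Store a salted, deliberately slow hash instead of md5($password).
$ins = $pdo->prepare('INSERT INTO personale (Matricola, password) VALUES (:matricola, :hash)');
$ins->execute([':matricola' => 'A1001', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Look the user up by matricola only, then verify the password in PHP.
// The hash is salted, so it cannot be matched inside the WHERE clause.
function controlUser(PDO $pdo, string $matricola, string $password): bool
{
    $s = $pdo->prepare('SELECT password FROM personale WHERE Matricola = :matricola');
    $s->bindValue(':matricola', $matricola);
    $s->execute();
    $hash = $s->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// The thread's COUNT(*) check with fetch() replaced by fetchAll() and nothing else changed.
function countCheckWithFetchAll(PDO $pdo, string $matricola, string $storedValue): bool
{
    $sql = 'SELECT COUNT(*) FROM personale WHERE Matricola = :matricola AND password = :password';
    $s = $pdo->prepare($sql);
    $s->execute([':matricola' => $matricola, ':password' => $storedValue]);
    $row = $s->fetchAll();       // list of rows; $row[0] is itself an array holding the count
    return $row[0] > 0;          // array compared with int: PHP treats the array as greater
}

var_dump(controlUser($pdo, 'A1001', 'correct horse'));     // correct password
var_dump(controlUser($pdo, 'A1001', 'wrong'));             // wrong password
var_dump(controlUser($pdo, 'nobody', 'correct horse'));    // unknown matricola
var_dump(countCheckWithFetchAll($pdo, 'A1001', 'wrong'));  // wrong value, fetchAll variant
```

The last call is the regression test for the `fetchAll()` change: if it reports true for a value that is not stored, the check accepts any password.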