Please, I need only a small assistance: I do not understand why my select statement does not work; I can log in even with invalid login credentials. I hashed my password on the registration page.
try {
    $Query = "SELECT *password FROM users WHERE username = ?";
    $statement = $conn->prepare($Query);
    $statement->bindValue(':username', $username);
    $statement->execute();
    $user = $statement->fetch(PDO::FETCH_ASSOC);
    $RowCount = $statement->rowCount();
} catch (PDOException $e){ // PDO throws PDOException; PDOerrorInfo is not a class
    die('QuerySCD Error '.$e->getMessage());
}
This is the code I used to hash my password:
$password =password_hash($_POST['password'], PASSWORD_DEFAULT);


What I have tried:

Code alteration; I checked tutorials.
Posted
Updated 20-Oct-20 22:48pm

SQL
$Query = "SELECT *password FROM users WHERE username = ?";

Why is there an asterisk in front of password?
Comments
gavin_daCEO 21-Oct-20 4:34am    
To tell the code and made some adjustments so the asterisk was there, and I did not alter the query statement.
gavin_daCEO 21-Oct-20 4:37am    
I deleted the asterisk but the error still persists.
Richard MacCutchan 21-Oct-20 4:55am    
What error? Please provide proper complete details of your problem.
gavin_daCEO 21-Oct-20 5:20am    
I was able to log in with invalid login credentials, but then after deleting the asterisk and the cache on my computer it works. The only problem that just started is that even when I provide valid login credentials it does not work. Let me check my code to see if I am missing something, and also, if you have any suggestions, please suggest them.
Richard MacCutchan 21-Oct-20 5:31am    
When we ask for complete details of the problem, saying "it does not work" tells us nothing about what or where the problem may be.
First, how come you're using username = ? but then trying to bindValue(':username', $username);? I would expect you to use bindValue(1, $username); because there's no named parameter in your query.

Second, if the issue is that it's allowing you to login regardless of which password you enter, you've omitted the part of the code which checks whether the password is correct. All the code that you've provided does is get any matching users, and get the row count, and that's all it does? I would expect to see some code which checks if the row count is one, and compares the submitted and stored passwords.
Comments
gavin_daCEO 21-Oct-20 5:23am    
This is the complete code for the login page:


if($_SERVER['REQUEST_METHOD'] == 'POST'){

    $username = trim($_POST['username']);

    try{
        $Query = "SELECT * password FROM users WHERE username = :username";
        $statement = $conn->prepare($Query);
        $statement->bindValue(':username', $username);
        $statement->execute();
        $user = $statement->fetch(PDO::FETCH_ASSOC);
        $RowCount = $statement->rowCount();
    } catch (PDOException $e){ // PDO throws PDOException; PDOerrorInfo is not a class
        die('QuerySCD Error '.$e->getMessage());
    }

    if( $RowCount == 0 ){
        $_SESSION['message'] = "error!";
        $message = "Invalid login credentials";
    } else{ // User exists
        if( password_verify($_POST['password'], $user['password'])){
            $_SESSION['username'] = $user['username'];
            $_SESSION['active'] = $user['active'];
            $_SESSION['logged_in'] = true;
            header("location: studentportal.php?onions=no&pickles=yes");
        } else {
            $_SESSION['message'] = "error!";
            //header("location: error-login.php");
            $message = "Invalid login credentials";
        }
    }
}

$conn = NULL;
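Pulling together the two points raised in Richard MacCutchan's answer (the placeholder must match the bindValue() name, and the password must actually be verified), here is a corrected version of the login handler. This is an added example, not the asker's or the answerer's code; it assumes $conn is a PDO connection using PDO::ERRMODE_EXCEPTION (the PHP 8 default) and that users.password holds the password_hash() digest written by the registration page.

```php
<?php
// Added example, not the asker's code. Assumes $conn is a PDO connection
// using PDO::ERRMODE_EXCEPTION (PHP 8 default) and that users.password
// holds a password_hash() digest as produced on the registration page.
session_start();
function authenticate(PDO $conn, string $username, string $password): ?array
{
    // Explicit column list instead of "* password"; the named placeholder
    // now matches the bindValue() call.
    $sql = 'SELECT username, password, active FROM users WHERE username = :username';
    $statement = $conn->prepare($sql);
    $statement->bindValue(':username', $username, PDO::PARAM_STR);
    $statement->execute();
    $user = $statement->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matched. rowCount() is not reliable
    // for SELECT on every driver, so the row itself is the check. Unknown
    // user and wrong password give the same result, so nothing leaks.
    if ($user === false || !password_verify($password, $user['password'])) {
        return null;
    }
    return $user;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';
    try {
        $user = authenticate($conn, $username, $password);
    } catch (PDOException $e) {
        // Keep the driver message in the server log; do not die() with it
        // in the response, which would show the query error to the visitor.
        error_log('login query failed: ' . $e->getMessage());
        $user = null;
    }

    if ($user === null) {
        $_SESSION['message'] = 'error!';
        $message = 'Invalid login credentials';
    } else {
        session_regenerate_id(true);          // fresh session id at login
        $_SESSION['username']  = $user['username'];
        $_SESSION['active']    = $user['active'];
        $_SESSION['logged_in'] = true;
        header('Location: studentportal.php');
        exit;                                 // nothing runs after the redirect
    }
}
$conn = null;
```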

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)