I keep running into the error where PHP says "We're sorry we can't log you in." according to one of my conditions set even if login is correct and hence my Prepared system to avoid SQL injection fails.
So my code goes like this:
global $connected;
$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);
if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
$usrn = stripslashes($usrn);
$pwwd = stripslashes($pwwd);
$hashFormat = '$2ysomenumber$';
$salt = 'somehashobviously';
$hashF_and_salt = $hashFormat.$salt;
$pwwd = crypt($pwwd, $hashF_and_salt);
if (!mysqli_connect_errno()) {
mysqli_select_db($connected, 'someDbname') or die('Database select error');
} else {
die('Failed to connect to PHPMyAdmin').mysqli_connect_error();
}
$query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?";
$stmt = mysqli_stmt_init($connected);
if (mysqli_stmt_prepare($stmt, $query)) {
//Some error in here somewhere
mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
mysqli_stmt_execute($stmt);
mysqli_stmt_fetch($stmt);
mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);
if (strcasecmp($usrn, $check_usrn) == 0) {
if ($pwwd == $check_pwd) {
echo '<h1 class="text-center">Matches</h1>';
print_r($row);
}
} else {
echo "<h1 class=text-center>We're sorry we can't log you in.</h1>";
}
}
} else { //This is for strlen boolean cond
echo "<h1 class='text-center'>Both fields must not be empty. </h1>";
}
I used to use a login page without prepared statements which was working, but I realised I need to do this for better security. My database is working fine so the problem is near where I added the comment "//Some error in here somewhere".
I am a relatively new PHP programmer that is yet a first year student trying daring new things in the holidays! Will openly read all the help I get, thank you!
