Member Avatar for cosmo13

Hey there! I don't know why "Your Password is Incorrect!" is printed before I fillin the form. I've started learning php two weeks ago

<!DOCTYPE html>
<html>
    <head>
    </head>
    <body>

<form action = "" method="POST">

        <label id="first"> Name: </label><br/>
        <input type="text" name="username" placeholder= "Name" required><br/>

        <label id="first">Password: </label><br/>
        <input type="password" name="password" required><br/>

        <input type="submit" name= "submit" value="Sign in">
        </form>

    </body>
</html>
<?php
     require('p.php');   
    if(isset($_POST['submit'])){
      if(isset($_POST['username']) && isset($_POST['password'])){

        $username = $_POST['username'];
        $password = $_POST['password'];

    $sql = "SELECT * FROM mydatab.form WHERE name='$username' AND passw='$password' limit 1";
    $result = mysqli_query($conn, $sql) or trigger_error(mysqli_error($conn), E_USER_ERROR) ;

    if(mysqli_num_rows($result) === 1){
        echo " You Have Successfully Logged in";
    }
    else{
        echo " Your Password is Incorrect!";
    } }
    mysqli_close($conn);
}
?>
  • 4 Contributors
  • 9 Replies
  • 176 Views
  • 3 Days Discussion Span
  • Latest Post Latest Post by Biiim
Member Avatar for rproffitt

Which line do you feel is failing?

I'd print the result out as noted at https://www.w3schools.com/php/func_mysqli_num_rows.asp to see what is going on. It could be correct behavior if there is more than one match in the database.

Beyond that this code appears to store passwords in a database (never do that!) and looks to be exploitable with injections.
That's two big strikes against this code and if it was submitted at work or in a classroom it would be rejected then we begin again to discuss both of those topics.

commented: I tried the code from the link and it works fine. +0
Member Avatar for Dani

Are you saying it gives the error message even if you are not intending to submit the form but rather just load the page to display the form to fill out?

What are the contents of the p.php file?

commented: p.php file creates connection to database and checks it +0
Member Avatar for cosmo13 
<?php
     require('p.php');   


    $sql="SELECT name,passw FROM mydatab.form ORDER BY name";

    if ($result=mysqli_query($conn,$sql))
      {
      // Return the number of rows in result set
      $rowcount=mysqli_num_rows($result);
      printf("Result set has %d rows.\n",$rowcount);
      // Free result set
      mysqli_free_result($result);
      }


    mysqli_close($conn);

?>

It prints: Result set has 18 rows.

Member Avatar for rproffitt

18 rows would indeed cause the origianal top post to do the password is incorrect if that was the result.
But we want to see the number of rows at line 30 in your original code (top post.)

commented: No sorry it prints 18 rows +0
Member Avatar for Biiim

My guess on it saying "Your Password is Incorrect!" is that when you refresh a page that has been "post"ed to it will ask if you want to confirm resubmitting the form data, if you say yes it will send the post data again.

Otherwise based on your code it means that isset($_POST['submit']) is evaluating to true, isset($_POST['username']) && isset($_POST['password']) is evaluating to true and mysqli_num_rows($result) === 1 is evaluating to false.

Try adding var_dumps to detect it:

<?php
var_dump($_POST);
require('p.php');
if(isset($_POST['submit'])){
    echo 'submit exists';
    if(isset($_POST['username']) && isset($_POST['password'])){
        echo 'username & password exists';
        $username = $_POST['username'];
        $password = $_POST['password'];

        $sql = "SELECT * FROM mydatab.form WHERE name='$username' AND passw='$password' limit 1";
        $result = mysqli_query($conn, $sql) or trigger_error(mysqli_error($conn), E_USER_ERROR) ;

        if(mysqli_num_rows($result) === 1){
            echo "1 row";
            echo " You Have Successfully Logged in";
        }else{
            echo " Your Password is Incorrect!";
            echo "not exactly 1 row: ".var_dump(mysqli_num_rows($result));
        }
    }
    mysqli_close($conn);
}
echo "end";
?>
commented: Excellent advice. Time to see what is in those variables. +15
commented: I tried your code and it prints: array(3) { ["username"]=> string(4) "Eric" ["password"]=> string(4) "1234" ["submit"]=> string(7) "Sign in" } submit +0
Member Avatar for cosmo13

I tried the code using var_dumps and it prints:
array(3) { ["username"]=> string(4) "Eric" ["password"]=> string(4) "1234" ["submit"]=> string(7) "Sign in" } submit existsusername & password exists Your Password is Incorrect!int(0) not exactly 1 row: end
But I can't see how this helps me to fix the problem.

commented: What if Eric has 18 entries in the database? Next thing to check. +15
commented: That code tells me that mysqli_num_rows() is returning 0. So your username and password do not match to an entry in the database. +8
Member Avatar for Biiim

I tried the code using var_dumps and it prints:
array(3) { ["username"]=> string(4) "Eric" ["password"]=> string(4) "1234" ["submit"]=> string(7) "Sign in" } submit existsusername & password exists Your Password is Incorrect!int(0) not exactly 1 row: end

So if you follow the print outs it tells you that it is getting to here if(mysqli_num_rows($result) === 1){ and is evaulating to false because mysqli_num_rows($result) is an integer of 0.

This means $sql = "SELECT * FROM mydatab.form WHERE name='$username' AND passw='$password' limit 1"; is not finding any rows in the database.

What about doing $sql = "SELECT * FROM mydatab.form WHERE name='{$username}' AND passw='{$password}' limit 1"; I usually put curly brackets around php variables in strings so i'm not sure if it will translate the variable without curly brackets around them

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.