Hiya,
It seems to me that if I put a condition on mysqli_stmt_fetch($stmt); to check if user credentials were ok enough for the data to be fetched, then the whole purpose of using the following function is defeated: password_verify()
This is what I mean:
function process_login_form()
{
    //Query DB.
    //Check if User already logged in or not.
    mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);
    $conn = mysqli_connect("localhost","root","","buzz");
    //Signature reminder: mysqli_connect("server","user","password","db");
    $stmt = mysqli_stmt_init($conn);
    $sql_count = "SELECT password FROM domains WHERE domain_email = ?";
    if(!mysqli_stmt_prepare($stmt,$sql_count))
    {
        unset_sessions();
        echo 'ERROR 1: Something went wrong. Please try again later!';
    }
    else
    {
        mysqli_stmt_bind_param($stmt,"s",$_SESSION['domain_email']);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt,$db_password);
        //First fetch: reads the row (if any) into $db_password.
        mysqli_stmt_fetch($stmt);
        //Second fetch on the same statement, with its return value tested.
        if(!mysqli_stmt_fetch($stmt))
        {
            echo __LINE__; echo '<br>';
            echo 'ERROR 2: Fetching failed';
        }
        if(!password_verify(trim($_POST['password']),$db_password)) //Incorrect User Credentials.
        {
            echo __LINE__; echo '<br>';
            mysqli_stmt_close($stmt);
            mysqli_close($conn);
            unset_sessions();
            echo 'ERROR 3: <b>Incorrect User Credentials!</b><br>';
        }
        else //Correct User Credentials.
        {
            header('location: home_Template.php');
        }
    }
}
When I type a wrong password, the script ends here:
    if(!mysqli_stmt_fetch($stmt))
    {
        echo __LINE__; echo '<br>';
        echo 'ERROR 2: Fetching failed';
    }
So this part prevents the user logging into his account if the password is wrong. Therefore, no need to check the password with password_verify() if I add a condition on mysqli_stmt_fetch().
So now I conclude that, if I add a condition on mysqli_stmt_fetch() then no need for me to check for password correction with password_verify(),
and, if I want to check for password correction with password_verify() then no need to add a condition on mysqli_stmt_fetch(), like so:
    if(!mysqli_stmt_fetch($stmt))
    {
        echo __LINE__; echo '<br>';
        echo 'ERROR 2: Fetching failed';
    }
And I should just write like this:
    mysqli_stmt_fetch($stmt)
Correct or not?
Anyway, what is the downside of checking for password correction with
    if(!mysqli_stmt_fetch($stmt))
    {
        echo __LINE__; echo '<br>';
        echo 'ERROR 2: Incorrect User Credentials';
    }
rather than with
    if(!password_verify(trim($_POST['password']),$db_password)) //Incorrect User Credentials.
    {
        echo __LINE__; echo '<br>';
        mysqli_stmt_close($stmt);
        mysqli_close($conn);
        unset_sessions();
        echo 'ERROR 3: <b>Incorrect User Credentials!</b><br>';
    }
    else //Correct User Credentials.
    {
        header('location: home_Template.php');
    }
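
An added example, not part of the original post: the query above filters only on domain_email, so mysqli_stmt_fetch() reports whether a row was read (true), no row exists (null) or an error occurred (false), and the password itself still has to go through password_verify(). The names classify_login() and check_login() are hypothetical, the table and column come from the post, and the sample hash is constructed.

```php
<?php
// Added example, not the poster's code. classify_login() and check_login()
// are hypothetical helpers; the sample hash below is constructed.

// Decide one login attempt from what mysqli_stmt_fetch() returned
// (true = row fetched, null = no matching row, false = error) and the hash.
function classify_login(?bool $fetched, ?string $dbHash, string $password): string
{
    // Hash of a random string, verified against when no row exists so that
    // unknown accounts cost the same password_verify() work as known ones.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

    if ($fetched === false) {
        return 'error';               // database problem, not a bad login
    }
    $hash = ($fetched === true && $dbHash !== null) ? $dbHash : $dummy;
    $ok   = password_verify($password, $hash);
    // Same answer for "no such account" and "wrong password".
    return ($fetched === true && $ok) ? 'ok' : 'denied';
}

// Assumes mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT) is set,
// as in the post, so prepare/execute failures throw instead of returning false.
function check_login(mysqli $conn, string $email, string $password): string
{
    $stmt = mysqli_prepare($conn, 'SELECT password FROM domains WHERE domain_email = ?');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $dbHash);
    $fetched = mysqli_stmt_fetch($stmt);   // called exactly once
    mysqli_stmt_close($stmt);
    return classify_login($fetched, $dbHash, $password);
}

// Constructed cases that run without a database.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(classify_login(true,  $hash, 'correct horse')); // row found, right password
var_dump(classify_login(true,  $hash, 'wrong'));         // row found, wrong password
var_dump(classify_login(null,  null,  'anything'));      // no such account
var_dump(classify_login(false, null,  'anything'));      // fetch error
```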