If sentence doesn't work well

Asked 1 months ago, Updated 1 months ago, 4 views

We are creating a login function for EC site with PHP.
If you type the data exactly as it is in the database and press the login button,
Enter a description of the image here
Enter a description of the image here

The processing proceeds according to the if statement.
However, other patterns (username match, password mismatch)
When you type in the data and press the login button,
Enter a description of the image here
Enter a description of the image here
The process only progresses to the first if statement.

If you press the login button in another pattern, the result is similar.
(username mismatch, password matching)
Enter a description of the image here
Enter a description of the image here

(username and password mismatch)
Enter a description of the image here
Enter a description of the image here

I think the way you write if sentences is strange.
I apologize for the inconvenience, but please let me know.

Source Code
login.php

<?php
require_once('../.../include/conf/const.php');
require_once('../.../include/model/functions.php');

session_start();
$link = get_db_connect();

if(isset($_POST['login'])){
    $user=$_POST ['user'];
    $password=$_POST ['password'];
    $user_check[] = $user;
    $user_check2[] = $password;
    var_dump($user_check);
    var_dump($user_check2);
    $err_msg = [ ];
    $user_login=login_logic($link,$user,$password);
    $user_name = $user_login[0];
    $user_password=$user_login[1];
    var_dump($user_name);
    var_dump($user_password);
if($user_check[0]==$user_name&$user_check2[0]==$user_password){
    print "a";
} else if($user_check[0]!=$user_name){
    $err_msg ['user'] = 'Usernames do not match.'; 
} else if($user_check2[0]!=$user_password){
    $err_msg ['password'] = 'Passwords do not match.';
} else if($user_check[0]!=$user_name&$user_check2[0]!=$user_password){
    $err_msg ['user'] = 'Usernames do not match.'; 
    $err_msg ['password'] = 'Passwords do not match.';

}

if($user==='){
    $err_msg ['user'] = 'Please enter a username.';
}

if($password==='){
    $err_msg ['password'] = 'Please enter a password.';
}
    
if(count($err_msg)!==0){
     $_SESSION=$err_msg;
    header('Location:login.php');
    return;
    }

}

require_once('../.../include/view/login2.php');

close_db_connect($link);

login2.php

<?php

$err_msg=$_SESSION;

 $_SESSION=array();
 
 session_destroy();
?>


<!DOCTYPE html>
<html lang="ja">
<head>
   <metacharset="UTF-8">
   <title>Login</title>
   <style>
       input{
           display:block;
           margin-bottom —10px;
       }
   </style>
</head>
<body>
   <form action="login.php" method="post">
       <label for="user">Username</label>
       <input type="text" id="user" name="user" value="">
       <?php if(isset($err_msg['user']))): ?>
       <p><?phpecho$err_msg['user'];?>/p>
       <?php endif;?>
       <label for="passwd">Password</label>
       <input type="password" id="password" name="password"value="">
       <?php if(isset($err_msg['password'])) :?>
       <p><?phpecho$err_msg['password'];?>/p>
       <?php endif;?>
       <input type="submit" name="login" value="login">
   </form>

 <a href='../../mvc/userinsert.php'>User Registration Page</a>
</body>
</html>

functions.php

 function login_logic($link,$user,$password){
    $sql='SELECT user, password FROM user_tb where user=\'.$user.'\'AND password=\'.$password.'\';
    $data=[];
    if($result=mysqli_query($link,$sql))}
        while($row=mysqli_fetch_array($result)){
            $data=$row;
           var_dump($data);
        }
    } else{
        $err_msg[] = 'Failed to extract data';
        return$err_msg;
    }
    return$data;
    
}

php

2022-09-30 11:04

1 Answers

It's not that the if statement is written incorrectly, but that you don't understand the specifications of the login_logic function.

The login_logic function returns data in an array if both username and password match.
If it doesn't match, I won't return anything.

The meaning of SQL below returns data that matches both the username and password.
It doesn't matter if only one of them matches.

$sql='SELECT user, password FROM user_tb where user=\'.$user.'\'AND password=\'.$password.'\';

Then, how can I get back the case where only one side matches, but I don't need it.

Let's take a look at the login of another site.If only the password is correct, do you decide whether it matches or not?Please refer to it.

When making a login decision, the important thing is whether the username and password match, and no other matching information is required.
Rather, it can be a security NG.

So basically, when there's an error, it's OK to just send a message that says, "The login information is different" or "Couldn't log in."

Security reasons are
If only the passwords match, then only the passwords of other people can be hit by a list attack.The same goes for the username.
If both matches are determined, the risk of matching even if you win a round-robin match will be much lower.


2022-09-30 11:04

If you have any answers or tips


© 2022 OneMinuteCode. All rights reserved.