[putha-nee]

Hey all,

I am having a problem with understanding how to authenticate based on database entries.

I have a login page, and a database page which is able to access my database properly. However, I have entries in the database with username and passwords which I am trying to authenticate for, but can't get my hand around how. Here is the authentication php so far. I am getting the username and password entered, but again, don't understand how to put together the if statement in which if the username and password entered by the user are the username and password int he database table, then do something.

<?php
		
	//runs the PDO access code from database.php
	require 'database.php';

	//checks to see if login form was submitted and if so, executes if statement
	if(isset($_GET['submitCredentialsBtn']))
	{
		
		//get the data from the Login.php form
		$userID=$_GET['user'];
		$passwordID=$_GET['password'];
	}

        //queries gautad table to retreive all records
	$query = "Select * FROM table1 where student_id=$userID AND password=$passwordID";
	
	// $users creates the result set
	$users = $db->query($query);

        if ( //this is where i'm lost)
        {
        }
?>

[e_i_pi]

Well, if the student_id and password pair exist in the database, then your query will return a row of data, otherwise it will return no rows of data.

Your database.php file looks like it will contain the class that gets instantiated as $db. It would help if you could post the contents of the database.php file (without the database username and password of course).

Also, if you're matching password in the database with straight text (i.e. - text input directly from a $_GET variable) then you and your users are open to attack. Passwords should always be encrypted. Also, passing over username and password via $_GET is a bad idea - using $_POST is much more secure.

[putha-nee]

The database.php file is below. It just contains the PDO object.

I understand that if the username and password exist, a result will be obtained, but how would i test for this in a if statement.

if {result is in the table}

{ do something |

if { the results aren't in the table }

{do something}


And this is an assign so the prof says to use get, moreso for understanding the general concept of things right now.

<?php

	//data source name
	$dsn= 'mysql:host=localhost;dbname=itec3020';
	//username to access database
	$username='test';
	//passwrod to access database
	$password='test';

	try 
	{
		//creates PDO object
		$db= new PDO($dsn, $username, $password);

	}
	catch (PDOException $e)
	{
		//statement handles the exception
		$error_message = $e->getMessage();
		include('database_error.php');
		exit();
	}
	
?>

This post has been edited by putha-nee: 08 December 2011 - 02:00 PM

[e_i_pi]

Ah, you're using PDOs, good. When you use $db->query, it returns a PDOStatement object. According to the manual, PDOStatement->fetch() returns false when there is no result set, so we can use this to our advantage:

<?php
	// $users creates the result set
	$users = $db->query($query);
	$row_data = $users->fetch();
        if($row_data)
        {
		// user was authenticated, user data is stored in $row_data as PDO::FETCH_BOTH array	
        } else {
		// user could not be authenticated
	}
?>

[putha-nee]

For some reason, I keep getting an error here saying Fatal error: Call to a member function fetch() on a non-object in [file_path] on line 37

 $row_data = $users->fetch();

This post has been edited by putha-nee: 08 December 2011 - 02:40 PM

[Dormilich]

putha-nee, on 08 December 2011 - 09:59 PM, said:

I understand that if the username and password exist, a result will be obtained, but how would i test for this in a if statement.

for a login that is not necessary to test this way. as I explained here you can return the number of rows by using MySQL’s COUNT() function (fetch it with PDOStatement->fetchColumn())

[putha-nee]

I still get the same error saying i am calling a member function on a non-object...

[Dormilich]

what is the code giving that error?

[putha-nee]

Dormilich, on 08 December 2011 - 02:55 PM, said:

what is the code giving that error?

For now, I have it like this, and its giving me an error on the last line when i run it which I don't understand because $users should be an object at the point that i fetch it.

			$query = "SELECT * FROM table1 WHERE student_id=$userID AND password=$passwordID";
			// $users creates the result set
			$users = $db->query($query);
			$users = $users->fetch();

This post has been edited by putha-nee: 08 December 2011 - 02:57 PM

[Dormilich]

should, but it does not need to be.

Quote

Return Values

PDO::query() returns a PDOStatement object, or FALSE on failure.

add

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

after the PDO instantiation

This post has been edited by Dormilich: 08 December 2011 - 03:29 PM

[putha-nee]

After doing what you just suggested, I got another error:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]: Column not found: 1054 Unknown column '$userIDs' in 'where clause'' in C:\xampp\htdocs\assign3\AuthLogin.php:34 Stack trace: #0 [file]: PDO->query('SELECT * FROM g...') #1 {main} thrown in [file] on line 34

This post has been edited by putha-nee: 08 December 2011 - 03:47 PM

[Dormilich]

the error indicates that your query fails. to verify you just can use var_dump($users);. if you set error handling to exceptions, PDO would have thrown the appropriate error.

[putha-nee]

Okay, so I just ran the vardump code you mentioned, and it returned bool(false) which I assume implies or confirms that the query is returning false.

So I changed the query to just SELECT * FROM table1; and the vardump return an object. So the error has to do with checking the username and password which I am getting from the login page with the following:

if(isset($_GET['submitCredentialsBtn']))
	{
		
		//get the data from the Login.php form
		$userIDs=$_GET['user'];
		$passwordIDs=$_GET['password'];
	}

and the original query which returned false was

SELECT * FROM gautad WHERE student_id=$userIDs AND password=$passwordIDs

Do you perhaps see an issue which I am missing

This post has been edited by putha-nee: 08 December 2011 - 04:06 PM

[Dormilich]

hm, if there is no result, why should it return an object?

that’s why I said you should return the number of matching rows. this way you have a result in any way.

EDIT: you need to quote string values … Prepared Statements on the other hand side are easier and way more secure in that regard.

This post has been edited by Dormilich: 08 December 2011 - 04:09 PM

[putha-nee]

FINALLY!!

Yeah, I quoted the strings literally RIGHT BEFORE you posted mate and that resolved thing issue!

Thanks a ton guys

The var_dump and rowCount() are two methods I will never forget!!!

Hours of stupid troubleshooting now worth while!

This post has been edited by putha-nee: 08 December 2011 - 04:14 PM