I fetch data from the server, but when the user enters a wrong password the else statement doesn't work

Time:02-28

When the user enters an incorrect password, it doesn't show any output, just a blank screen; the echo statement in the else doesn't show anywhere.

Both else statements don't show any output.

Here is my code:


```php
<?php
//session_start();

$mobile_no = $_GET[ 'txt1' ];
$password = $_GET[ 'pwd1' ];

$cn = mysqli_connect( 'localhost', 'root', '', 'brilliance' );
    if ( $cn )
    {
        $qry = "SELECT * FROM `users` WHERE mobile_no='$mobile_no' and password='$password'";

        $result = mysqli_query( $cn, $qry );
        while( $row = mysqli_fetch_row( $result ) )
        {
            if($qry)
            {
                $name = $row[ 0 ];
                echo '<script>
                    alert("Welcome '.$name.'");
                    </script>';
                header("Location:/P1/index.htm");
            }
            else
            {
                echo 'Mobile Number or Password is Invalid';
                echo '<script>
                    alert("Mobile Number or Password is Invalid");
                    </script>';
            }
        }

        mysqli_close( $cn );
    }
    else
    {
        echo 'Error in Connection';
        echo '<script>
                alert("Error in Connection");
                </script>';
    }

?>
```

CodePudding user response:

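```php
<?php
function echo_and_alert_and_die($msg)
{
    // Encode for each output context: $msg can contain a name read from the database.
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    echo '<script> alert(' . json_encode($msg, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . '); </script>';
    die;
}
// *********************************************************

$cn = mysqli_connect('localhost', 'root', '', 'brilliance');
if (mysqli_connect_errno())
    echo_and_alert_and_die('Error in Connection');

$mobile_no = $_GET['txt1'];
$not_hashed_password = $_GET['pwd1'];
// Request values are interpolated straight into the SQL text here, so this
// query is injectable; bind them as parameters (mysqli_prepare) instead.
$qry = "SELECT * FROM `users` WHERE mobile_no='$mobile_no' AND password='$not_hashed_password'";

$result = mysqli_query($cn, $qry);

if (!$result)
    echo_and_alert_and_die('Select query did not work');

// An empty result set is the "wrong credentials" case.
if (mysqli_num_rows($result) < 1)
    echo_and_alert_and_die('Mobile Number or Password is Invalid');

if (mysqli_num_rows($result) > 1)
    echo_and_alert_and_die('A phone number is supposed to identify one account');

$row = mysqli_fetch_row($result);

$name = $row[0];
echo_and_alert_and_die("Welcome $name");
// header("Location:/P1/index.htm"); // ??

// Not reached: echo_and_alert_and_die() ends the script, and PHP closes the connection on exit.
mysqli_close($cn);
```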

CodePudding user response:

Your structure is something that will not show the Mobile Number or Password is Invalid part.

First, if there isn't any record, the program will not enter the while block and will not check for the invalid number.

The second problem is the if($qry): the query is always valid, so you should check the $row, like if($row).

So we can structure your code this way, which prevents SQL injection as well:

```php
<?php

if (session_status() === PHP_SESSION_NONE)
    session_start();

// Both fields are required; stop early if either one is missing or empty.
if (empty($_GET['txt1']) || empty($_GET['pwd1'])) {
    echo "Error ";
    exit();
}

$mobile_no = $_GET['txt1'];
$password = $_GET['pwd1'];

// Make mysqli throw exceptions so the catch block below runs on a failed connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

try {
  $mysqli = new mysqli("localhost", "root", "", "brilliance");
  $mysqli->set_charset("utf8mb4");
} catch(Exception $e) {
  error_log($e->getMessage());
  echo 'Error in Connection';
  echo '<script>
        alert("Error in Connection");
        </script>';
  exit();
}

$query = "SELECT * FROM `users` WHERE mobile_no = ? and password = ? ";
$stmt = $mysqli->prepare($query);
// One call binds both placeholders; "ss" declares two string parameters.
$stmt->bind_param("ss", $mobile_no, $password);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows === 0) {
     echo 'Mobile Number or Password is Invalid';
     echo '<script>
        alert("Mobile Number or Password is Invalid");
        </script>';
     exit();
}

// get the first row as a numeric array, so $row[0] is the first column
$row = $result->fetch_row();
$name = $row[0];

$mysqli->close();
// json_encode() with the HEX flags keeps a stored name from breaking out of the script string.
echo '<script>
alert(' . json_encode("Welcome $name", JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT) . ');
</script>';
//or handle it in php file
//header('Location: /P1/index.php?success=true&message=' . urlencode("welcome $name"));

?>
```
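
The two structures side by side, as an added example that is not part of the question or either answer: it shows why the else inside the loop never prints, and how a quote in the input changes the concatenated query but not the bound one. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the table contents, the helper names `login_loop` and `login_bound`, and the sample inputs are constructed for illustration, and the plaintext password comparison mirrors the code on this page.

```php
<?php
// Added example: constructed table and row, SQLite in memory instead of MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, mobile_no TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('Asha', '5550100', 'correct-horse')");

// Structure from the question: the else branch lives inside the row loop.
function login_loop(PDO $db, string $mobile, string $pwd): string
{
    $out = '';
    $qry = "SELECT * FROM users WHERE mobile_no='$mobile' AND password='$pwd'";
    foreach ($db->query($qry) as $row) {
        if ($qry) {                        // a non-empty string, so always true
            $out = "Welcome {$row[0]}";
        } else {
            $out = 'Mobile Number or Password is Invalid'; // never reached
        }
    }
    return $out;                           // zero rows: the loop body never ran
}

// Structure from the second answer: bound parameters, then test for "no row".
function login_bound(PDO $db, string $mobile, string $pwd): string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE mobile_no = ? AND password = ?');
    $stmt->execute([$mobile, $pwd]);
    $row = $stmt->fetch(PDO::FETCH_NUM);
    return $row === false
        ? 'Mobile Number or Password is Invalid'
        : "Welcome {$row[0]}";
}

// Constructed inputs: a valid login, a wrong password, and a password with a quote in it.
$cases = [
    'correct password' => ['5550100', 'correct-horse'],
    'wrong password'   => ['5550100', 'nope'],
    'quote in input'   => ['5550100', "x' OR '1'='1"],
];
foreach ($cases as $label => [$m, $p]) {
    printf("%-17s loop=[%s] bound=[%s]\n",
        $label, login_loop($db, $m, $p), login_bound($db, $m, $p));
}
```

For the wrong password the loop version returns an empty string, which is the blank screen described in the question; for the input containing a quote only the bound version rejects the login.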