When User enter Incorrect password it dosen't show any output just a blank screen coming the echo statement in else dosen't show anywhere
The both else statement dosen't show any output
Here is my code:
//session_start();
$mobile_no = $_GET[ 'txt1' ];
$password = $_GET[ 'pwd1' ];
$cn = mysqli_connect( 'localhost', 'root', '', 'brilliance' );
if ( $cn )
{
$qry = "SELECT * FROM `users` WHERE mobile_no='$mobile_no' and password='$password'";
$result = mysqli_query( $cn, $qry );
while( $row = mysqli_fetch_row( $result ) )
{
if($qry)
{
$name = $row[ 0 ];
echo '<script>
alert("Welcome '.$name.'");
</script>';
header("Location:/P1/index.htm");
}
else
{
echo 'Mobile Number or Password is Invalid';
echo '<script>
alert("Mobile Number or Password is Invalid");
</script>';
}
}
mysqli_close( $cn );
}
else
{
echo 'Error in Connection';
echo '<script>
alert("Error in Connection");
</script>';
}
?>```
CodePudding user response:
<?php
function echo_and_alert_and_die($msg)
{
echo $msg;
echo "<script> alert('$msg'); </script>";
die;
}
// *********************************************************
$cn = mysqli_connect('localhost', 'root', '', 'brilliance');
if (mysqli_connect_errno())
echo_and_alert_and_die('Error in Connection');
$mobile_no = $_GET['txt1'];
$not_hashed_password = $_GET['pwd1'];
$qry = "SELECT * FROM `users` WHERE mobile_no='$mobile_no' AND password='$not_hashed_password'";
$result = mysqli_query($cn, $qry);
if (!$result)
echo_and_alert_and_die('Select query did not work');
if (mysqli_num_rows($result) < 1)
echo_and_alert_and_die('Mobile Number or Password is Invalid');
if (mysqli_num_rows($result) > 1)
echo_and_alert_and_die('A phone number is supposed to identify one account');
$row = mysqli_fetch_row($result);
$name = $row[0];
echo_and_alert_and_die("Welcome $name");
// header("Location:/P1/index.htm"); // ??
mysqli_close($cn);
CodePudding user response:
Your structure is something that will not show the Mobile Number or Password is Invalid
part.
first, if there wasn't any record the program will not enter the while
block and will not check for the invalid number.
The second problem is about the if($qry)
query is always valid so you should check the $row
like if($row)
.
So we can structure your code this way that prevent SQL injection as well:
<?php
if (session_status() === PHP_SESSION_NONE)
session_start();
if(empty($_GET['pwd1']) OR isset($_GET['pwd1'])){
echo "Error ";
exit();
}
$mobile_no = $_GET[ 'txt1' ];
$password = $_GET[ 'pwd1' ];
try {
$mysqli = new mysqli("localhost", "root", "", "brilliance");
$mysqli->set_charset("utf8mb4");
} catch(Exception $e) {
error_log($e->getMessage());
echo 'Error in Connection';
echo '<script>
alert("Error in Connection");
</script>';
exit();
}
$query = "SELECT * FROM `users` WHERE mobile_no = ? and password = ? ";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("s", $mobile_no);
$stmt->bind_param("s", $password);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows === 0){
echo 'Mobile Number or Password is Invalid';
echo '<script>
alert("Mobile Number or Password is Invalid");
</script>';
exit();
}
//get the first row
$row = $result->fetch_assoc()
$name = $row[0];
$mysqli->close();
echo '<script>
alert("Welcome '.$name.'");
</script>';
//or handle it in php file
//header("Location:/P1/index.php?success=true&message=welocome ${$name}");
?>