
I'm making a login system for my website. I'm newer to PHP coding, and when I press my login button it sends me to "login.php?error=nouser" in the URL even though my email is in my database. I'm not sure if I messed up some code or if something needs to be moved around. I am new to PHP and don't have an eye good enough to spot some of these problems.

<?php

if (isset($_POST['login-submit'])) {
    require 'dbh.inc.php';

    $emailuid = $_POST['emailuid'];
    $password = $_POST['pwduid'];

    if (empty($emailuid) || empty($password)) {
        header("Location: ../login.php?error=emptyfields&emailuid=".$emailuid);
        exit();
    } else {
        $sql = "SELECT * FROM users WHERE emailUsers=?";
        $stmt = mysqli_stmt_init($conn);
        if (!mysqli_stmt_prepare($stmt, $sql)) {
            header("Location: ../login.php?error=sqlerror");
            exit();
        } else {
            mysqli_stmt_bind_param($stmt, "ss", $emailuid, $emailuid);
            mysqli_stmt_execute($stmt);
            $result = mysqli_stmt_get_result($stmt);
            if ($row = mysqli_fetch_assoc($result)) {
                $pwdCheck = password_verify($password, $row['pwdUsers']);
                if ($pwdCheck == flase) {
                    header("Location: ../login.php?error=wrongpassword");
                    exit();
                } elseif ($pwdCheck == true) {
                    session_start();
                    $_SESSION['userId'] = $row['idUsers'];
                    $_SESSION['userfnId'] = $row['fnidUsers'];
                    $_SESSION['userlnId'] = $row['lnidUsers'];

                    header("Location: ../login.php?login=success");
                    exit();
                } else {
                    header("Location: ../login.php?error=wrongpassword");
                    exit();
                }
            } else {
                header("Location: ../login.php?error=nouser");
                exit();
            }
        }
    }
} else {
    header("Location: ../login.php");
    exit();
}

Any type of help is appreciated; I'm learning how this all works. Thanks for the understanding.

Dharman
Corey Rinda
  • [How to enable MySQLi exception mode?](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) – Dharman Jan 24 '19 at 22:07
  • It is so nice to see someone actually follow proper coding practices. However I would recommend not to include any user supplied data in your `header()` calls. This could be abused. – Dharman Jan 24 '19 at 22:10
  • Also you said if ($pwdCheck == **flase**). You probably want it to say false. ;) –  Jan 24 '19 at 22:21

1 Answer


You've only specified one placeholder in your query:

$sql = "SELECT * FROM users WHERE emailUsers=?";

But you've tried to bind two parameters:

mysqli_stmt_bind_param($stmt, "ss", $emailuid, $emailuid);

You probably just want this:

mysqli_stmt_bind_param($stmt, "s", $emailuid);

Also, spelling:

if ($pwdCheck == flase) {

Also, this makes no sense:

if ($pwdCheck == false) {
    ...
} elseif ($pwdCheck == true) {
    ...
} else {
    ...
}

Just do this:

if ($pwdCheck == false) {
    ...
} else {
    ...
}

Or better:

if (password_verify($password, $row['pwdUsers']) === true) {
    ...
} else {
    ....
}

Alex Howansky
  • just do this `if($pwdCheck == false)`, personally I would go with `if(!$pwdCheck)` but I'm lazy... Maybe I would use `empty` instead as that also covers entering empty data. – ArtisticPhoenix Jan 24 '19 at 23:00
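The points raised in the answer and comments (one placeholder bound to one value, a strict check on the result of `password_verify`, MySQLi exception mode, and no raw request data in `header()` calls) pulled together into one handler. This is an added example, not code from the asker or the answerer; it assumes the question's table and column names (`users`, `emailUsers`, `pwdUsers`, `idUsers`, `fnidUsers`, `lnidUsers`) and that `dbh.inc.php` defines a mysqli connection in `$conn`. The lookup is passed in as a callable so the authentication logic can also be run from the command line against a constructed in-memory table, without a database.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's or answerer's code). Column names follow the
// question; dbh.inc.php is assumed to provide a mysqli connection in $conn.

// Turn mysqli errors into exceptions. Set this before the connection is opened
// so connect failures are caught too; a failed prepare no longer passes silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** One "?" in the SQL, one type character, one bound variable. */
function findUserByEmail(mysqli $conn, string $email): ?array
{
    $sql  = "SELECT idUsers, fnidUsers, lnidUsers, pwdUsers FROM users WHERE emailUsers = ?";
    $stmt = mysqli_prepare($conn, $sql);
    mysqli_stmt_bind_param($stmt, "s", $email);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    return $row ?: null;
}

/**
 * Returns the user row on success, null otherwise. $lookup is any callable that
 * takes an email and returns the row or null, so this works against an
 * in-memory table as well as against mysqli.
 */
function authenticate(callable $lookup, string $email, string $password): ?array
{
    $row = $lookup($email);
    // Verify against a throwaway hash when the account does not exist so the
    // missing-user and wrong-password paths take about the same time.
    $hash = $row['pwdUsers'] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if ($row !== null && password_verify($password, $hash) === true) {
        return $row;
    }
    return null;
}

/** Redirect helper: parameters go through http_build_query, never raw into header(). */
function redirectTo(string $path, array $params = []): void
{
    $query = $params === [] ? '' : '?' . http_build_query($params);
    header('Location: ' . $path . $query);
    exit();
}

if (PHP_SAPI === 'cli') {
    // Offline self-check against a constructed table (no database needed).
    $table = [
        'alice@example.com' => [
            'idUsers' => 1, 'fnidUsers' => 'Alice', 'lnidUsers' => 'Example',
            'pwdUsers' => password_hash('correct horse', PASSWORD_DEFAULT),
        ],
    ];
    $lookup = fn(string $e): ?array => $table[$e] ?? null;
    $checks = [
        authenticate($lookup, 'alice@example.com', 'correct horse') !== null,
        authenticate($lookup, 'alice@example.com', 'wrong') === null,
        authenticate($lookup, 'nobody@example.com', 'anything') === null,
    ];
    echo in_array(false, $checks, true) ? "self-check FAILED\n" : "self-check passed\n";
    exit(0);
}

// Web flow, same shape as the question's script.
if (!isset($_POST['login-submit'])) {
    redirectTo('../login.php');
}
require 'dbh.inc.php'; // provides $conn, as in the question

$emailuid = is_string($_POST['emailuid'] ?? null) ? $_POST['emailuid'] : '';
$password = is_string($_POST['pwduid'] ?? null) ? $_POST['pwduid'] : '';
if ($emailuid === '' || $password === '') {
    // Report only the condition; the submitted email is not echoed into the URL.
    redirectTo('../login.php', ['error' => 'emptyfields']);
}

$user = authenticate(fn(string $e): ?array => findUserByEmail($conn, $e), $emailuid, $password);
if ($user === null) {
    // One generic failure code, so the page does not reveal which emails exist.
    redirectTo('../login.php', ['error' => 'wrongpassword']);
}

session_start();
session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['userId']   = $user['idUsers'];
$_SESSION['userfnId'] = $user['fnidUsers'];
$_SESSION['userlnId'] = $user['lnidUsers'];
redirectTo('../login.php', ['login' => 'success']);
```

Run it with `php login.inc.php` from a terminal to exercise the self-check; under a web server the CLI branch is skipped and the request flow runs. The single `wrongpassword` code for both "no such user" and "bad password" is a deliberate departure from the question's two separate codes: with two codes, the login form tells anyone which email addresses are registered.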