Problem to return invalid email message and invalid password

Good night,

I am learning PHP PDO and building a basic system: a login page checks whether the user exists and, if so, redirects to the index page, where a session is created. Up to that point it is fine. My problem is when a wrong password or wrong email is entered. I wrote a condition to check for this, but it is not working: when I enter the wrong password it shows the wrong-password message, but when I enter the wrong email it shows the same wrong-password message. Could someone give me a hint, please? I have been at this for about three days and I can't get past the login page.

The code follows:

<?php

session_start();
include "conexao.php";
$cliente_email = $_POST['cliente_email'];
$cliente_senha = $_POST['cliente_senha'];

$pdo = conectar();

$buscar_cliente = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
$buscar_cliente->bindValue(":email", $cliente_email);
$buscar_cliente->bindValue(":senha", $cliente_senha);
$buscar_cliente->execute();
// fetch() returns the matching row, or false when no row matched
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);

if ($cliente_email == $validar_cliente['EMAIL_USUARIO'] AND $cliente_senha == $validar_cliente['SENHA_USUARIO']):

    $_SESSION['EMAIL_USUARIO'] = $cliente_email;
    $_SESSION['SENHA_USUARIO'] = $cliente_senha;
    header('location:index.php');

else:

    // a single "=" here assigns 0 instead of comparing, so this condition is always false
    if ($validar_cliente['EMAIL_USUARIO'] = 0):
        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=naoemail');

    else:

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=naosenha');
    endif;
endif;

?>

Thank you in advance.

  • Do the following: put a var_dump($validar_cliente) below the $validar_cliente = ... line and check whether $validar_cliente['EMAIL_USUARIO'] is actually coming in with the value 0.

2 answers

What is happening is this: when a wrong email or user is passed, it will not exist in the database, so there is no data in $validar_cliente and the comparisons don't work. To fix it, check whether the query returned something, or else give the error.

For convenience and security reasons, it is not good practice to tell the user whether they got the email or the password wrong, as it may make life easier for an attacker.

To resolve it, without identifying whether it was the password or the email:

<?php

session_start();
include "conexao.php";
$cliente_email = $_POST['cliente_email'];
$cliente_senha = $_POST['cliente_senha'];

$pdo = conectar();

$buscar_cliente = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
$buscar_cliente->bindValue(":email", $cliente_email);
$buscar_cliente->bindValue(":senha", $cliente_senha);
$buscar_cliente->execute();
// one row when email and password matched, false otherwise
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);

if ($validar_cliente):

    $_SESSION['EMAIL_USUARIO'] = $cliente_email;
    $_SESSION['SENHA_USUARIO'] = $cliente_senha;
    header('location:index.php');
    exit; // stop the script after the redirect header

else:

    // a single generic error for both cases
    unset($_SESSION['EMAIL_USUARIO']);
    unset($_SESSION['SENHA_USUARIO']);
    header('location:login.php?area=loginerrado');
    exit;

endif;

?>

Now, to know whether it was the password or the email, you need to do a few more things:

<?php

session_start();
include "conexao.php";
$cliente_email = $_POST['cliente_email'];
$cliente_senha = $_POST['cliente_senha'];

$pdo = conectar();

$buscar_cliente = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
$buscar_cliente->bindValue(":email", $cliente_email);
$buscar_cliente->bindValue(":senha", $cliente_senha);
$buscar_cliente->execute();
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);

if ($validar_cliente):

    $_SESSION['EMAIL_USUARIO'] = $cliente_email;
    $_SESSION['SENHA_USUARIO'] = $cliente_senha;
    header('location:index.php');
    exit;

else:
    // second query: which of the two fields matched on its own?
    $buscar_erro = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email OR SENHA_USUARIO=:senha");
    $buscar_erro->bindValue(":email", $cliente_email);
    $buscar_erro->bindValue(":senha", $cliente_senha);
    $buscar_erro->execute();
    // fetchAll() so the loop below iterates over rows, not over the columns of a single row
    $validar_erro = $buscar_erro->fetchAll(PDO::FETCH_ASSOC);

    $rs = '';
    foreach ($validar_erro as $erro) {
        if ($erro['EMAIL_USUARIO'] != $cliente_email) {
            $rs = 'email';   // row matched on the password only, so the email is wrong
            break;
        } elseif ($erro['SENHA_USUARIO'] != $cliente_senha) {
            $rs = 'senha';   // row matched on the email only, so the password is wrong
            break;
        } else {
            $rs = 'nenhum';
            break;
        }
    }

    if ($rs == 'senha') {

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=senha');
    } elseif ($rs == 'email') {

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=email');
    } elseif ($rs == 'nenhum') {

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=loginerrado');
    } else {

        // no row matched either field
        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=naoidentificado');
    }
    exit;

endif;

?>

I tried to think of a better solution than this option, but unfortunately I could not come up with anything right now.

  • I used this correction, but it only sent me to the naoidentificado page. I saw that it was checking for equality (==), so I switched it to !=; now when I enter the wrong email it shows the invalid-email message, but when I enter an existing email and a wrong password the same message appears.

  • @karlosFist do a var_dump($validar_cliente) before the if that compares password and email, and put the result in your question.

  • I used three var_dumps:
    var_dump($validar_cliente);
    var_dump($validar_cliente['EMAIL_USUARIO']);
    var_dump($validar_cliente['SENHA_USUARIO']);
    and it returned:
    C:\wamp64\www\Projeto001.01\sessao.php:18:boolean false
    C:\wamp64\www\Projeto001.01\sessao.php:19:null
    C:\wamp64\www\Projeto001.01\sessao.php:20:null

  • All right, I know what the problem is; I'll update the answer.

  • Now, whatever password or email I enter, it sends me to the index and creates a session, even for data not registered in the database.

  • See whether a number or something else is coming in $quantidade_cliente, and comment here.

  • It returns 1; whatever email I enter, it returns 1.

  • I noticed that where you look for the error it says $validar_erro = $buscar_cliente->fetch(PDO::FETCH_ASSOC); however, even after changing it to $validar_erro = $buscar_erro->fetch(PDO::FETCH_ASSOC); it still behaves the same way. I also tried changing the line if($quantidade_cliente == 1): to $cliente_email == $validar_cliente['EMAIL_USUARIO'] AND $cliente_senha == $validar_cliente['SENHA_USUARIO'].

  • Do a var_dump on $validar_cliente, but without the key names, just var_dump($validar_cliente); the problem is in this variable.

  • When I use a valid email and password it returns an array with the data; when I enter an email or password that does not exist it returns false.

  • Take a look at the second example now.

  • If I enter an email that exists with a password that does not exist, PHP gives an error: Warning: Illegal string offset 'EMAIL_USUARIO' in C:\wamp64\www\Projeto001.01\sessao.php on line 33. Now if I enter an email that does not exist, it jumps to the last else.

  • Put the breaks in just as they are there; I'm going little by little because I have nowhere to test right now. What is on line 33?

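As an added example (not code from the question or the answers above), this is the generic-failure approach the answer recommends, written so that the database holds only a password hash and the lookup is by e-mail alone. It uses an in-memory SQLite database so it runs stand-alone; the table and column names follow the thread, while the sample user and the helper names criarBancoExemplo and autenticar are assumptions made here.

```php
<?php
// Added example, not from the question or answers: a login check that reports one
// generic failure, stores only a password hash, and looks the user up by e-mail.
// Table/column names follow the thread; everything else here is constructed.

function criarBancoExemplo(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usuarios (EMAIL_USUARIO TEXT PRIMARY KEY, SENHA_USUARIO TEXT NOT NULL)');
    // Constructed sample user; SENHA_USUARIO holds a hash, never the password itself.
    $ins = $pdo->prepare('INSERT INTO usuarios (EMAIL_USUARIO, SENHA_USUARIO) VALUES (:email, :senha)');
    $ins->execute([
        ':email' => 'ana@exemplo.com',
        ':senha' => password_hash('segredo123', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Returns the user's e-mail on success, or null on any failure. The caller (and
// therefore the login page) cannot tell an unknown e-mail from a wrong password.
function autenticar(PDO $pdo, string $email, string $senha): ?string
{
    // Dummy hash used when the e-mail is unknown, so that path still performs one
    // password_verify() and response time does not reveal which e-mails exist.
    static $hashFalso = null;
    $hashFalso ??= password_hash('senha-inexistente', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT EMAIL_USUARIO, SENHA_USUARIO FROM usuarios WHERE EMAIL_USUARIO = :email');
    $stmt->execute([':email' => trim($email)]);
    $linha = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    $ok = password_verify($senha, $linha ? $linha['SENHA_USUARIO'] : $hashFalso);
    return ($linha && $ok) ? $linha['EMAIL_USUARIO'] : null;
}

// Three constructed attempts: correct login, wrong password, unknown e-mail.
$pdo = criarBancoExemplo();
$tentativas = [
    ['ana@exemplo.com', 'segredo123'],
    ['ana@exemplo.com', 'errada'],
    ['ninguem@exemplo.com', 'segredo123'],
];
foreach ($tentativas as [$email, $senha]) {
    $usuario = autenticar($pdo, $email, $senha);
    echo $email, ' / ', $senha, ' => ', $usuario === null ? 'login invalido' : 'ok (' . $usuario . ')', PHP_EOL;
}
```

After a successful call, store only the e-mail (or a user id) in $_SESSION and call exit after header(); the password itself never belongs in the session.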

Folks, I managed to solve it. After several different attempts I found out where my mistake was: I was not stopping the loop after it finished executing, so it continued even when the if was validated. It was only necessary to put a break so that it stops. My corrected code follows.

<?php

session_start();
include "conexao.php";
$cliente_email = trim($_POST['cliente_email']);
$cliente_senha = $_POST['cliente_senha'];

$pdo = conectar();

// first query: does the email exist?
$buscar_cliente = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email");
$buscar_cliente->bindValue(":email", $cliente_email);
$buscar_cliente->execute();
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC); // false when the email is unknown

if ($cliente_email != $validar_cliente['EMAIL_USUARIO']):

    unset($_SESSION['EMAIL_USUARIO']);
    unset($_SESSION['SENHA_USUARIO']);
    header('location:login.php?area=naoemail');
    exit; // stop the script here ("break" is only valid inside a loop or switch)

else:

    $email_valido = $validar_cliente['EMAIL_USUARIO'];

endif;

var_dump($email_valido); // debug output; output before header() only works with output_buffering enabled

// second query: read the stored password for that email (same row as above)
$buscar_cliente_senha = $pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email");
$buscar_cliente_senha->bindValue(":email", $cliente_email);
$buscar_cliente_senha->execute();
$validar_cliente_senha = $buscar_cliente_senha->fetch(PDO::FETCH_ASSOC);
$senha_valida = $validar_cliente_senha["SENHA_USUARIO"];

var_dump($senha_valida); // debug output
var_dump($cliente_senha); // debug output

if ($senha_valida != $cliente_senha):
    unset($_SESSION['EMAIL_USUARIO']);
    unset($_SESSION['SENHA_USUARIO']);
    header('location:login.php?area=naosenha');
    exit;
else:

    $_SESSION['EMAIL_USUARIO'] = $email_valido;
    $_SESSION['SENHA_USUARIO'] = $senha_valida;
    header('location:index.php');

endif;

This is different from what I did before, but I tested it on the first version and it worked too. Now when I enter an email that does not exist it gives me the invalid-email message, and when I enter a valid email and an invalid password it returns the invalid-password message.

Thank you very much, folks, for the help, and good night. P.S. Now I can sleep peacefully.
