I want to log in a user on a website with PHP. The alert below is not working:

else {
    echo 'You must Enter Your Pass';
}

The code below works when the required fields are empty, but whether the password is correct or not, the alert is not working.

<?php
require 'core.inc.php';
if(isset($_POST['email1']) && isset($_POST['sifre1'])){
  $username=$_POST['email1'];
  $password=$_POST['sifre1'];
  if(!empty($username) && !empty($password)){
    $query="SELECT e-mail,sifre FROM Kullanıcı WHERE e-mail='$username' AND sifre='$password'";
    echo mysql_error();

    if($query_run=mysql_query($query)){
      echo 'Invalid13';
      $query_num_rows = mysql_num_rows($query_run); 
      if($query_num_rows==0) {
        echo 'Invalid';
      } else {
        echo 'OK';
      }     
    }
  } else {
    echo 'You must Enter Your Pass';
  }
}
?>
    [You're in danger of SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 29 '15 at 15:15
  • There is no `else` to this `if($query_run=mysql_query($query)){`. Add an `else` here and check `mysql_error()`. – Sirko Apr 29 '15 at 15:18
  • Sidenote question: Is this a live site or intended to go live? – Funk Forty Niner Apr 29 '15 at 15:33
  • Already not. ...I get an error, that's why I didn't pay attention to the Turkish character... – el_Pueblo_13 Apr 29 '15 at 16:34
  • Plain-text passwords, SQL injections, mysql_ functions, mysql_error() randomly before any mysql_query()... probably time to turn to a framework. – Devon Apr 29 '15 at 21:27

1 Answer

Part of your problem comes from a lack of separation of concerns.

Let's see your basic algorithm:

  • Check that the needed info to log in a user is there.
    • If it is, query the database for that user and password.
      • If they match, return a SUCCESS
      • Otherwise return a FAILURE: INVALID
    • If information is missing, return a FAILURE: MISSING INFO

Let's try and implement that in code.

require 'core.inc.php';

//Takes in a $_POST array and returns a string
function log_in_user($post_object) {//Note that using global variables is problematic, so lets pass it as a param
  $username = null;
  $password = null;
  //One at a time lets get the needed info
  if (isset($post_object['email1']) && !empty($post_object['email1'])) {
    $username = $post_object['email1'];
  }
  if (isset($post_object['sifre1']) && !empty($post_object['sifre1'])) {
    $password = $post_object['sifre1'];
  }

  //Handle the case where we don't have the correct info
  if (is_null($username)) {
    return "You must enter a username.";
  }
  if (is_null($password)) {
    return "You must enter a password.";
  }

  //If the function hasn't returned by this point, we validate the credentials.
  return validate_credentials($username, $password);//pass through the result
}

//Put this in a separate function for cleanliness and so you can handle
//the changes you NEED to make to how you access the db w/o affecting the rest
function validate_credentials($username, $password) {
  //Bind the user-supplied values as parameters instead of interpolating them into the SQL.
  //The hyphenated column name must be quoted with backticks, or MySQL parses it as e - mail.
  $query="SELECT `e-mail`,sifre FROM Kullanıcı WHERE `e-mail`=:email AND sifre=:password";

  try {
    //Get a connection to your database. The details below will change.
    //db_username and db_password are the credentials to your database, not the user.
    $db = new PDO('mysql:host=localhost;dbname=testdb;charset=utf8', 'db_username', 'db_password');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);//make failures throw so the catch below sees them
    $stmt = $db->prepare($query);//Sets up your query
    $stmt->execute([':email' => $username, ':password' => $password]);
    $results = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($results) == 1) {
      return "OK";
    } else {
      return "Invalid credentials";
    }
  } catch(PDOException $ex) {
    return "An error occurred trying to reach the database. Try again later.";
  }
}

//Now actually execute the login function
echo log_in_user($_POST);

So, as you can see, breaking your code into functions will allow you to clarify the issues you're seeing. The first function validates your inputs: your initial problem is essentially one of validation. Did the user send through a password? The second function handles the concern of actually validating a set of credentials against the database. With the second function you can test different cases:

validate_credentials("good_username","awesome_password");//should exist in db to work. Will return "OK"
validate_credentials("bad_username","terrible_password");//should NOT exist in the db. Will return "Invalid credentials"

Caveat: None of this code is tested, it's merely an example of how you might do this.
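
The same two-function split, as an added example that is not the answerer's code: it uses a prepared statement so the e-mail is bound rather than interpolated, looks the row up by e-mail only, and checks the password with password_verify() against a password_hash() value (the comments above flag plain-text passwords). It assumes the page's table `Kullanıcı` with columns `e-mail` and `sifre`, where `sifre` now holds the hash, and builds an in-memory SQLite database so it runs without a MySQL server.

```php
<?php
// Assumptions: table `Kullanıcı`, columns `e-mail` and `sifre`; `sifre` stores
// a password_hash() hash, not the plain-text password.
declare(strict_types=1);

function log_in_user(array $post, PDO $db): string {
    // Validation concern: both fields must be present and non-empty.
    $username = isset($post['email1']) ? trim((string)$post['email1']) : '';
    $password = isset($post['sifre1']) ? (string)$post['sifre1'] : '';
    if ($username === '') {
        return 'You must enter a username.';
    }
    if ($password === '') {
        return 'You must enter a password.';
    }
    return validate_credentials($db, $username, $password);
}

function validate_credentials(PDO $db, string $username, string $password): string {
    try {
        // Look the row up by e-mail only; the password never enters the SQL text.
        $stmt = $db->prepare('SELECT `sifre` FROM `Kullanıcı` WHERE `e-mail` = :email');
        $stmt->execute([':email' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $ex) {
        // Log $ex->getMessage() server-side; never echo driver errors to the client.
        return 'An error occurred trying to reach the database. Try again later.';
    }
    // One message for both "unknown e-mail" and "wrong password".
    if ($row === false || !password_verify($password, $row['sifre'])) {
        return 'Invalid credentials';
    }
    return 'OK';
}

// Constructed in-memory database standing in for the MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE `Kullanıcı` (`e-mail` TEXT PRIMARY KEY, `sifre` TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO `Kullanıcı` (`e-mail`, `sifre`) VALUES (:email, :hash)');
$ins->execute([':email' => 'ali@example.com',
               ':hash'  => password_hash('awesome_password', PASSWORD_DEFAULT)]);

// Correct password, wrong password, quote-laden e-mail (just a string that matches
// no row once it is bound as a parameter), and a missing field.
echo log_in_user(['email1' => 'ali@example.com', 'sifre1' => 'awesome_password'], $db), "\n";
echo log_in_user(['email1' => 'ali@example.com', 'sifre1' => 'wrong'], $db), "\n";
echo log_in_user(['email1' => "x' OR '1'='1", 'sifre1' => 'anything'], $db), "\n";
echo log_in_user(['email1' => 'ali@example.com'], $db), "\n";
```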
