-3

Im having a trouble with a PHP Login form.

When Username + Password is Correct everything works fine , but when its incorrect it gives an error :

Notice: Trying to access array offset on value of type null in /opt/lampp/htdocs/login/process.php on line 20 Login Failed!

I know is something related with the mysqli_fetch_array but i dont know what.

PHP is last version 7.4.8

<?php
// Get values from form in login.php

$username = $_POST['user'];
$password = $_POST['password'];

// To prevent SQL injection
$username = stripcslashes($username);
$password = stripcslashes($password);
// $username = mysql_real_escape_string($username);
// $password = mysql_real_escape_string($password);

// Database Connection
$con = mysqli_connect("localhost","root","1234", "login");

// Query the Db for username
$result = mysqli_query($con, "SELECT * FROM users WHERE username = '$username' AND password = '$password'")
        or die("Fail to connect to database".mysql_error());
$row = mysqli_fetch_array($result);
if ($row['username'] == $username && $row['password'] == $password){
    echo "Login succesfull!";
} else {
    echo "Login Failed!";
}
Improve this question
6
  • or die("Fail to connect to database".mysql_error()); – a) this is not the part where you try to make the database connection, and b) you are mixing mysqli and mysql functions here (which you can’t do.) Commented Aug 28, 2020 at 7:37
  • You don't check if a row is retrieved, so when the details aren't correct $row won't contain an array. Commented Aug 28, 2020 at 7:38
  • Does this answer your question? Turning query errors to Exceptions in MySQLi Commented Aug 28, 2020 at 7:38
  • You shouldn't be storing passwords as plain text, have a read of How to use PHP's password_hash to hash and verify passwords. Also learn to use prepared statements. Commented Aug 28, 2020 at 7:39
  • 1
    // To prevent SQL injection – absolutely massively wrong what you are doing there. Go read up on how to do this properly; and then go read up on prepared statements, and use those instead. Commented Aug 28, 2020 at 7:39

2 Answers 2

Reset to default
1

The problem is because the $row variable initialised as:

$row = mysqli_fetch_array($result);

is equal to null, when no user matches the provided password and username. The quick fix is to extend the condition for successful login to include a null check:

if ($row !== null && $row['username'] == $username && $row['password'] == $password) {
    echo "Login succesfull!";
}

On a side note, know that escaping values using mysql_real_escape_string may still not be enough to prevent SQL Injection. Instead, a prepared statement with typed parameters should be used.

Also, storing passwords in a plain text is really not a good idea. It'd be recommended to implement a mechanism using e.g. the password_hash and password_verify functions.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

i will doublecheck the code anyway , thanks everybody for the suggestions !
@Southsound-dev although this solution would work, please, do consider reading about proper password handling and SQL injection prevention. The current format of your code is prone to several security attacks.
0 
$result = mysqli_query($con, "SELECT * FROM users WHERE username = '$username' AND password = '$password'")
        or die("Fail to connect to database".mysql_error());
if(mysqli_num_rows($result) > 0) {
    echo "Login succesfull!";
} else {
    echo "Login Failed!";
}
Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.