Problem to return invalid email message and invalid password

0

Good evening,

I'm learning PHP PDO, and I'm creating a basic system where I have a login page that checks whether the user exists; if it exists, it redirects to the index page, where it creates a session. Up to that point it is OK. My problem is when the wrong password or the wrong email is entered: I made a condition to check for this, but it is not working. When I enter the wrong password it shows the wrong-password message, but when I enter the wrong email it shows the same wrong-password message. Could someone please shed some light on this? I'm about three days into this and I cannot get past the login page.

The code follows:

 <?php  

session_start();
include "conexao.php";
$cliente_email=$_POST['cliente_email'];
$cliente_senha=$_POST['cliente_senha'];

$pdo=conectar();


    $buscar_cliente=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
    $buscar_cliente->bindValue(":email",$cliente_email);
    $buscar_cliente->bindValue(":senha",$cliente_senha);
    $buscar_cliente->execute();
    $validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);


    if($cliente_email == $validar_cliente['EMAIL_USUARIO'] AND $cliente_senha == $validar_cliente['SENHA_USUARIO']):

          $_SESSION['EMAIL_USUARIO'] = $cliente_email;
          $_SESSION['SENHA_USUARIO'] = $cliente_senha;
          header('location:index.php');


    else:

        if($validar_cliente['EMAIL_USUARIO'] = 0 ):
                unset($_SESSION['EMAIL_USUARIO']);
                unset($_SESSION['SENHA_USUARIO']);
                header('location:login.php?area=naoemail');



        else:

            unset($_SESSION['EMAIL_USUARIO']);
            unset($_SESSION['SENHA_USUARIO']);
            header('location:login.php?area=naosenha');
        endif;
    endif;

?>

Thank you in advance.

asked by anonymous 04.07.2018 / 00:44

2 answers

0

I managed to solve it myself; after several different attempts I discovered where my mistake was. I did not stop the loop after it finished executing, so it kept going even after the if validated; it was only necessary to put a break so that it stops. My corrected code follows.

<?php

session_start();
include "conexao.php";
$cliente_email = trim($_POST['cliente_email']);
$cliente_senha = $_POST['cliente_senha'];

$pdo = conectar();

// First query: is there a user with this email?
$buscar_cliente=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email");
$buscar_cliente->bindValue(":email",$cliente_email);
$buscar_cliente->execute();
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);

// fetch() returns false when no row matched, so an unknown email ends up here too
if($validar_cliente === false || $cliente_email != $validar_cliente['EMAIL_USUARIO']):

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=naoemail');
        exit; // stop the script after the redirect (a break outside a loop is a fatal error in PHP; exit does what was intended)

else:

    $email_valido = $validar_cliente['EMAIL_USUARIO'];

endif;

// var_dump($email_valido); // debug output here would be sent before the header() calls below and break the redirect

// Second query: read the stored password for that email (same row as $validar_cliente)
$buscar_cliente_senha=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email");
$buscar_cliente_senha->bindValue(":email",$cliente_email);
$buscar_cliente_senha->execute();
$validar_cliente_senha = $buscar_cliente_senha->fetch(PDO::FETCH_ASSOC);
$senha_valida = $validar_cliente_senha["SENHA_USUARIO"];

// var_dump($senha_valida);
// var_dump($cliente_senha);

if ($senha_valida != $cliente_senha):
    unset($_SESSION['EMAIL_USUARIO']);
    unset($_SESSION['SENHA_USUARIO']);
    header('location:login.php?area=naosenha');
    exit;
else:

    $_SESSION['EMAIL_USUARIO'] = $email_valido;
    $_SESSION['SENHA_USUARIO'] = $senha_valida;
    header('location:index.php');
    exit;

endif;

This is different from what I did before, but I tested it and it worked well: now when I enter an email that does not exist it gives me the invalid-email message, and when I enter a valid email and an invalid password it returns the message that the password is invalid.

Thank you very much for your help, and a good night. PS. Now I can get some sleep.

04.07.2018 / 03:37
0

What is happening is the following: when a wrong email or user is submitted, it will not exist in the database; therefore there will be no data in $validar_cliente, so the comparisons do not work. To correct this, check whether the query returned anything, or else give the error.

For convenience and security, it is not good practice to tell the user whether he or she got the email or the password wrong, as that may make an attacker's life easier.

To resolve, without identifying the password or the email:

<?php  

session_start();
include "conexao.php";
$cliente_email=$_POST['cliente_email'];
$cliente_senha=$_POST['cliente_senha'];

$pdo=conectar();


$buscar_cliente=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
$buscar_cliente->bindValue(":email",$cliente_email);
$buscar_cliente->bindValue(":senha",$cliente_senha);
$buscar_cliente->execute();
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);
$quantidade_cliente = ($validar_cliente === false) ? 0 : 1; // fetch() returns false when no row matched

if($validar_cliente):

      $_SESSION['EMAIL_USUARIO'] = $cliente_email;
      $_SESSION['SENHA_USUARIO'] = $cliente_senha;
      header('location:index.php');


else:

        unset($_SESSION['EMAIL_USUARIO']);
        unset($_SESSION['SENHA_USUARIO']);
        header('location:login.php?area=loginerrado');

endif;

?>

Now, to find out if it was the password or the email, you need to do a few more things:

<?php  

session_start();
include "conexao.php";
$cliente_email=$_POST['cliente_email'];
$cliente_senha=$_POST['cliente_senha'];

$pdo=conectar();


$buscar_cliente=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email AND SENHA_USUARIO=:senha");
$buscar_cliente->bindValue(":email",$cliente_email);
$buscar_cliente->bindValue(":senha",$cliente_senha);
$buscar_cliente->execute();
$validar_cliente = $buscar_cliente->fetch(PDO::FETCH_ASSOC);

if($validar_cliente):

      $_SESSION['EMAIL_USUARIO'] = $cliente_email;
      $_SESSION['SENHA_USUARIO'] = $cliente_senha;
      header('location:index.php');
      exit;


else:
        // Second query: which half matched, the email or the password?
        $buscar_erro=$pdo->prepare("SELECT * FROM usuarios WHERE EMAIL_USUARIO=:email OR SENHA_USUARIO=:senha");
        $buscar_erro->bindValue(":email",$cliente_email);
        $buscar_erro->bindValue(":senha",$cliente_senha);
        $buscar_erro->execute();
        // fetchAll() so that the loop below iterates over rows; fetch() would return one row
        // and the loop would iterate over its columns instead
        $validar_erro = $buscar_erro->fetchAll(PDO::FETCH_ASSOC);

        $rs = '';
        foreach($validar_erro as $erro){
            if($erro['EMAIL_USUARIO'] != $cliente_email){
                $rs = 'email';   // the password matched a row but the email did not
                break;
            }elseif($erro['SENHA_USUARIO'] != $cliente_senha){
                $rs = 'senha';   // the email matched a row but the password did not
                break;
            }else{
                $rs = 'nenhum';
                break;
            }
        }
        // $rs stays '' when no row matched either the email or the password


        if($rs == 'senha'){

            unset($_SESSION['EMAIL_USUARIO']);
            unset($_SESSION['SENHA_USUARIO']);
            header('location:login.php?area=senha');
        }elseif($rs == 'email'){

            unset($_SESSION['EMAIL_USUARIO']);
            unset($_SESSION['SENHA_USUARIO']);
            header('location:login.php?area=email');
        }elseif($rs == 'nenhum'){

            unset($_SESSION['EMAIL_USUARIO']);
            unset($_SESSION['SENHA_USUARIO']);
            header('location:login.php?area=loginerrado');
        }else{

            unset($_SESSION['EMAIL_USUARIO']);
            unset($_SESSION['SENHA_USUARIO']);
            header('location:login.php?area=naoidentificado');
        }
        exit;

endif;

?>

I did try to think of a better solution for this second option, but unfortunately nothing comes to mind right now.

04.07.2018 / 01:00
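Both answers above leave two things for a reader to pick up: the self-answer's point that the script must stop after the redirect, and the second answer's point that the response should not reveal whether the email or the password was the wrong half. The following added example (not code from the question or from either answer) puts both together and also keeps the password out of the SQL query and out of the session. It keeps the page's table and column names (usuarios, EMAIL_USUARIO, SENHA_USUARIO) and, in the web branch, the page's conexao.php/conectar(); the in-memory SQLite database, the sample user and the three attempts are constructed here so the file also runs on its own from the command line.

```php
<?php
// Added example, not code from the question or from either answer. Table and
// column names follow the page; the SQLite test database and the sample user
// are constructed here so the file runs stand-alone.
declare(strict_types=1);

// Builds a throwaway database with one user whose SENHA_USUARIO column holds
// a bcrypt hash, never the password itself.
function criarBancoDeTeste(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE usuarios (ID INTEGER PRIMARY KEY, EMAIL_USUARIO TEXT UNIQUE, SENHA_USUARIO TEXT)');
    $ins = $pdo->prepare('INSERT INTO usuarios (EMAIL_USUARIO, SENHA_USUARIO) VALUES (:email, :senha)');
    // Constructed sample user (email and password are made up for this example).
    $ins->execute([':email' => 'ana@example.com', ':senha' => password_hash('s3nh4-forte', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Looks the user up by email only and checks the password against the stored
// hash. Returns the user row on success and null on any failure, without
// distinguishing an unknown email from a wrong password. $hashFalso is verified
// when the email is unknown so that an unknown email costs about as much time
// as a wrong password for a known one.
function autenticar(PDO $pdo, string $email, string $senha, string $hashFalso): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM usuarios WHERE EMAIL_USUARIO = :email');
    $stmt->bindValue(':email', $email);
    $stmt->execute();
    $usuario = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    if ($usuario === false) {
        password_verify($senha, $hashFalso);
        return null;
    }
    if (!password_verify($senha, $usuario['SENHA_USUARIO'])) {
        return null;
    }
    return $usuario;
}

// Decides where the browser goes next and what goes into the session. The
// session is passed in as an array so the function can run outside a web
// request; in the web branch below that array is $_SESSION.
function tratarLogin(PDO $pdo, array $post, array &$sessao, string $hashFalso): string
{
    $email = trim((string) ($post['cliente_email'] ?? ''));
    $senha = (string) ($post['cliente_senha'] ?? '');

    $usuario = autenticar($pdo, $email, $senha, $hashFalso);
    if ($usuario === null) {
        unset($sessao['EMAIL_USUARIO']);
        return 'login.php?area=loginerrado';   // one reason for both kinds of failure
    }
    $sessao['EMAIL_USUARIO'] = $usuario['EMAIL_USUARIO'];   // identity only, never the password
    return 'index.php';
}

// Hash of a throwaway value, used only to equalise the unknown-email path.
$hashFalso = password_hash('senha-descartavel', PASSWORD_DEFAULT);

if (PHP_SAPI === 'cli') {
    // Stand-alone run: three constructed attempts against the test database.
    $pdo = criarBancoDeTeste();
    $sessao = [];
    $tentativas = [
        'email desconhecido' => ['cliente_email' => 'ninguem@example.com', 'cliente_senha' => 's3nh4-forte'],
        'senha errada'       => ['cliente_email' => 'ana@example.com',     'cliente_senha' => 'errada'],
        'credenciais certas' => ['cliente_email' => 'ana@example.com',     'cliente_senha' => 's3nh4-forte'],
    ];
    foreach ($tentativas as $rotulo => $post) {
        printf("%-20s -> %s\n", $rotulo, tratarLogin($pdo, $post, $sessao, $hashFalso));
    }
} else {
    // Web handler, in the shape of the page's login script.
    session_start();
    include 'conexao.php';
    $pdo = conectar();
    $destino = tratarLogin($pdo, $_POST, $_SESSION, $hashFalso);
    if ($destino === 'index.php') {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
    }
    header('Location: ' . $destino);
    exit;   // nothing after a redirect may keep running
}
```

Run from the command line, the first two attempts (unknown email, wrong password) come back with the same login.php?area=loginerrado target and only the third reaches index.php, so the response itself gives away nothing about which half failed. Storing the hash means the password never appears in a WHERE clause, and keeping only the email in $_SESSION means a leaked session file does not leak a password.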