0

I am trying to verify a username and a password from the database but it is returning int -1 as seen on the below screenshot. code that I am using as follows 

  public function logIn()
    {
        $email = $_POST['loginEmail'];
        $password = htmlspecialchars($_POST['loginPassword']);
        // if (strlen($password) < 8 || !preg_match('/[0-9]/', $password) || !preg_match('/[A-Z]/', $password) || !preg_match('/[a-z]/', $password)) {
        //     echo "<script>alert('Not a valid Password');</script>";
        // } else {
            // $salt = "ca34ff6ghh7ggs0hmn112dfg'";
            // $password = $password . $salt;
            // $password = sha1($password);


            $sqlQuery = "SELECT UserID FROM tbl_User WHERE Email='$email' AND Password='$password'";
            $statement = $this->_dbHandle->prepare($sqlQuery);
            $statement->execute();
            $count = $statement->rowCount();

            var_dump($email);
            var_dump($password);
            var_dump($statement);
            var_dump($sqlQuery);
            var_dump($count);

            if ($statement->rowCount() > 0) {
                 var_dump($statement->rowCount());
            //     $row = $statement->fetch();
            //     var_dump($row);
            //     // $user = new UserData($row);
            //     // $userId = $user->getId();
            //     // $_SESSION['user_id'] = $userId;
            //     // header('location: index.php');
            } // else {
            //     echo '<script>window.alert("Try Again ww!")</script>';
            // }
        // }
    }

Any help would be much appreciated.

Returning int -1

Faz887766
  • 29
  • 6
  • Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php). [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jul 25 '18 at 15:13
  • 1
    **Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). – Alex Howansky Jul 25 '18 at 15:14
  • Thank you for your kind reply, however, i am getting nothing from the database, any suggestion why? thanks – Faz887766 Jul 25 '18 at 15:16
  • Are you getting any results if you copy the $sqlQuery you dumped and paste it into a mssql GUI program? – Ole Haugset Jul 25 '18 at 15:18
  • yes i am, it works perfectly on MSSQL GUI – Faz887766 Jul 25 '18 at 15:19
  • however on the website itself it shows the error on the screenshot above. – Faz887766 Jul 25 '18 at 15:28

0 Answers0