0

I have a login function and I'd like to return a variable value if false:

function login($email, $password, $mysqli) {
[...]
// check if username exists
if ($stmt->num_rows == 1) {
    // check
if ($db_password == $password) {
    //check
} else {
    // Invalid password
    $error = '2';
    return false;
} else {
        // No user exists.
        $error = '1';
        return false;

And this is the process_login

// the login function is included in this page
if (login($email, $password, $mysqli) == true) {
    // Login success
    header('Location: /index.php');
} else {
    // Login failed
    header("Location: /login.php?error=$error");
}

I'd like the function to return the value of error variable, but it's not working.

What's wrong??

Thanks!

Improve this question
3
  • Am I missing something? If you want to return the value of the error variable, use return $error;. Commented Oct 3, 2014 at 22:50
  • Best practice: don't tell the user whether it's their user name or password that's wrong. An attacker can focus an attack if you give out too much information. Just return false from your function if login fails. Commented Oct 3, 2014 at 22:51
  • You're right, thanks for the tip! Commented Oct 3, 2014 at 22:54

3 Answers 3

Reset to default
1

As commented before, we shouldn't let users know wether the username or the password was wrong. But this was just an exercise (I was still beggining to php).

We can safely remove the two else.

function login($email, $password, $mysqli) {
    [...]
    $exit = false;
    // check if username exists
    if ($stmt->num_rows > 0) {
        // check
        if ($db_password == $password) {
            // checked
            $exit = true;
        } else {
            // Invalid password
            $exit = 2;
        }
    } else {
        // No user exists.
        $exit = 1;
    }

    return $exit;
}

No need to compare, it'll only pass if login() returns true

// the login function is included in this page
if (login($email, $password, $mysqli)) {
    // Login success
    header('Location: /index.php');
} else {
    // Login failed
    header("Location: /login.php?error=$error");
}
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

this should do the trick :)

function login($email, $password, $mysqli) {
[...]
// check if username exists
if ($stmt->num_rows == 1) {
    // check
if ($db_password == $password) {
    //check
    return true;
} else {
    // Invalid password
    $error = '2';
    return $error;
} else {
        // No user exists.
        $error = '1';
        return $error;
......


// the login function is included in this page
if (login($email, $password, $mysqli) === true) { //check for type (bool)true
    // Login success
    header('Location: /index.php');
} else {
    // Login failed
    header("Location: /login.php?error=$error");

}
Improve this answer

1 Comment

Thanks, but I already tried that and for some unknown reason is redirecting me to index... and idk if has something to do with .htaccess redirecting to index.php (I'm using dynamic includes and I need that)
0

You cannot have two else conditions in the same if statement and you should return the variable $error instead returning false if you really need to know the error number but only for your known. As one user told you to try not to tell the user where exactly is the login error. Just tell the client the login/password details are incorrect

Improve this answer

1 Comment

It's an old and bad indented code (if you look closely you'll see two if's statements). That was just an exercise from when I was still studying php. I'll answer my own question, thanks anyways.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.