
Hello Everyone newbie here,

I'm trying to figure out why my code is returning "Login Successful" no matter what when my $loginresult is not = 1. This is my first time trying to implement prepared statements with my login system to avoid SQL injection and was curious if the issue lies in how I wrote that.

I can definitely say that when I am making my successful login my value is 1 and unsuccessful is 5.

Whenever it is 5 it is still returning the same echo that 1 should be returning.

Thank you for your time and patience everyone.

<?php session_start(); ?>

<!DOCTYPE html>
<head>
  <title>Login</title>
</head>
<body>

<?php

include('config.php');
$conn = sqlsrv_connect($serverName, $conn_array);

  $myparams['username'] = $_POST['username'];
  $myparams['password'] = $_POST['password'];


      // All checks done already (including password check). Begin building prepare statement.
    $sql = "SET ANSI_NULLS ON
    SET QUOTED_IDENTIFIER ON
    SET CONCAT_NULL_YIELDS_NULL ON
    SET ANSI_WARNINGS ON
    SET ANSI_PADDING ON
    exec LoginScript @in_accountname=?,@in_password=?
    
    ";

//Array for prep
$procedure_params = array(
        array(&$myparams['username'], SQLSRV_PARAM_IN),
        array(&$myparams['password'], SQLSRV_PARAM_IN)

);

/* Prepare the statement. */
if( $stmt = sqlsrv_prepare( $conn, $sql, $procedure_params))
{
     // echo "Statement was successfully prepared.\n";
} 
else
{
      echo "Statement could not be prepared.\n";
     // ( print_r( sqlsrv_errors(), true)); ACTIVATE ONLY FOR DEBUGGING TO PREVENT HELPING SQL INJECTORS
}

/* Execute the statement. */
if( sqlsrv_execute( $stmt))
{
     // echo " Statement executed.\n";
}
else
{
      echo " Unable to execute prepared statement!\n";
     // ( print_r( sqlsrv_errors(), true));
}


//checkuser
$result = sqlsrv_prepare( $conn, $sql, $procedure_params);
$info=sqlsrv_fetch_array($stmt);
$LoginResult = $info;


//Login Success
if (!$LoginResult=1)

{
    echo "Login DEAD.";
    echo "Login Result: ".$info[0]."\n"; 
}else{
    echo "Login Successful.";
    echo "Login Result: ".$info[0]."\n"; 
}

/* Free the statement and connection resources. */
sqlsrv_free_stmt($stmt);
sqlsrv_close($conn);
?>
Pon

1 Answer


if (!$LoginResult=1) is not what you want, you need

if ($LoginResult != 1) is not valid

See: Equality Operators

What you've done with your original code is assign the value 1 to the $LoginResult variable and checked if it is not truthy.

Jon P
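
The check from the question next to a fail-closed comparison on the returned code, as an added example that is not part of the original post or answer. The rows are constructed stand-ins for what sqlsrv_fetch_array() returns, the function names buggyCheck and strictCheck are hypothetical, and the codes 1 (success) and 5 (failure) in column 0 follow the question.

```php
<?php
// Added example. Each sample row is a constructed stand-in for the value
// sqlsrv_fetch_array() returns: an array on success, null when there is
// no row, false on error.

// The check as written in the question: "!" applied to an assignment.
function buggyCheck($row): string
{
    $LoginResult = $row;
    // Parsed as !($LoginResult = 1): assigns 1, the expression evaluates to 1
    // (truthy), so the negation is always false and the else branch always runs.
    if (!$LoginResult = 1) {
        return 'denied';
    } else {
        return 'granted';
    }
}

// Fail-closed check: only an integer 1 in column 0 of a real row grants access.
function strictCheck($row): string
{
    // Compare the result column, not the row itself: an array compared with
    // an int using != is never equal, which would deny every login.
    if (!is_array($row) || !array_key_exists(0, $row)) {
        return 'denied'; // fetch failed or the procedure returned no row
    }
    // The driver may return the column as int or string depending on its SQL
    // type; FILTER_VALIDATE_INT accepts 1 and "1" but rejects "1abc".
    $code = filter_var($row[0], FILTER_VALIDATE_INT);
    return $code === 1 ? 'granted' : 'denied';
}

// Constructed sample rows (not output from a real database).
$samples = [
    'result 1'    => [1],
    'result 5'    => [5],
    'string "1"'  => ['1'],
    'no row'      => null,
    'fetch error' => false,
];

foreach ($samples as $label => $row) {
    printf("%-12s buggy=%-8s strict=%s\n", $label, buggyCheck($row), strictCheck($row));
}
```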