PHP undefined variable error

Hello everyone. Please could someone shed some light onto why I am getting this undefined variable error. Thanks for any tips :)

I have cobbled together a login script using the new PHP hashing and verify functions.

I am getting this error:
PHP:
Undefined variable: db_password in C:\wamp\www\login\index.php on line 207

Line 207 is the following:
PHP:
if(password_verify($password, $db_password)) {

And here is the full code:

PHP:
    $username = '';
    if(isset($_POST['username']))
        $username = htmlentities($_POST['username']);

    $password = '';
    if(isset($_POST['password']))
        $password = $_POST['password'];

    $sql = "SELECT * FROM login WHERE username=?";
    $get = $connect->prepare($sql);
    $get->execute(array($username));

    if($get->rowCount() === 1)
    {
        $row = $get->fetch(PDO::FETCH_ASSOC); // Fetch the result

        // Only assigned when exactly one row is reported
        $db_username = $row['username'];
        $db_password = $row['password'];
    }

    // Line 207: $db_password is undefined here when the block above was skipped
    if(password_verify($password, $db_password)) {

        $_SESSION['username'] = $db_username;

        $sql = "UPDATE login SET last_login=?, ip=? WHERE username=?";
        $statement = $connect->prepare($sql);
        $statement->execute(array($dt,$ip,$username));

    }
 
Ah ok. Thanks.

I have removed if($get->rowCount() === 1) and it seems to be working now.

Is it okay that I have removed that? Was it doing anything important?

If I echo the row count it's coming up 0, but there is a row in the table and the login works. It just spits out the error.
 
You shouldn't remove it, it was there to check if the username exists. Just declare the variable $db_password = null; at the start of the script (do the same for $db_username). That way, if rowCount() isn't 1, it will still exist as a variable and won't throw up an error.
 
Okay, I put it back in.

But if the rowcount is 0, is it actually worth putting back in? Is it doing anything?

From what I have read, it only returns a row number if I do something that affects the table, so only checking the posted username against the database one shouldn't return anything?
 
From what I see, it's checking if the username exists before it even checks if the password is correct.

Whatever username you're running it against isn't bringing back any rows from the table.

I'm guessing you didn't write the code but you're just using it in your script?

Either way, the error you were getting was because the variables $db_username and $db_password were uninitialized due to rowCount() being 0.

If you look at the top part of your code where it initializes $username and $password = ''; then you can see the same thing has been done for those variables.
 
Just move the final if statement block inside the one that checks if a user was found in the database for the given username.


PHP:
    $username = '';
    if(isset($_POST['username']))
    $username = htmlentities($_POST['username']);

    $password = '';
    if(isset($_POST['password']))
    $password = $_POST['password'];    

	$sql = "SELECT * FROM login WHERE username=?"; 
	$get = $connect->prepare($sql);
	$get->execute(array($username)); 
	
	if($get->rowCount() === 1)
	{
		$row = $get->fetch(PDO::FETCH_ASSOC); // Fetch the result
		
		$db_username = $row['username'];
		$db_password = $row['password']; 

            if(password_verify($password, $db_password)) { 
 
	        $_SESSION['username'] = $db_username;
      
	        $sql = "UPDATE login SET last_login=?, ip=? WHERE username=?";
	        $statement = $connect->prepare($sql);
	        $statement->execute(array($dt,$ip,$username)); 
	
	    }

	}

Ignore the **** indentation
 
Do as above, Fez's solution, however you should be catching the errors (and scrubbing sessions) on both no user existing (first IF condition) and when the user exists but the password doesn't match (second IF condition).


Okay, I put it back in.
From what I have read, it only returns a row number if I do something that affects the table...

It returns the number of rows based on the query (it's worth limiting the returned results, i.e. use LIMIT 1 in the query).

So in this case, if the input username exists in the table then it'll return a value greater than zero (unless you allow multiple users with the same username, then it'll return '1'); if not then zero.
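
The login check discussed in this thread, as an added example that is not part of any post: it tests the result of fetch() instead of rowCount(), which the PDO documentation does not guarantee for SELECT statements on every driver, and it handles both failure paths mentioned above. The function name find_verified_user, the in-memory SQLite database (needs the pdo_sqlite extension) and the sample user are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. The `login` table follows the
// thread; the in-memory SQLite database and the user "alice" are constructed.

function find_verified_user(PDO $db, string $username, string $password): ?string
{
    $stmt = $db->prepare('SELECT username, password FROM login WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);

    // fetch() returns false when no row matched, so the existence check does
    // not depend on rowCount(), which PDO does not guarantee for SELECT.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // first failure path: no such user
    }
    if (!password_verify($password, $row['password'])) {
        return null; // second failure path: user exists, password does not match
    }
    return $row['username'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, last_login TEXT, ip TEXT)');
$db->prepare('INSERT INTO login (username, password) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed attempts: valid login, wrong password, unknown user.
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ['nobody', 'x']] as [$name, $pass]) {
    $user = find_verified_user($db, $name, $pass);
    if ($user === null) {
        // In a web request: clear $_SESSION here. Both failure paths get the
        // same message so the response does not reveal which usernames exist.
        echo "$name: invalid username or password\n";
        continue;
    }
    // In a web request: session_regenerate_id(true); $_SESSION['username'] = $user;
    $db->prepare('UPDATE login SET last_login = ?, ip = ? WHERE username = ?')
       ->execute([date('c'), '127.0.0.1', $user]);
    echo "$name: logged in\n";
}
```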
 