
Ran into an error when creating a Prepared statement to login PHP

I keep running into the error where PHP says "We're sorry we can't log you in." according to one of the conditions I set, even if the login is correct, and hence my prepared-statement system to avoid SQL injection fails.

So my code goes like this:

<?php
global $connected;

$post = filter_var_array($_POST, FILTER_SANITIZE_STRING);
$pwwd = $post['password'];
$usrn = $post['username'];
$usrn = mysqli_real_escape_string($connected, $usrn);
$pwwd = mysqli_real_escape_string($connected, $pwwd);

if (strlen($usrn) != 0 && strlen($pwwd) != 0 && !empty($post)) {
    $usrn = stripslashes($usrn);
    $pwwd = stripslashes($pwwd);
    $hashFormat = '$2ysomenumber$';
    $salt = 'somehashobviously';
    $hashF_and_salt = $hashFormat.$salt;
    $pwwd = crypt($pwwd, $hashF_and_salt);

    if (!mysqli_connect_errno()) {
        mysqli_select_db($connected, 'someDbname') or die('Database select error');
    } else {
        die('Failed to connect to PHPMyAdmin ' . mysqli_connect_error());
    }

    $query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?";

    $stmt = mysqli_stmt_init($connected);

    if (mysqli_stmt_prepare($stmt, $query)) {
        //Some error in here somewhere

        mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
        mysqli_stmt_execute($stmt);

        mysqli_stmt_fetch($stmt);

        mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd);

        if (strcasecmp($usrn, $check_usrn) == 0) {
            if ($pwwd == $check_pwd) {
                echo '<h1 class="text-center">Matches</h1>';
                print_r($row); // note: $row is never assigned above
            }

        } else {
            echo "<h1 class=text-center>We're sorry we can't log you in.</h1>";
        }

    }

} else { //This is for strlen boolean cond
    echo "<h1 class='text-center'>Both fields must not be empty.</h1>";
}

I used to use a login page without prepared statements which was working, but I realised I need to do this for better security. My database is working fine so the problem is near where I added the comment "//Some error in here somewhere".

I am a relatively new PHP programmer, still a first-year student trying daring new things in the holidays! I will openly read all the help I get, thank you!

First, I didn't see your connection code for connecting to the database, which is like this: $connected = mysqli_connect(host, user, password, db_name); then you don't need to call the mysqli_select_db() function.

Secondly, you are checking your connection with the mysqli_connect_errno() function, which returns 0 as an integer (not a boolean) if there is no error code value for the last mysqli_connect() call.

Third, there is no need to initialize the prepared statement.

Fourth, mysqli_stmt_bind_result() comes before mysqli_stmt_fetch(). See the note in the manual.

Use the hash_equals() function to match the password instead of ===. See the warning section in crypt.

$connected = mysqli_connect(host, user, password, db_name); // database chosen here, no mysqli_select_db() needed
if (!$connected) {
    die('Connect Error (' . mysqli_connect_errno() . ') ' . mysqli_connect_error());
}
echo "Your connection is successful.";

$query = "SELECT Username, Password FROM users WHERE Username=? AND Password=?";

if ($stmt = mysqli_prepare($connected, $query)) {
    mysqli_stmt_bind_param($stmt, "ss", $usrn, $pwwd);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $check_usrn, $check_pwd); // bind the result variables first
    mysqli_stmt_fetch($stmt);                                // then fetch into them
    /* Now do Your Work */
} else {
    /* still prepare statement doesn't work */
}
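The answer's four points assembled into one complete login flow, as an added example that is not code from the question or the answer above. It connects with mysqli_connect() (so mysqli_select_db() is unnecessary), prepares with mysqli_prepare(), binds result variables before fetching, and compares hashes with hash_equals(). It also departs from the question's design in one way: instead of a single salt constant shared by every user, each user's Password column holds a per-user bcrypt hash from password_hash(), which means the password can no longer go into the WHERE clause; the row is looked up by username and the hash is verified in PHP. Assumed, and not on the original page: the `users` table with columns Username and Password, the placeholder connection settings, and the register() helper.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's or the answerer's code).
// Assumptions: table `users` (Username, Password) where Password stores a
// bcrypt hash produced by password_hash(); placeholder connection settings.

// Make mysqli throw mysqli_sql_exception instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function db_connect(): mysqli
{
    // Placeholder credentials (assumption); load them from config/env in practice.
    return mysqli_connect('localhost', 'dbuser', 'dbpass', 'someDbname');
}

// Store a new user. password_hash() picks a random per-user salt and embeds
// it in the returned string, so no shared salt constant is needed.
function register(mysqli $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = mysqli_prepare($db, 'INSERT INTO users (Username, Password) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $username, $hash);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Verify a login. The password never goes into the WHERE clause: with a
// per-user salt the hash cannot be recomputed before the row is read, and
// comparing in PHP avoids MySQL's case-insensitive string equality.
function login(mysqli $db, string $username, string $password): bool
{
    if ($username === '' || $password === '') {
        return false;
    }

    // Parameters travel separately from the SQL text, so there is no
    // mysqli_real_escape_string()/stripslashes() step. Do not pass the
    // password through FILTER_SANITIZE_STRING either: it alters the value
    // before hashing.
    $stmt = mysqli_prepare($db, 'SELECT Password FROM users WHERE Username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash); // bind first ...
    $found = mysqli_stmt_fetch($stmt);            // ... then fetch (true = a row was read)
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        // Unknown user: still perform one bcrypt computation so response
        // time does not reveal whether the username exists.
        static $dummyHash = null;
        $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_BCRYPT);
        crypt($password, $dummyHash);
        return false;
    }

    // crypt() with the stored hash as its salt re-derives the same hash when
    // the password matches; hash_equals() compares in constant time.
    // password_verify($password, $storedHash) performs the same two steps.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Form handler, with the same messages as the question's page.
$u = (string) ($_POST['username'] ?? '');
$p = (string) ($_POST['password'] ?? '');
if ($u === '' || $p === '') {
    echo "<h1 class='text-center'>Both fields must not be empty.</h1>";
} elseif (login(db_connect(), $u, $p)) {
    echo '<h1 class="text-center">Matches</h1>';
} else {
    echo "<h1 class=\"text-center\">We're sorry we can't log you in.</h1>";
}
```

With mysqli_report() set to strict mode, a failed connect or prepare raises mysqli_sql_exception, so the `if (!$connected)` and `if ($stmt = mysqli_prepare(...))` checks from the answer are replaced by exception handling; catch mysqli_sql_exception at the top level and log it rather than echoing mysqli_connect_error() to the browser.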
