Tom8001 Posted August 22, 2015

Hello, I have a login script and I don't get any errors, it just redirects to the suspended.php

Here is the PHP Code:

```php
<?php
session_start();
require_once('./includes/global_config.php');
require('./includes/connect.php');

if($_SERVER['REQUEST_METHOD'] == "POST") {
    $username = $_POST['user'];
    $password = $_POST['pass'];
    $token = $_POST['token'];

    $username = htmlspecialchars($username, ENT_QUOTES);
    $password = htmlspecialchars($password, ENT_QUOTES);
    $token = htmlspecialchars($token, ENT_QUOTES);

    $username = htmlentities($username, ENT_QUOTES);
    $password = htmlentities($password, ENT_QUOTES);
    $token = htmlentities($token, ENT_QUOTES);

    $stmt = $conn->prepare("SELECT username, password, rank, active FROM users");
    $stmt->bindParam("ss", $username, $password);
    $stmt->execute();
    $fetch = $stmt->fetchAll();
    $rank = $fetch['rank'];
    $active = $fetch['active'];

    if($stmt->rowCount() === TRUE) {
        if($rank == 1 || $active == 1) {
            $_SESSION['username'] = $username;
            $_SESSION['loggedIn'] = TRUE;
            $_SESSION['rank'] = $rank;
            echo '<meta http-equiv="refresh" content="0;./admincp/dashboard.php">';
        }
        if($rank == 0 || $active == 1) {
            $_SESSION['username'] = $username;
            $_SESSION['loggedIn'] = TRUE;
            $_SESSION['rank'] = $rank;
            echo '<meta http-equiv="refresh" content="0;./usercp/dashboard.php">';
        }
        if($rank == 0 && $active == 0) {
            $_SESSION['username'] = $username;
            $_SESSION['loggedIn'] = FALSE;
            $_SESSION['rank'] = FALSE;
            echo '<meta http-equiv="refresh" content="0;./suspended.php">';
        } else {
            die("Login Failed.");
        }
    }
}
?>
```

Also I understand I haven't hashed the password yet, this is not public yet.

I'm guessing the problem is

```php
$fetch = $stmt->fetchAll();
$rank = $fetch['rank'];
$active = $fetch['active'];
```

or

```php
$stmt = $conn->prepare("SELECT username, password, rank, active FROM users");
```

Every bit of help is much appreciated

Barand Posted August 22, 2015

Why are you binding params to a query that has no parameters?

Tom8001 Posted August 22, 2015 (Author)

> Why are you binding params to a query that has no parameters?

Tired, Been in a car for 6 hours from holiday :\

scootstah Posted August 22, 2015

As I just mentioned in another reply to you, do not use htmlspecialchars() and htmlentities() at the same time. Pick one or the other. Also, don't use them while inserting data, use them while displaying it.

Ch0cu3r Posted August 23, 2015

What database API are you using? PDO or MySQLi? I assume PDO, as you are using PDO functions in your code. However here

```php
$stmt->bindParam("ss", $username, $password);
```

$stmt->bindParam is a PDO function. But the arguments you are passing to this function are incorrect; ("ss", $username, $password) are MySQLi arguments for binding variables to a query.

As you only want your query to return the row where the username and password match, you need to apply a where clause. You would use placeholders for the username and password values.

```php
$stmt = $conn->prepare("SELECT username, password, rank, active FROM users WHERE username = :username AND password = :password");
```

For each variable you call bindParam, passing the placeholder (name/index) followed by the variable to be bound to that placeholder

```php
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password);
```

When fetching the result from the query you don't want to call fetchAll. Your query will only return one row. So call

```php
$fetch = $stmt->fetch(PDO::FETCH_ASSOC);
```

instead.

$stmt->rowCount() doesn't return a boolean. It returns the number of rows from your query. So you want to check if $stmt->rowCount() equals 1

```php
if($stmt->rowCount() === 1)
```

If you have not output anything then use header('Location: page.php'); to perform the redirect rather than use the HTML meta refresh tag. After calling header make sure you use exit;

Edited August 23, 2015 by Ch0cu3r

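The advice from the replies above, put together as an added example (not code posted by anyone in the thread). It goes one step beyond the thread by checking the password with password_verify() instead of matching it in the WHERE clause. Assumptions: `$conn` is a PDO handle created in includes/connect.php, the `password` column holds password_hash() output, and `active = 1` means the account is not suspended; `authenticate()` is a hypothetical helper name.

```php
<?php
// Added example. Assumes $conn is a PDO handle from includes/connect.php and
// that users.password stores password_hash() output (the thread's table does not yet).
session_start();
require './includes/connect.php';

/** Return the page to redirect to, or null when the login fails. */
function authenticate(PDO $conn, string $username, string $password): ?string
{
    // Bind the raw username to a named placeholder; no HTML escaping on input.
    // Note: rank is a reserved word in MySQL 8.0.2+ and must be quoted there.
    $stmt = $conn->prepare(
        'SELECT username, password, rank, active FROM users WHERE username = :username'
    );
    $stmt->bindParam(':username', $username);
    $stmt->execute();

    // At most one row is expected, so fetch() rather than fetchAll().
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same failure for unknown user and wrong password
    }
    if ((int) $row['active'] !== 1) {
        return './suspended.php'; // assumption: anything but 1 means suspended
    }

    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION['username'] = $row['username'];
    $_SESSION['loggedIn'] = true;
    $_SESSION['rank']     = (int) $row['rank'];

    return (int) $row['rank'] === 1 ? './admincp/dashboard.php' : './usercp/dashboard.php';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['user'] ?? '';
    $pass = $_POST['pass'] ?? '';
    // Reject array-valued fields (user[]=...) before they reach the typed helper.
    $target = (is_string($user) && is_string($pass)) ? authenticate($conn, $user, $pass) : null;
    if ($target === null) {
        http_response_code(401);
        exit('Login Failed.');
    }
    header('Location: ' . $target); // nothing has been output yet, so header() works
    exit;
}
```
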