Printing from SQL to PHP?

Question

I've been trying to write a PHP program that gives users the ability to register for an account and login once registered. I've managed to prevent the registration of multiple usernames and store all registered usernames and the corresponding passwords in a SQL table, but I'm trying to get login working by verifying passwords, and PHP doesn't seem to be recognizing anything from SQL. I've tried countless variations of mysqli_fetch_array and mysqli_fetch_assoc to no avail. Entirety of PHP code is posted below, with comments specifying the most relevant parts.

<?php session_start(); ?>
<html>
<head>
  <title>Test Form</title>
</head>

<body>
<link rel="stylesheet" type="text/css" href="main.css" />

<?php
include('mydbinfo.php');

$conn = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
if ($conn->connect_error) {
    echo("<font color='red'><p>Unable to connect to the database system</font>"."<font color='red'>Please try later.</font></p>");
    exit();
}

if($_POST["email"].value == "" or $_POST["password"].value == "") {
    print("<font color='red'><p>Sorry, you must enter values into each field.</font></p>"); 
} else {
    $mail = $_POST["email"];
    $_SESSION["sessUsername"] = $mail;
    $pass = $_POST["password"];
    $query = "SELECT user_password FROM logins WHERE email='$mail'";

    $result=mysqli_query($conn,$query);

    while($name = mysqli_fetch_array($result)) {
        array_push($names,$name['email']);

        for($n = 0; $n < count($names); $n++) {
            if($names[$n] == $name['email']) {
                $names++;
            }
        }

    }

    //Number of instances of SQL query result found in table.
    $count = mysqli_num_rows($result);

    if($count > 0) {

        //Supposed to contain password which corresponds to a given user ID.
        //This is the main issue.
        $new=mysqli_fetch_array($result);

        if($pass == $new) {
            print "<font color='red'><p>Welcome back, $mail!</p></font>";
        } else {
            print "<font color='red'>Your reservation was invalid.</font>";
            print($pass);
            print($result);
        }

    } else {
      echo "<font color='red'>Not found in table.</font>";
    }
}
?>

</body>
</html>
<?php>

Answer 1

GolezTrol's answer and the additional information provided by joaomlap's answer do a great job of answering this question. I just thought I'd touch on a few other things that might not be causing frustrations as of now, but eventually they might.

---

First - The <font> and <p> tags are not correctly ordered in the following lines of code:

echo("<font color='red'><p>Unable to connect to the database system</font>"
      ."<font color='red'>Please try later.</font></p>")

print("<font color='red'><p>Sorry, you must enter values into each field.
       </font></p>");

You should switch around the opening <font> and <p> tags to look like:

echo("<p><font color='red'>Unable to connect to the database system</font>"
      ."<font color='red'>Please try later.</font></p>")

print("<p><font color='red'>Sorry, you must enter values into each field.
       </font></p>");

Better yet, you should give the <p> tags an id like <p id='red-text'> and edit your main.css stylesheet to change the text color of the red-text ids. Thus eliminating the need for the <font> tags all together.

Second - All <link> tags should be located between the opening and closing <head> tags and below the <title> tag, if a <title> tag is present.

[The <link> tag] goes only in the head section, but it can appear any number of times.
- From: HTML link tag - W3Schools

So your code:

<head>
  <title>Test Form</title>
</head>

<body>
  <link rel="stylesheet" type="text/css" href="main.css" />
  <!-- more code -->
</body>

Should be changed to:

<head>
  <title>Test Form</title>
  <link rel="stylesheet" type="text/css" href="main.css" />
</head>

<body>
  <link rel="stylesheet" type="text/css" href="main.css" />
  <!-- more code -->
</body>

Third - What's up with the dangling <?php tag at the end of your code? Only when used in a file of pure php code, can the benefits of not closing a <?php tag be reaped.

If a file is pure PHP code, it is preferable to omit the PHP closing tag at the end of the file. This prevents accidental whitespace or new lines being added after the PHP closing tag, which may cause unwanted effects because PHP will start output buffering when there is no intention from the programmer to send any output at that point in the script. - The PHP Manual

Answer 2

Just to complement the answer given by GolezTrol, I think you should consider reading about prepared statements, it is a simple way to prevent SQL injection that is a major threat in your code.

You can simply check if the combination email:password exists by simply executing this query:

SELECT email FROM logins WHERE email=? AND user_password=?

If you have any rows in your result, the login credentials are correct. With this query your are set to do prepared statements, read this.

Answer 3

When you fetch, you fetch an entire row (or an entire dataset).

In your case, you used a while loop to traverse through all rows. After that, you fetch another row again, but that won't work, because you have already fetched all rows using the loop.

Moreover, you compare the array you get (the entire row) with $pass, which of course won't work either.

So, this snippet:

$new=mysqli_fetch_array($result);
if ($pass==$new)
{
print "<font color='red'><p>Welcome back, $mail!</p></font>";
}

Should just be

if ($name['user_password'] == $pass) 
{
  print "<font color='red'><p>Welcome back, $mail!</p></font>";
}

$name is the variable in which you read the row(s) that match the e-mail address, so by changing the code as I suggested makes your code use the last password that matches.

After that, there are other issues to resolve. First of all, when logging in, you shouldn't need a while loop. Hopefully there is only one account that matches, and you should take precautions to make sure you cannot create duplicate accounts in the first place.

Also $name is not the best name for that variable, since it contains an entire row, with a name and password in it.

Also, I noticed that the query doesn't return the name or e-mail at all, so the loop that verifies them probably doesn't work either. So maybe it's a good idea to have another close look, or even start over. After all, you've been experimenting and although that is very informative, it also makes a mess of the code. Sometimes it's better to start over and put the knowledge you gained to use to build a new and improved version.