rowCount() doesn't work with SELECT count(*)

StackOverflow https://stackoverflow.com/questions/23413323

Question

I'm trying to learn PDO, so I'm training by making simple login script.
But there seems to be a problem because my script is not working.

Here is my script:

if(isset($_POST['Submit'])){

    $sql= "SELECT COUNT (*) FROM `managers` WHERE `username` = :username and `password` = :password ";
    $result = $connection->prepare($sql);
    $result->bindParam(":username" ,$_POST['username']);
    $result->bindParam(":password" ,$_POST['password']);
    $result->execute();

    $num=$result->rowCount();
    if($num > 0){
        header("location:index.php");
    }else{
        header("location:login.php");
    }

}

And my HTML form is this: 

<form action="login.php" method="post" enctype="multipart/form-data" name="logform" id="logform" class="form-signin" role="form" >  
    <h2 class="form-signin-heading">LOGIN HERE</h2>  
    <input name="username" id="username" size="30" maxlength="64" type="text" class="form-control" placeholder="Enter Your Username ...">  
    <input name="password" type="password" id="password" size="30" maxlength="24" class="form-control" placeholder="Enter Your Password ...">  
    <input class="btn" name="Submit" type="submit" value="Login"/>  
</form>

No matter what I do, I still header to login.php. I checked my database connection and it's working. I don't know what the problem is. Can you guys help me?

Was it helpful?

Solution

Edit: Original answer was a bit off. You can have the ':' in both places.

Also, this script (if it worked the way you expected) will allow anyone to login regardless of password, because you're using COUNT() then checking how many rows are returned. The number of rows returned by a COUNT() query will be 1. Always 1. It will contain one value, which could be 0, 1, or more.

However: rowCount() does not work on SELECT statements. http://www.php.net/manual/en/pdostatement.rowcount.php

Example #2 Counting rows returned by a SELECT statement

For most databases, PDOStatement::rowCount() does not return the number of rows affected by a SELECT statement. Instead, use PDO::query() to issue a SELECT COUNT(*) statement with the same predicates as your intended SELECT statement, then use PDOStatement::fetchColumn() to retrieve the number of rows that will be returned. Your application can then perform the correct action.

You'll want to give the count an alias, fetch it, and use it.

http://www.php.net/manual/en/pdostatement.fetchcolumn.php

$sql= "SELECT COUNT (*) AS num FROM `managers` WHERE `username` = :username and `password` = :password ";
$result = $connection->prepare($sql);
$result->bindParam(":username" ,$_POST['username']);
$result->bindParam(":password" ,$_POST['password']);
$result->execute();

$num=$result->fetchColumn();
if($num > 0){
    header("location:index.php");
}else{
    header("location:login.php");
}

OTHER TIPS

Storing plain passwords in a database is a grave security flaw.

Passwords must be hashed, and thus you should never actually add a password to the WHERE clause, but fetch the hash instead and then verify it using the dedicated function.

Therefore, a query that selects only a count is simply inapplicable in case of a user login - you must select the record itself.

The proper code (taken from my PDO examples page) would be

$stmt = $pdo->prepare('SELECT * FROM `managers` WHERE `username` = :username');
$stmt->execute(['username' => $_POST['username']]);
$user = $stmt->fetch();

if ($user && password_verify($_POST['password'], $user['password']))
    header("location:index.php");
}else{
    header("location:login.php");
}
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top