I got a piece of code below where it performs certain php/mysqli tasks on validation and success. The problem I am having with the code below is that if the user enters in an incorrect username or email which is determined by a SELECT query, if there is no matching username and email then it should display the error message Your Username or Email was not Correct. But instead it is displaying this error message An error has occured, your Email was not sent containing your new Password.
My question is that why is it displaying the incorrect error message and how can I get it to dispaly the correct error message?
if(isset($_POST['resetbtn'])){
//get form data
$user = $_POST['user'];
$email = $_POST['email'];
$errors = array();
if(!$errors) {
$query = "SELECT TeacherUsername, TeacherEmail FROM Teacher WHERE TeacherUsername = ? AND TeacherEmail = ?";
// prepare query
$stmt=$mysqli->prepare($query);
// You only need to call bind_param once
$stmt->bind_param("ss",$user, $email);
// execute query
$stmt->execute();
// get result and assign variables (prefix with db)
$stmt->bind_result($dbTeacherUsername, $dbTeacherEmail);
//get number of rows
$stmt->store_result();
$numrows = $stmt->num_rows();
if ($numrows == 1){
$pass = rand();
$teacherpassword = md5($pass);
$teacherpassword = substr($pass, 0, 15);
$teacherpassword = md5(md5("g3f".$pass."rt4"));
//update password in db
$updatesql = "UPDATE Teacher SET TeacherPassword = ? WHERE TeacherUsername = ?";
$update = $mysqli->prepare($updatesql);
$update->bind_param("ss", $teacherpassword, $user);
$update->execute();
$query = "SELECT TeacherUsername, TeacherPassword FROM Teacher WHERE TeacherUsername = ? AND TeacherPassword = ?";
// prepare query
$stmt=$mysqli->prepare($query);
// You only need to call bind_param once
$stmt->bind_param("ss",$user,$teacherpassword);
// execute query
$stmt->execute();
// get result and assign variables (prefix with db)
$stmt->bind_result($dbTeacherUsername, $dbTeacherPassword);
//get number of rows
$stmt->store_result();
$selectnumrows = $stmt->num_rows();
}else{
if(!$numrows){
$errormsg = "Your Username or Email was not Correct";
$user = "";
$email = "";
}
}
}
if(empty($errors)) {
if ($selectnumrows == 1){
$errormsg = "<span style='color: green'>Your Password has been Reset. An Email has been sent with your New Password</span>";
else{
$errormsg = "An error has occured, your Email was not sent containing your new Password";
}
}
Below is the form:
echo "<form action='./forgotpass.php' method='post'>
<table>
<tr>
<td></td>
<td id='errormsg'>$errormsg</td>
</tr>
<tr>
<td>Username</td>
<td><input type='text' name='user' value='$user'/><br/>".$error_user."</td>
</tr>
<tr>
<td>Email</td>
<td><input type='text' name='email' value='$email'/><br/>".$error_email."</td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='resetbtn' value='Reset Password' /></td>
</tr>
</table>
</form>";
What happens is that if $query returns no rows, first your $errormsg becomes “Your Username or Email was not Correct” and after that it changes to: “An error has occured, your Email was not sent containing your new Password”.
The conditions are exactly the same (same query!), so if the first is true then the second one will be true as well. I’m not sure why you need two identical queries, but if you indeed need it, try changing the $errormsg variables in the last few lines to another variable (e.g. $errormsg2) and echoing them separately in the form.