sqlsrv_query doesn't insert into database - php

Select statement is working but insert into is not. $Username and $password exists. What could be the problem?
<?php
session_start();
include('config.php');
if (isset($_POST['register'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$password_hash = password_hash($password, PASSWORD_BCRYPT);
$query = "SELECT * FROM k WHERE su=?";
$params = array($username);
$options = array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
$stmt = sqlsrv_query( $conn, $query, $params,$options);
$row_count = sqlsrv_num_rows( $stmt );
if ($row_count> 0) {
$msg="<span style='color:red'>USER EXISTS</span>";
}
else if ($row_count == 0) {
$options2 = array( "Scrollable" => SQLSRV_CURSOR_KEYSET );
$query2 = "INSERT INTO k (su,s) VALUES (?,?)";
$params2 = array($username,$password_hash);
$stmt2= sqlsrv_query($conn, $query2,$params2);
//header("location:giris.php");
}
}
?>
Edit: used
$errors = sqlsrv_errors(); foreach($errors as $error) { echo $error;}
to see errors and got Warning: Array to string conversion
password_hash is Array$2y$10$r3G2... but with echo(reset($password_hash)); result is : Argument #1 ($array) must be of type array, string given


Frustrating, but the data type of password was nvarchar(50) in database, and password_hash consists of more than 50 chars. This was the issue.

Related

If Else with isset: else part does not work [PHP]

Hello i dont get the $msg shown if my Username and Password is not the correct one.´Here is the php isset Part.
if(isset($_POST['Submit'])){
$Username = $_REQUEST['Username'];
$Password = $_REQUEST['Password'];
$hashed_password = '$2y$10$KWpZCg/vOumvk0TFiauhqu2kmBvDw3T0RwdWBrofKfgBkdI8ApyXe';
echo $hashed_password;
$tsql = "SELECT * FROM MasterarbeitDB.dbo.Benutzer";
$stmt = sqlsrv_prepare( $conn, $tsql, array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
if (sqlsrv_execute($stmt)) {
while( $obj = sqlsrv_fetch_array( $stmt, SQLSRV_FETCH_ASSOC)) {
if(password_verify($Password, $hashed_password) && $obj['Benutzer'] == $_POST['Username']) {
$_SESSION['valid_user'] = true;
$_SESSION['Username'] = $Username;
header("location:ma_Qualianlegen.php?QualiID=".$QualiID."&TestaufstellungID=".$TestaufstellungID."&Bezeichnung=".$Bezeichnung."&StatusID=".$StatusID."&TID=". $TID ."&AuftragsID=". $AuftragsID ."");
exit;
}else {
$msg="<span style='color:red'>falsche Login-Date</span>";
}
}
}
}
Any help why this happen? thx

How do I solve "Parameter must be an array or an object that implements Countable?" [duplicate]

This question already has answers here:
Checking if mysqli_query returned any values?
(2 answers)
Closed 2 years ago.
Warning: count(): Parameter must be an array or an object that
implements Countable in C:\xampp\htdocs\try\process.php on line 30.
That's what my code says. it seems so fine but when I press edit, this error shows. I don't understand. can someone point me out what happened in line 30?
here is my process.php
<?php
require("1password.php");
$id = 0;
$update = false;
$username='';
$password='';
if (!session_id()) { session_start(); }
$mysqli = new mysqli("localhost","root","","id7508046_isalon") or die(mysqli_error($mysqli));
if(isset($_POST['save'])){
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("INSERT INTO isalonusers (username, password) values ('$username', '$passwordHash')") or die($mysqli->error);
$_SESSION['message'] = "New account saved!";
$_SESSION['msg_type'] = "success";
header("location: userlist.php");
}
if(isset($_GET['delete'])){
$id = $_GET['delete'];
$mysqli->query("DELETE FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account Deleted!";
$_SESSION['msg_type'] = "danger";
header("location: userlist.php");
}
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
if(count($result)==1){
$row = $result->fetch_array();
$username = $row['username'];
$password = $row['password'];
}
}
if(isset($_POST['update'])){
$id = $_POST['id'];
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("UPDATE isalonusers SET username ='$username', password='$passwordHash' WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account has been updated!";
$_SESSION['msg_type'] = "warning";
header("location: userlist.php");
}
?>

As a matter of fact, you never need to count anything. This step is just redundant.
If you give it a bit of a thought, you can simply fetch your data first and then use it in the condition. What is much more important, you must use a parameterized query. So the code should be
$stmt = $mysqli->prepare("SELECT * FROM isalonusers WHERE user_id=?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// here goes your problem with "count"
$row = $result->fetch_array(MYSQLI_ASSOC)
if($row) {
$username = $row['username'];
$password = $row['password'];
}
Neither should you use that terrible practice with or die

How about this way with $result->num_rows?
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error);
if(isset($result->num_rows) && $result->num_rows > 0){
$row = $result->fetch_array(MYSQLI_ASSOC);
$username = $row['username'];
$password = $row['password'];
}
}
See ref.: http://php.net/manual/en/mysqli.query.php

return statement not return any value in php function

Can someone tell me why my return statement is not return any value in data[0] however if i choose to echo it, it shows that there is a value in data[0] but wouldn't work with the return statement.
include_once("Init/Initialize.php");
if(isset($_POST['username']) && isset($_POST['password'])){
$username = $_POST['username'];
function username_in_use($username){
$query = "SELECT COUNT(`userId`) FROM `users` WHERE `username`=?";
$statement = mysqli_prepare($dblink, $query);
mysqli_stmt_bind_param($statement, 's', $username);
mysqli_stmt_execute($statement);
$result = mysqli_stmt_get_result($statement);
$data = mysqli_fetch_array($result, MYSQLI_NUM );
return $data[0] ;
}
echo username_in_use($username);
}

Check if email already exist [duplicate]

This question already has answers here:
Check if email already exists in database
(4 answers)
Closed 6 years ago.
How do I check if the email already exist in the database and deny the registration?
MySQL was the one taught to me and I'm currently on a wall using MySQLi.
Here is the code that I'm currently working on using MySQLi:
<?php
$cookie_name = "loggedin";
$servername = "localhost";
$username = "root";
$password = "";
$database = "scholarcaps";
$conn = mysqli_connect($servername, $username, $password, $database);
if (!$conn) {
die("Database connection failed: ".mysqli_connect_error());
}
if (isset($_POST['login']))
{
$user = $_POST['username'];
$pass = $_POST['password'];
$phash = sha1(sha1($pass."salt")."salt");
$sql = "SELECT * FROM users WHERE username='$user' AND password='$phash';";
$result = mysqli_query($conn, $sql);
$count = mysqli_num_rows($result);
if ($count == 1)
{
$cookie_value = $user;
setcookie($cookie_name, $cookie_value, time() + (180), "/");
header("Location: personal.php");
}
else
{
echo "Username or password is incorrect!";
}
}
else if (isset($_POST['register']))
{
$user = $_POST['username'];
$email = $_POST['email'];
$pass = $_POST['password'];
$phash = sha1(sha1($pass."salt")."salt");
$sql = "INSERT INTO users (id, email, username, password) VALUES ('','$email', '$user', '$phash');";
$result = mysqli_query($conn, $sql);
}
?>

Despite using mysqli your code is still vulnerable to sql injection as you directly embed variables in the sql statements - use prepared statements to avoid nasty surprises. The following is not tested but should show how you can use prepared statements. There are better ways of hashing the password - such as password_hash and also password_verify though these are not available in PHP versions prior to 5.5
$response=array();
$cookie_name='loggedin';
$dbhost = 'localhost';
$dbuser = 'root';
$dbpwd = '';
$dbname = 'scholarcaps';
$db = new mysqli( $dbhost, $dbuser, $dbpwd, $dbname );
if( isset( $_POST['login'] ) ) {
$user = $_POST['username'];
$pass = $_POST['password'];
$phash = sha1( sha1( $pass . "salt" ) . "salt" );
$sql='select `username`, `password` from `users` where `username`=? and `password`=?';
$stmt=$db->prepare( $sql );
if( $stmt ){
$stmt->bind_param( 'ss', $username, $phash );
$result=$stmt->execute();
if( !$result ) $response[]='Query failed';
$stmt->store_result();
$stmt->bind_result( $name, $pwd );
$stmt->fetch();
if( $stmt->num_rows()==0 ) $response[]='No such user';
else {
$stmt->free_result();
$stmt->close();
$db->close();
setcookie( $cookie_name, $user, time() + 180, "/" );
exit( header( "Location: personal.php" ) );
}
$stmt->free_result();
$stmt->close();
$db->close();
/* show errors */
if( !empty( $response ) ){
echo '<ul><li>',implode('</li><li>',$response),'</li></ul>';
}
}
} elseif( $_POST['register'] ){
$user = $_POST['username'];
$email = $_POST['email'];
$pass = $_POST['password'];
$phash = sha1( sha1( $pass . "salt" ) . "salt" );
/* Does the email address already exist? */
$emailfound=false;
$sql='select `email` from `users` where `email`=?';
$stmt=$db->prepare( $sql );
if( $stmt ){
$stmt->bind_param('s',$email);
$result=$stmt->execute();
if( $result ){
$stmt->store_result();
$stmt->bind_result( $emailfound );
$stmt->fetch();
$stmt->free_result();
}
}
if( $emailfound ){
echo 'Sorry, that email address already exists in our database. Please try again with a different address.';
$stmt->close();
$db->close();
} else {
/* the `id` should be automatically generated I assume - hence being omitted here */
$sql='insert into `users` (`email`, `username`, `password`) values (?,?,?);';
$stmt=$db->prepare( $sql );
if( $stmt ){
$stmt->bind_param( 'sss', $email, $username, $phash );
$result=$stmt->execute();
$stmt->free_result();
$stmt->close();
$db->close();
if( $result ) header('Location: login.php');
else{
/* failed to register the user */
}
}
}
}

I solved this problem by setting my email column with unique attribute. After the registration submit you can catch the mysqli_errno(). So you will see if there is a duplicate entry.
You will save a check-query with this solution.

If you don't want to match the email, you just want to make sure an email address exists, you could...
$sql = "SELECT * FROM users WHERE username='$user' AND password='$phash' AND email<>'';";
or, to specify a minimum length...
$sql = "SELECT * FROM users WHERE username='$user' AND password='$phash' AND LEN(email) > 0;";

Use this php function for get record count in db
$count=mysqli_num_rows($result)
after check it more than 0 or not

Try this,
add this code after sha1
$result = mysql_query("select COUNT(id) from users where email='".$email."'");
$count = mysqli_num_rows($result);
if($count > 0){
echo "email exist";
}else
{
$sql = "INSERT INTO users (id, email, username, password) VALUES ('','$email', '$user', '$phash');";
$result = mysqli_query($conn, $sql);
}

How to encrypt the password in the login form using php

I created a form to insert data(username & password) in sql server. the password there is already encrypted. my problem now is am I going to insert the $encrypt_pass in my parametrized query.
<?php
$pass= $_POST['pass'];
$encrypt_pass=md5($pass);
$params = array($_POST['user'], $encrypt_pass);
$server = "MELODY-PC\SQLEXPRESS";
$options = array("Database"=>"customerdb", "UID"=>"dbadmin", "PWD"=>"melodyjerah");
$conn = sqlsrv_connect($server, $options);
$sql = "SELECT * FROM accounting_login WHERE username = ? and password = ?";
$stmt = sqlsrv_query($conn, $sql, $params);
if(sqlsrv_has_rows($stmt))
{
header("Location: page_accounting.php");
}
else
{
echo "Invalid USERNAME or PASSWORD!";
}
?>

If you have php 5.5, use this
$password = password_hash($password_from_input, PASSWORD_DEFAULT); //store this in db
In login_form.php
$true = password_verify($password_from_input, $password_in_db); // returns TRUE or FALSE
You do not need salt, just a password column will do

Categories