got this:
public function Register($uname,$pass,$mail)
{
try
{
$new_password = password_hash($pass, PASSWORD_DEFAULT);
$stmt = $this->db->prepare("INSERT INTO users(username,email,password)
VALUES(:uname, :mail, :pass)");
$stmt->bindparam(":uname, $uname");
$stmt->bindparam(":mail, $mail");
$stmt->bindparam(":pass, $new_password");
$stmt->execute();
}
catch (PDOException $e)
{
echo $e->getMessage();
}
}
When I am trying to register it throws me an error: SQLSTATE[HY093]: Invalid parameter number: no parameters were bound. I was looking through the internet for the answer, but didn't find it yet; maybe you guys have some ideas?
You should use bindparam(':name', $name) instead of bindparam(':name, $name'). The first argument is the name of the parameter slug, and the second argument is the variable you want to bind.
public function Register($uname,$pass,$mail)
{
try
{
$new_password = password_hash($pass, PASSWORD_DEFAULT);
$stmt = $this->db->prepare("INSERT INTO users(username,email,password)
VALUES(:uname, :mail, :pass)");
//note the quotes!
$stmt->bindParam(":uname", $uname);
$stmt->bindParam(":mail", $mail);
$stmt->bindParam(":pass", $new_password);
$stmt->execute();
}
catch (PDOException $e)
{
echo $e->getMessage();
}
}
Just a quick question: is this function secure, and if not, how can I make it more secure?
public function Reg($name, $email, $password)
{
try {
$db=DB();
$state = $db->prepare("INSERT INTO reg (name, email, password) VALUES (:name, :email, :password)");
$state->bindParam("name", $name);
$state->bindParam("email", $email);
$encpass= hash('sha256', $password);
$state->bindParam("password", $encpass, PDO::PARAM_STR);
$state->execute();
return $db->lastInsertId();
} catch (PDOException $e){
exit($e->getMessage());
}
}
As always, thanks in advance for any help; it's much appreciated.
So is this correct?
public function Reg($name, $email, $password)
{
try {
$db=DB();
$state = $db->prepare("INSERT INTO reg (name, email, password) VALUES (:name, :email, :password)");
$state->bindParam("name", $name);
$state->bindParam("email", $email);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$state->bindParam("password", $hashed_password, PDO::PARAM_STR);
$state->execute();
return $db->lastInsertId();
} catch (PDOException $e){
exit($e->getMessage());
}
}
This is the code of my class, only relevant parts of course:
class User {
public $id;
public function __construct($email, $password, $firstName, $lastName) {
$db = Connection::getInstance();
// check if user exists
$id = User::findUserByEmail($email);
if($id > 0){
// echo "User already exists!";
return -1;
}
// Create new row in users table
$stmt = $db->prepare("INSERT INTO `mapdb`.`user` (`email`, `password`, `firstName`, `lastName`)
VALUES (:email, :password, :firstName, :lastName);");
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->bindParam(':firstName', $firstName, PDO::PARAM_STR);
$stmt->bindParam(':lastName', $lastName, PDO::PARAM_STR); // bind the last name, not $firstName
$stmt->execute();
// check if user added successfully
$newID = User::findUserByEmail($email);
if($newID > 0){
echo "success, ID = ".$newID;
$this->$id = $newID;
// $this->$email = $email;
// $this->$firstName = $firstName;
// $this->$firstName = $firstName;
} else {
echo "failure";
return -1;
}
}
}
And where I actually call the constructor:
$user = new User($email, $password, $firstName, $lastName);
echo "<br>userid: ".$user->id; // (<-- this doesn't echo correctly)
I cannot get the value from the User object whatever I try.
At the moment I get the following error:
Notice: Undefined variable: id
What could possibly deny me access from the variable?
Problem solved, instead of
$this->$id = $newID;
I should have
$this->id = $newID;
Thank goodness for stackoverflow :D
I have two tables, login and users. In table login I have user_id (primary key), username (varchar) and password (varchar), and in table users id (primary key), username (varchar) and user_id (int). What I want to happen is that when I insert a record into table login, the user_id should also be inserted into user_id in table users. Please help me with it.
Here's my code for insertion
public function create($username,$password,$province)
{
try
{
$stmt = $this->db->prepare("INSERT INTO login(username,password,province) VALUES(:username, :password, :province)");
$stmt->bindparam(":username",$username);
$stmt->bindparam(":password",$password);
$stmt->bindparam(":province",$province);
$stmt->execute();
$stmt = $this->db->prepare("INSERT INTO sample(username) VALUES (:username)");
$stmt->bindparam(":username",$username);
$stmt->execute();
return true;
}
catch(PDOException $e)
{
echo $e->getMessage();
return false;
}
}
As of now what I have done is inserting a record into both tables at the same time, but I'm kinda struggling with how to insert the user_id from table login into user_id in table users.
You should be able to use PDO::lastInsertId -> $this->db->lastInsertId();
public function create($username,$password,$province)
{
try
{
$stmt = $this->db->prepare("INSERT INTO login(username,password,province) VALUES(:username, :password, :province)");
$stmt->bindparam(":username",$username);
$stmt->bindparam(":password",$password);
$stmt->bindparam(":province",$province);
$stmt->execute();
$user_id = $this->db->lastInsertId();
$stmt = $this->db->prepare("INSERT INTO sample(username,user_id) VALUES (:username, :user_id)");
$stmt->bindparam(":user_id",$user_id);
$stmt->bindparam(":username",$username);
$stmt->execute();
return true;
}
catch(PDOException $e)
{
echo $e->getMessage();
return false;
}
}
Alternatively you could do an INSERT ... SELECT ... query, which would look like -
INSERT INTO sample(username,user_id) SELECT :username, user_id FROM login WHERE username = :username1
so your function would look like -
public function create($username,$password,$province)
{
try
{
$stmt = $this->db->prepare("INSERT INTO login(username,password,province) VALUES(:username, :password, :province)");
$stmt->bindparam(":username",$username);
$stmt->bindparam(":password",$password);
$stmt->bindparam(":province",$province);
$stmt->execute();
$stmt = $this->db->prepare("INSERT INTO sample(username,user_id) SELECT :username, user_id FROM login WHERE username = :username1");
$stmt->bindparam(":username",$username);
$stmt->bindparam(":username1",$username);
$stmt->execute();
return true;
}
catch(PDOException $e)
{
echo $e->getMessage();
return false;
}
}
You can create a database trigger like
Create or replace trigger <trigger_name> after insert login ...
in which, on insert into the first table, you insert a record into the other table with the same id. You can create a trigger as specified
Here
You haven't defined $user_id.
Make changes to the function like this:
public function create($username,$password,$province)
{
try
{
$stmt = $this->db->prepare("INSERT INTO login(username,password,province) VALUES(:username, :password, :province)");
$stmt->bindparam(":username",$username);
$stmt->bindparam(":password",$password);
$stmt->bindparam(":province",$province);
$stmt->execute();
// make changes here: create $user_id from the id PDO reports for the login row
// (PDO has no insert_id property; that is mysqli's name for the same thing)
$user_id = $this->db->lastInsertId();
$stmt = $this->db->prepare("INSERT INTO sample(username,user_id) VALUES (:username, :user_id)");
// make changes here in user_id instead of user_i
$stmt->bindparam(":user_id",$user_id);
$stmt->bindparam(":username",$username);
$stmt->execute();
return true;
}
catch(PDOException $e)
{
echo $e->getMessage();
return false;
}
}
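Added example (not code from the question or any of the answers above) showing the lastInsertId() approach with both inserts inside one transaction, so that a failure on the second INSERT does not leave a login row without its users row. It runs stand-alone on an in-memory SQLite database through PDO; the column types, the UNIQUE constraint on username and the sample account are assumptions made for the example, and the password is stored through password_hash() rather than in clear text as in the question.

```php
<?php
// Added example: transactional insert into login and users linked by lastInsertId().
// Assumptions: pdo_sqlite is available; table and column names follow the question,
// the rest of the schema and the sample data are constructed for this example.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Exceptions instead of silent false returns, so the catch block below sees every failure
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('PRAGMA foreign_keys = ON');
    $db->exec('CREATE TABLE login (
        user_id  INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL,
        user_id  INTEGER NOT NULL REFERENCES login(user_id))');
    return $db;
}

// Creates the login row and the dependent users row; returns login.user_id
function create(PDO $db, string $username, string $password): int
{
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO login (username, password) VALUES (:username, :password)');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->bindValue(':password', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
        $stmt->execute();

        // Read the generated id right away, before any other INSERT on this connection
        $userId = (int) $db->lastInsertId();

        $stmt = $db->prepare('INSERT INTO users (username, user_id) VALUES (:username, :user_id)');
        $stmt->bindValue(':username', $username, PDO::PARAM_STR);
        $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
        $stmt->execute();

        $db->commit();
        return $userId;
    } catch (PDOException $e) {
        // Either both rows exist or neither: the first insert is undone on any failure
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample run
$db = connect();
$id = create($db, 'alice', 'correct horse battery staple');
printf("login.user_id for alice: %d\n", $id);

// Second registration with the same username violates the UNIQUE constraint and is rolled back
try {
    create($db, 'alice', 'another password');
} catch (PDOException $e) {
    echo "duplicate rejected: ", $e->getMessage(), "\n";
}

// Row counts stay in step: no orphaned rows in either table
$counts = $db->query('SELECT (SELECT COUNT(*) FROM login) AS logins,
                             (SELECT COUNT(*) FROM users) AS users')->fetch(PDO::FETCH_ASSOC);
print_r($counts);
$linked = $db->query('SELECT l.user_id, u.id, u.user_id AS linked_to
                      FROM login l JOIN users u ON u.user_id = l.user_id')->fetchAll(PDO::FETCH_ASSOC);
print_r($linked);
```

lastInsertId() has to be read immediately after the first execute(), before anything else is inserted on the same connection; with ERRMODE_EXCEPTION every failed statement reaches the catch block, where rollBack() removes the login row that would otherwise be left behind, and the exception is rethrown so the caller can report the failure instead of echoing the driver's message to the user.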
I'm trying to create a login system using Slim, jQuery and Ajax. I've got the log-in part working with minimal issues; now I just need to be able to hash the password. I know I can use md5, sha1 and/or a salt to hash, but I know that it is recommended that password_hash is used instead. I know how to hash with any of the other 3 I mentioned because while using bindParam you can just place it around the variable. My question is, how do I use password_hash with bindParam? The closest answer I found on this site didn't do much to help.
My current code is:
$app->post('/addUser/', 'addUser');
function addUser()
{
$request = \Slim\Slim::getInstance()->request();
$q = json_decode($request->getBody());
$sql = "INSERT INTO users(firstName, lastName, userName, password) VALUES (:firstName, :lastName, :userName, :password)";
try{
$db = getConnection(); // same connection helper as in logIn() below
$stmt=$db->prepare($sql);
$stmt->bindParam("firstName", $q->firstName);
$stmt->bindParam("lastName", $q->lastName);
$stmt->bindParam("userName", $q->userName);
$stmt->bindParam("password", $q->password);
$stmt->execute();
$db=null;
}
catch(PDOException $e){
echo $e->getMessage();
}
}
Verify Code:
$app->post('/logIn/', 'logIn');
function logIn()
{
$request = \Slim\Slim::getInstance()->request();
$q = json_decode($request->getBody());
$sql = "SELECT * FROM users WHERE userName=:userName";
try{
$db = getConnection();
$stmt=$db->prepare($sql);
$stmt->bindParam("userName", $q->userName);
$execute = $stmt->execute();
$db = null;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
if($execute == true)
{
$array = $stmt->fetch(PDO::FETCH_ASSOC);
$hashedPassword = $array['password'];
if(password_verify($q->password, $hashedPassword))
{
echo 'Valid';
}
else
{
echo 'Invalid';
}
}
}
Any help would be appreciated.
To encrypt the password you need to create a new variable $hashedPassword, which you will store in the db for each user. When verifying the user you will select a user from the db by passing their username and using password_verify($passToBeVerified, $ourHashedpasswordfromDb); this will return a boolean.
$app->post('/addUser/', 'addUser');
function addUser() {
$request = \Slim\Slim::getInstance()->request();
$q = json_decode($request->getBody());
$hashedPassword = password_hash($q->password, PASSWORD_BCRYPT);
$sql = "INSERT INTO users(firstName, lastName, userName, password) VALUES (:firstName, :lastName, :userName, :password)";
try {
$db = getConnection(); // the connection helper used by logIn() in the question
$stmt = $db->prepare($sql);
$stmt->bindParam(":firstName", $q->firstName);
$stmt->bindParam(":lastName", $q->lastName);
$stmt->bindParam(":userName", $q->userName);
$stmt->bindParam(":password", $hashedPassword);
$execute = $stmt->execute();
if ($execute == true) {
$verifyUser = verifyUser($q->password, $q->userName);
if ($verifyUser == TRUE) {
echo 'valid Username and Password';
} else {
echo 'Invalid Username and password';
}
}
$db = null;
} catch (PDOException $e) {
echo $e->getMessage();
}
}
function verifyUser($passWordToVerify, $userNameToVerify) {
// $request = \Slim\Slim::getInstance()->request();
// $q = json_decode($request->getBody());
//Select a user data according to their username
$sql = "select firstName, lastName, userName, password from users where userName = :userName";
try {
$db = getConnection(); // the connection helper used by logIn() in the question
$stmt = $db->prepare($sql);
$stmt->bindParam(":userName", $userNameToVerify);
$execute = $stmt->execute();
$db = null;
} catch (PDOException $e) {
echo $e->getMessage();
}
if ($execute == true) {
/*
* if the query executes and returns the saved user details, compare
* the password from the db with the password that the user has entered
*/
$array = $stmt->fetch(PDO::FETCH_ASSOC);
if ($array === false) {
// no row for that username: nothing to compare against
return false;
}
$hashedPassword = $array['password'];
if (password_verify($passWordToVerify, $hashedPassword)) {
echo 'Password is valid!';
return true;
} else {
echo 'Invalid password.';
return false;
}
}
}
I'm going insane here: why does it jump to else and return false all the time?
I don't understand what I'm doing wrong.
try
{
$query = 'SELECT userID, firstname, surname, email FROM jinx_users WHERE email = :email AND password = :password';
$this->dbh->beginTransaction();
$stmt = $this->dbh->prepare($query);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
if($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
return true;
}else{
return false;
}
$stmt = null;
}
catch (Exception $e)
{
$stmt = null;
$this->dbh->rollback();
exit();
}
The if statement is not a valid statement. Apart from that, the try/catch should be used to check if the database can successfully be called or params can be set, etc. Inside a try/catch you want to avoid return true or false. So with that being said, I think what you want is the following:
try {
$query = 'SELECT userID, firstname, surname, email FROM jinx_users WHERE email = :email AND password = :password';
$this->dbh->beginTransaction();
$stmt = $this->dbh->prepare($query);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->execute();
} catch (Exception $e) {
var_dump($e->getMessage());
die();
}
if($stmt->fetch(PDO::FETCH_ASSOC)) {
return true;
} else {
return false;
}
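The question above about hash('sha256') versus password_hash(), the Slim addUser()/logIn() question, and this last one all come down to the same pattern: store a value from password_hash(), look the account up by its identifier alone (never with the password in the WHERE clause), and check the submitted password with password_verify(). The following is an added example that is not code from any of the posts on this page. It runs stand-alone against an in-memory SQLite database through PDO; the users table, its columns, the example accounts, and the treatment of legacy 64-character hex values as unsalted sha256 rows to be upgraded on the next successful login are assumptions made for the example.

```php
<?php
// Added example: registration and login with password_hash()/password_verify(),
// including an in-place upgrade of rows written by the older hash('sha256', ...) code.
// Assumptions: pdo_sqlite is available; the schema and sample accounts are constructed.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        email    TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    return $db;
}

// Registration: store only a salted, stretched hash, never hash('sha256', $password)
function register(PDO $db, string $email, string $password): int
{
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':password', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Rewrites a row's stored hash; used for legacy rows and for hashes below the current cost
function storeHash(PDO $db, int $id, string $password): void
{
    $stmt = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
    $stmt->bindValue(':password', password_hash($password, PASSWORD_DEFAULT), PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
}

// Login: the row is selected by e-mail only; the password is compared in PHP
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown e-mail: still run one verify so the response time does not
        // differ noticeably from the known-account path
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }

    $stored = $row['password'];
    $id     = (int) $row['id'];

    // Legacy row from the sha256 version of Reg(): 64 hex characters and no salt.
    // Accept it once on the correct password and replace it with a proper hash.
    if (preg_match('/^[0-9a-f]{64}$/', $stored)) {
        if (!hash_equals($stored, hash('sha256', $password))) {
            return false;
        }
        storeHash($db, $id, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when PHP's default algorithm or cost has moved on since the row was written
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        storeHash($db, $id, $password);
    }
    return true;
}

// Constructed sample run
$db = connect();
register($db, 'alice@example.test', 'correct horse battery staple');
var_dump(login($db, 'alice@example.test', 'correct horse battery staple'));
var_dump(login($db, 'alice@example.test', 'wrong password'));
var_dump(login($db, 'nobody@example.test', 'anything'));

// Simulate an account created by the unsalted sha256 code, then log in to upgrade it
$legacy = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
$legacy->execute([':email' => 'bob@example.test', ':password' => hash('sha256', 'hunter2')]);
var_dump(login($db, 'bob@example.test', 'hunter2'));
$now = $db->query("SELECT password FROM users WHERE email = 'bob@example.test'")->fetchColumn();
var_dump(password_get_info($now)['algoName']);
```

Keeping the password out of the SQL is what makes the last question's approach work at all: a query with AND password = :password can only ever match a plaintext column, whereas password_verify() extracts the salt and cost from the stored string and does a constant-time comparison itself. The try/catch is left to the connection and statement calls, and the boolean result is computed outside it, as the answer above recommends.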