Hello i have a problem with following code on my website:
<?php
session_start();
include '../databaseConnector.php';
$uid = mysqli_real_escape_string($connector, $_POST['uid']);
$pwd = mysqli_real_escape_string($connector, $_POST['pwd']);
$stmt = $connector->prepare("SELECT * FROM nutzer WHERE uid=?");
$stmt->bind_param("s", $username);
$username = $uid;
$stmt->execute();
$result = $stmt->get_result();
$row = mysqli_fetch_assoc($result);
$hash_pw = $row['pwd'];
$dehash = password_verify($pwd, $hash_pw);
if($dehash == 0)
{
header("Location: ../loginscreen.php?error=pwwrong");
exit();
}else{
$stmt2 = $connector->prepare("SELECT * FROM nutzer WHERE uid=? AND pwd=?");
$stmt2->bind_param("ss", $username2, $password2);
$username2 = $uid;
$password2 = $hash_pw;
$stmt2->execute();
$result = $stmt2->get_result();
$stmt->close();
if(!$row =$result->fetch_assoc())
{
echo "Your username or password is incorrect!";
} else{
$_SESSION['id'] = $row['id'];
$_SESSION['uid'] = $row['uid'];
$_SESSION['email'] = $row['email'];
$_SESSION['first'] = $row['first'];
$_SESSION['last'] = $row['last'];
}
header("Location: ../loginscreen.php"); // go to page after signing in
}
The prepared statements work perfectly on XAMPP on my localhost but when i upload them on my webserver there is nothing happening after logging in. It is just a blank screen. My webserver is running on PHP 5.6 if that is important.
Just for anybody who will see this in the future. I saw that my hoster doesn´t support MYSQLnd which is required for the get_result() function. I just wrote it different with fetch() and bind_result(). There are many solution examples in the web.
Related
This question already has answers here:
Checking if mysqli_query returned any values?
(2 answers)
Closed 2 years ago.
Warning: count(): Parameter must be an array or an object that
implements Countable in C:\xampp\htdocs\try\process.php on line 30.
That's what my code says. it seems so fine but when I press edit, this error shows. I don't understand. can someone point me out what happened in line 30?
here is my process.php
<?php
require("1password.php");
$id = 0;
$update = false;
$username='';
$password='';
if (!session_id()) { session_start(); }
$mysqli = new mysqli("localhost","root","","id7508046_isalon") or die(mysqli_error($mysqli));
if(isset($_POST['save'])){
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("INSERT INTO isalonusers (username, password) values ('$username', '$passwordHash')") or die($mysqli->error);
$_SESSION['message'] = "New account saved!";
$_SESSION['msg_type'] = "success";
header("location: userlist.php");
}
if(isset($_GET['delete'])){
$id = $_GET['delete'];
$mysqli->query("DELETE FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account Deleted!";
$_SESSION['msg_type'] = "danger";
header("location: userlist.php");
}
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
if(count($result)==1){
$row = $result->fetch_array();
$username = $row['username'];
$password = $row['password'];
}
}
if(isset($_POST['update'])){
$id = $_POST['id'];
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("UPDATE isalonusers SET username ='$username', password='$passwordHash' WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account has been updated!";
$_SESSION['msg_type'] = "warning";
header("location: userlist.php");
}
?>
As a matter of fact, you never need to count anything. This step is just redundant.
If you give it a bit of a thought, you can simply fetch your data first and then use it in the condition. What is much more important, you must use a parameterized query. So the code should be
$stmt = $mysqli->prepare("SELECT * FROM isalonusers WHERE user_id=?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// here goes your problem with "count"
$row = $result->fetch_array(MYSQLI_ASSOC)
if($row) {
$username = $row['username'];
$password = $row['password'];
}
Neither should you use that terrible practice with or die
How about this way with $result->num_rows?
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error);
if(isset($result->num_rows) && $result->num_rows > 0){
$row = $result->fetch_array(MYSQLI_ASSOC);
$username = $row['username'];
$password = $row['password'];
}
}
See ref.: http://php.net/manual/en/mysqli.query.php
I'm trying to do an execution of a query and see if it goes well, but right now it doesn't enter the IF or ELSE.
I had it on mysqli procedural and all worked flawlessy now I'm trying to change it to object oriented and it won't enter inside if/else.
if(isset($_POST['submit']))
{
$email = $_POST["email"];
$password = md5($_POST["password"]);
$query = "SELECT * FROM Users WHERE Email=? AND Password=?";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $email,$password);
$stmt->execute();
$result = $stmt->get_result();
if ($result->num_rows == 1)
{
?>
<script type="text/javascript">
alert("INSIDE");
</script>
<?php
$row = $result->fetch_assoc();
if(isset($_POST['remember']))
{
$_SESSION["remember"] = "1";
}
$_SESSION["username"] = $row['Username'];
$_SESSION['check'] = "1";
$_SESSION['ID'] = $id;
$_SESSION['permission'] = $row['Admin'];
header("Location: dashboard.php");
exit;
}
else
{
?>
<script type="text/javascript">
alert("Credentials Are Wrong!");
</script>
<?php
exit;
}
$stmt->close();
}
Thank you all.
You should be using
$stmt->bind_result($col1, $col2 ...);
and
$result = $stmt->fetch();
in order to access the data from the query, rather than
$conn->query($stmt);
(an example is provided at https://secure.php.net/manual/en/mysqli-stmt.fetch.php). Note that for this to work you will need to specify the column names you want to fetch from the database, rather than using * in your SQL query, and for each column data is fetched from in the query, you should have a variable for in the fetch() parameters, so for example, something as follows should work (note these may not match the names of your database columns):
$email = $_POST["email"];
$password = md5($_POST["password"]);
$stmt = $conn->prepare("SELECT ID, Name FROM Users WHERE Email=? AND Password=?");
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$stmt->bind_result($id, $name);
$stmt->fetch();
$stmt->close();
echo $id . ': ' . $name;
Updated Answer
You are very close. Use $result = $stmt->get_result(); instead of $result = $stmt->query; to check to see if the query returned a result or not.
$email = $_POST["email"];
$password = md5($_POST["password"]);
$query = "SELECT * FROM Users WHERE Email = ? AND Password = ?";
$stmt = $conn->prepare($query);
$stmt->bind_param('ss', $email, $password);
$stmt->execute();
$result = $stmt->get_result();
if($result->num_rows !== 0){
if(isset($_POST['remember'])){
$_SESSION["remember"] = "1";
}
$_SESSION['check'] = "1";
$_SESSION['ID'] = $row['ID'];
header("Location: dashboard.php");
exit();
}else{
echo
'<script type="text/javascript">
alert("Credentials Are Wrong!");
</script>';
exit();
}
$stmt->close();
As several have already stated in their comments do not use MD5 for password hashes. PHP has it's own built in functions for handling passwords. Please research Password_has() and Password_verify(). Spend the time to research and implement these now instead of later. It will save you time.
I can't get this to work. I am new to working with prepared statements so i i'm kinda 50/50 on what i'm doing.
Upon registration, the password is hashed with password_hash($pass,PASSWORD_DEFAULT)
Now, i'm trying to get my login page to function with this but i dont know where / how to write it with the password_verify()
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE BINARY username=? AND password=?";
$stmt = $db->prepare($sql);
$stmt->bind_param("ss",$username,$password);
$stmt->execute();
$result = $stmt->get_result();
$num_rows = $result->num_rows;
if($num_rows == 1){
$rows = $result->fetch_assoc();
if(password_verify($password, $rows['password'])){
$_SESSION['loggedin'] = $username;
$_SESSION['country'] = $rows['country'];
$_SESSION['email'] = $rows['email'];
$_SESSION['avatar'] = $rows['u_avatar'];
$_SESSION['is_gm'] = $rows['is_gm'];
$_SESSION['user_lvl'] = $rows['user_lvl'];
$_SESSION['totalposts'] = $rows['post_total'];
$_SESSION['totalcoins'] = $rows['coins_total'];
$_SESSION['totalvotes'] = $rows['vote_total'];
$_SESSION['secquest'] = $rows['sec_quest'];
$_SESSION['secanswer'] = $rows['sec_answer'];
$_SESSION['join_date'] = $rows['join_date'];
header("Location: /index.php");
exit();
}
} else {
echo "<p class='error_msg'>No accounts could be found with the given credentials.</p>";
}
$stmt->free_result();
$stmt->close();
$db->close();
I would assume that the password verify would before if($num_rows == 1) but as i said, i have no idea.
Your query is essentially:
SELECT * FROM users WHERE username=username AND password_hash=plain_text_password
This isn't going to work. If you're relying on PHP password hashing, you can't do a password comparison on the SQL level. Retrieve the password hash from the database then do the password_verify (exclude the password=?) in your WHERE arguments.
here's my code I use on my local "development" server, but unfortunately my remote server doesn't support mysqli native driver - how is it possible to replace mysqli_stmt_get_result();?
CODE:
$query = "SELECT * FROM class WHERE email = ? AND password = ?";
$stmt = mysqli_prepare($connect,$query);
mysqli_stmt_bind_param($stmt,'ss',$nickname,$password);
mysqli_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);
include("year_tester.php");
if(mysqli_num_rows($result) != ""){
$_SESSION['loggedIn'] = true;
$_SESSION['loginName'] = $nickname;
$_SESSION['classIdentify'] = $rocnik.".".$className;
header('Location: index.php');
}
...is it acceptable to rewrite it in PDO? :p
$pdoh=new PDO("mysql:host=127.0.0.1;dbname=testdb;charset=utf8",
$mysqldb_username,$mysqldb_password,
array(PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION));
$query = "SELECT * FROM class WHERE email = ? AND password = ?";
//$stmt = mysqli_prepare($connect,$query);
$pdosh=$pdoh->prepare($query);
//mysqli_stmt_bind_param($stmt,'ss',$nickname,$password);
//i feel sorry for the guy writing the garabage collector :(
$pdosh->bindParam(1,$nickname, PDO::PARAM_STR);
$pdosh->bindParam(2,$password, PDO::PARAM_STR);
//mysqli_execute($stmt);
$pdosh->execute(); //using ERRMODE_EXCEPTION right?
//$result = mysqli_stmt_get_result($stmt);
//$row = mysqli_fetch_assoc($result);
$row=$pdosh->fetch();
require("year_tester.php");
if($pdosh->rowCount()>0/*mysqli_num_rows($result) != ""*/){
$_SESSION['loggedIn'] = true;
$_SESSION['loginName'] = $nickname;
$_SESSION['classIdentify'] = $rocnik.".".$className;
header('Location: index.php');
}
i have a php login script which is accessed with a simple form:
<?php
session_start();
try{
$user = 'root';
$pass = null;
$pdo = new PDO('mysql:host=localhost; dbname=divebay;', $user, $pass);
if(isset($_SESSION['loggedin'])){
echo "1"; //already logged in
}
else{
$username = $_POST['username'];
$password = sha1($_POST['password']);
$ucheck = $pdo->prepare('SELECT * FROM user WHERE username = ?');
$ucheck->bindValue(1, $username);
$ucheck->execute();
if($ucheck->fetch(PDO::FETCH_OBJ)){
$stmt = $pdo->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
if($stmt->fetch(PDO::FETCH_OBJ)){
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$_SESSION['username'] = $row['username'];
$_SESSION['loggedin'] = 'YES';
$_SESSION['location'] = $row['location'];
echo "2"; //logged in
}
else{
echo "3"; //password incorrect
}
}
else{
echo "4"; //user does not exist
}
}
}catch(PDOException $e){
echo $e->getMessage();
}
?>
but when i attempt to run it using an account that i just created and have confirmed to exist within the database, i get no response from this script. i would expect it to echo 2 given that the login information is correct, but i get nothing
can anyone suggest what ive done wrong here?
It looks like you forgot to execute() the statement:
if($ucheck->fetch(PDO::FETCH_OBJ)){
$stmt = $pdo->prepare('SELECT * FROM user WHERE username = ? AND password = ?');
$stmt->bindValue(1, $username);
$stmt->bindValue(2, $password);
// Execute it!!!
if ($stmt->execute()) {
$row = $stmt->fetch(PDO::FETCH_OBJ);
if ($row) {
// And don't call fetch() again, since you would already have advanced
// the record pointer in the first fetch() above. If one record was returned,
// this one would always be FALSE.
//$row = $stmt->fetch(PDO::FETCH_ASSOC);
$_SESSION['username'] = $row['username'];
$_SESSION['loggedin'] = 'YES';
$_SESSION['location'] = $row['location'];
echo "2"; //logged in
}
// else execute failed...
}
are you sure session.use_cookies = 1 in php.ini?
please make sure have name is PHPSESSION cookie.