i just want to know if this is possible. Establishing connection without using the doctrine setup.
private function userExist($username){
$con = Doctrine_Manager::getInstance()->getConnection('doctrine');
$sql = 'SELECT username FROM tbl_user WHERE username =\''.$username.'\'';
$stmt = $con->prepare($sql);
$stmt->execute();
//$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
$result = $stmt->fetchAll();
if(!empty($result)){
return true;
}else{
return false;
}
}
to
private function userExist($username){
$con = new PDO('pgsql:host=xx.xxx.xxx;dbname=support_tool','xx','xxx');
$sql = 'SELECT username FROM tbl_user WHERE username =\''.$username.'\'';
$stmt = $con->prepare($sql);
$stmt->execute();
//$result = $stmt->fetchAll(PDO::FETCH_ASSOC);
$result = $stmt->fetchAll();
if(!empty($result)){
return true;
}else{
return false;
}
}
i just want to test it if it is possible. if not please tell me why, thanks for the help.
Related
i am new to this so dont be rude :D
I have 3 file: database.php, init.php and user.php
Here the init.php:
<?php
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
session_start();
require 'database.php';
require 'functions/user.php';
$errors = array();
Here the database.php:
<?php
$db_host = "localhost";
$db_name = "xxxx";
$db_user = "xxxx";
$db_pw = "xxxx";
try {
$conn = new PDO("mysql:host=$db_host;dbname=$db_name;", $db_user, $db_pw);
} catch(PDOException $e) {
die("Verbindung fehlgeschlagen: " . $e->getMessage());
}
And here the user.php:
<?php
function userExists($user) {
$sql = "SELECT * FROM user WHERE email = :email";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':email', $user);
$stmt->execute();
$results = $stmt->fetch(PDO::FETCH_ASSOC);
if(count($results) > 0) return true;
return false;
}
So the error message:
Notice: Undefined variable: conn in /mnt/web109/b2/35/57848035/htdocs/includes/functions/user.php on line 4 Fatal error: Call to a member function prepare() on null in /mnt/web109/b2/35/57848035/htdocs/includes/functions/user.php on line 4
The function userExists() is called in another file named login.php. In login.php i have already required init.php. The error message appears when i want to login.
So i hope you can help me.
Thx
$conn is not available in your function since it is in a different scope. Pass it as a parameter or declare it as a global variable.
function userExists($user, $conn){
// ...
}
or
function userExists($user){
global $conn;
// ...
}
In your userExists function you are calling $conn variable which isn't global scope (Give a small look here)..
You can use one of these:
function userExists($user, $conn){
$sql = "SELECT * FROM user WHERE email = :email";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':email', $user);
$stmt->execute();
$results = $stmt->fetch(PDO::FETCH_ASSOC);
if(count($results) > 0) return true;
return false;
}
OR
function userExists($user){
global $conn; //<--- bad practi
$sql = "SELECT * FROM user WHERE email = :email";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':email', $user);
$stmt->execute();
$results = $stmt->fetch(PDO::FETCH_ASSOC);
if(count($results) > 0) return true;
return false;
}
OR
use of $GLOBALS variable
function userExists($user){
$sql = "SELECT * FROM user WHERE email = :email";
$stmt = $GLOBALS['conn']->prepare($sql);
$stmt->bindParam(':email', $user);
$stmt->execute();
$results = $stmt->fetch(PDO::FETCH_ASSOC);
if(count($results) > 0) return true;
return false;
}
I want to CRUD using PDO Connection
I know how to create insert update and delete using msql_query() but I have no idea how to do that with PDO Connection.
Below is the example of that
class connection{
public $cnn;
public function __construct(){
$host = 'localhost';
$db_name = "db_name";
$username = "db_username";
$password = "db_password";
try {
$this->cnn = new PDO("mysql:host={$host};dbname={$db_name}", $username, $password);
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
}
public function select($query){ //this function is created for get data
$result = $this->cnn->query($query);
return $result->fetchAll(PDO::FETCH_ASSOC);
}
public function insert($query){ //this function is created for insert data. it will be return last inserted id.
$this->cnn->exec($query);
return $this->cnn->lastInsertId();
}
public function update($query){ //this function is created for update data and it will be return effected rows (which are updated)
return $this->cnn->exec($query);
}
public function delete($query){ // this function is use to delete data.
return $this->cnn->exec($query);
}
}
$action = new connection;
$result = $action->select("select * from table_name");
print_r($result);
$result = $action->insert("insert into table_name set column_1 = 'first_value', column_2='second_value'");
$result = $action->update("update table_name set column_1 = 'first_value', column_2='second_value' where id=1");
$result = $action->delete("delete from table_name where id=1");
Maybe this is an easier way to do it. now the only thing you have to do is call the functions. Enjoy (:
<?php
$host = "localhost";
$user = "root";
$password = "";
$database = "database";
$pdo = new PDO("mysql:host=$host;dbname=$database", $user, $password);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
function updateuser($pdo, $username, $password, $id){
$sql = "UPDATE users SET username=?, password=? WHERE id=?";
$stmt= $pdo->prepare($sql);
$stmt->execute([$username, $password, $id]);
}
function deleteuser($pdo, $id){
$sql = 'DELETE FROM users WHERE id = ?';
$statement = $pdo->prepare($sql);
$statement->execute([$id]);
}
function createuser($pdo, $username, $password){
$sql = "INSERT INTO users (username, password) VALUES (?,?)";
$stmt= $pdo->prepare($sql);
$stmt->execute([$username, $password]);
}
function readuser($pdo, $id){
$sql = "SELECT id, username FROM users WHERE id=?";
$statement = $pdo->prepare($sql);
$statement->execute([$id]);
return $statement->fetchAll(PDO::FETCH_ASSOC);
}
i got the following code:
public function getUserByNameAndPassword($name, $password) {
$stmt = $this->conn->prepare("SELECT salt FROM `users` WHERE name = ?");
$stmt->bind_param("s", $name);
if ($stmt->execute()) {
$stmt->store_result();
$salt = $stmt->get_result();
}
$encryptedpassword = $this->checkhashSSHA($salt,$password);
$stmt = $this->conn->prepare("SELECT * FROM `users` WHERE name = ? AND encrypted_password = ?");
$stmt->bind_param("ss", $name, $encryptedpassword);
if ($stmt->execute()) {
$user = $stmt->get_result()->fetch_assoc();
$stmt->close();
return $user;
}
else {
return false;
}
}
And the following constructor:
// constructor
function __construct() {
require_once 'DB_Connect.php';
// connecting to database
$db = new Db_Connect();
$this->conn = $db->connect();
}
I'm trying to get user from datebase but it is not working at all, i already tried many things, checked my syntax multiple times but i can't find my mistake. Anybody has an idea?
Edit: Changed code and added log but the log doesent report anything.
How To Fix SQL Injection in this code?
Thanks
function safeQuery($query) {
$db = new SQLite3(dirname(__FILE__) . "/private/database.db") or die ("Unable to open database");
SQLite3::escapeString($query);
$result = $db->query($query);
$row = $result->fetchArray();
$db->close();
return $row;
}
function areUserAndPasswordValid($user, $password) {
$query = "SELECT count(*) FROM userTable WHERE username = '$user' AND password = '$password'";
$row = safeQuery($query);
$count = $row[0];
return $count > 0;
}
function getFileList($user) {
$query = "SELECT fileId, filename, createdBy, owner FROM filesTable WHERE owner = '$user'";
$db = new SQLite3(dirname(__FILE__) . "/private/database.db") or die ("Unable to open database");
$result = $db->query($query) or die ("Unable to execute query");
$rows = array();
while($row=$result->fetchArray()){
$rows[] = $row;
}
$db->close();
return $rows;
}
You should always use prepared statements rather than directly passing user input into your query.
Replace SELECT count(*) FROM userTable WHERE username = '$user' AND password = '$password' with something like this:
$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);
(That code snippet taken from http://php.net/manual/en/pdo.prepared-statements.php)
Prepared statements will prevent users from injecting SQL.
See How can I prevent SQL injection in PHP? for a bunch of other useful answers.
That one always returns a false bool:
<?php
function check($username, $db_conx) {
$sql = 'SELECT User_ID FROM tbl_user WHERE Username=?';
$stmt = $db_conx->prepare($sql);
$stmt->bind_param('s', $username);
$stmt->execute();
$ret= $stmt->get_result();
$stmt->close();
$db_conx->close();
$ret = $ret->fetch_row();
return $ret;
}
$usr = "root";
$res = check($u,$db_conx);
echo var_dump($res);
echo $a[0];
?>
I don't get it, they are pretty equal - so what's the error?
That one returns what I expected:
<?php
$usr = 'root';
$sql = "SELECT User_ID FROM tbl_user WHERE Username=?";
$stmt = $db_conx->prepare($sql);
$stmt->bind_param('s', $usr);
$stmt->execute();
$ret = $stmt->get_result();
$stmt->close();
$db_conx->close();
$ret = $ret->fetch_row();
echo var_dump($ret);
echo $ret[0];
?>
I want to recycle it over and over again with the function, but it doesn't seem to work. Is it even possible to set & execute the parameters in a function or have I just made a stupid mistake?