Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I'm trying to implement a basic login functionality on my website. I'm using the following code to fetch data from database and see if the username and password is correct or not:
$STH = $conn->prepare("SELECT * FROM users WHERE uid = '$uid'");
$STH->bindParam(':uid', $uid);
$STH->bindParam(':pass', $pass);
$uid = $_POST['uid'];
$pass = $_POST['pass'];
if($STH->execute()) {
if($row = $STH->fetch()) {
if ($row['pass'] == $pass) {
echo "Logged in Successfully <br>";
} else {
echo "Username or Password Incorrect<br>";
}
} else {
echo "<script>alert('Incorrect Username');</script>";
}
}
}
However, I keep getting the error Incorrect Username even though it is in the database. This means that there is something wrong with how I'm fetching the data after executing the query but I can't understand what exactly.
I was using the prepared statements incorrectly. I wasn't really binding anything in the query. The correct implementation would have been:
$STH = $conn->prepare("SELECT * FROM users WHERE uid = :uid");
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 7 years ago.
Improve this question
I have login form and I post data in edit.php but I want SELECT if username = username login. if not echo error.
my code is here :
require_once "../../connect.php";
if($_POST){
$username = $_POST["username"];
$password = $_POST["password"];
$query = $db->query("SELECT * FROM usersWHERE username = $username password = $password");
if($query){
echo "successfull";
}else{
echo "no";
}
}
your missing the AND
$query = $db->query("SELECT * FROM users WHERE username = $username AND password = $password");
^^^
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 7 years ago.
Improve this question
The assignment is to create a login system secured for SQL injections and XSS.
It's in PHP and i'm using PDO with prepared statements obviously. Which from my point of view should protect againts the simplest injections at least. The ones I'm throwing at the system are ineffectual.
If you believe it's not secure againts SQL injection I would gladly take comments and an example of what should work against it.
With regards to XSS I haven't done anything to protect againts it yet. From the school I believe it was mostly about html or url-encode the inputs. But would that be enough? From google I also have some articles about sql escaping.
So again, comments or help on XSS protection could be nice, or is it only a matter of escaping the inputs before it reaches the sql query?
The code:
function Log_in($username, $password) {
$db = new PDO("host;dbname", "user", "password");
$login = $db -> prepare("SELECT * FROM Users WHERE Username =:username and Password =:password");
$login->bindValue(':username', $username, PDO::PARAM_STR);
$login->bindValue(':password', $password, PDO::PARAM_STR);
$login->execute();
global $count;
$count = $login->rowCount();
global $data;
$data=$login->fetchColumn(2);
return $count;
return $data;
}
$username = trim($_POST["username"]);
$password = trim($_POST["password"]);
if (isset($_POST['submit'])) {
getSalt($username);
foreach ($rowset as $row) {
$salt = $row[0];
}
$hashpassword = sha1($password.$salt);
Log_in($username, $hashpassword);
if($count==1){
session_start();
$_SESSION['email'] = $data;
header("location:index.php");
} else {
echo "Wrong";
}
}
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 8 years ago.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Improve this question
I have a problem with my code. I want to make a Seesion which display the current login user
Thank you !
$link = mysql_connect($DB_server, $DB_user, $DB_password,$DB_name);
mysql_select_db('linux', $link) or die(mysql_error());
$uid = 0;
if(isset($_GET["id"]))
{
$uid = $_GET["id"];
}
$profilname = mysql_query("SELECT U_Benutzername ,U_ID FROM u_user WHERE U_ID = '$uid'");
$emailadresse =mysql_query("SELECT U_login ,U_ID FROM u_user WHERE U_ID = '$uid'");
$_SESSION['profilname'] = $profilname;
$_SESSION['email'] =$emailadresse;
echo "Benutzername: $profilname";
echo "<br/>";
echo "Email: $profilname";
You have a typo...
$lid = $_GET["id"];
should probably be
$uid = $_GET["id"];
change your mysql query to:
if($uid!=0) {
$ref = mysql_query("SELECT * FROM u_user WHERE U_ID = '$uid'");
$row = mysql_fetch_array($ref);
$profilname = $row["U_Benutzername"];
$emailadresse= $row["U_login"];
$_SESSION['profilname'] = $profilname;
$_SESSION['email'] =$emailadresse;
}
to display it:
echo $_SESSION['profilname'];
BUT:
You wont get far with this, this is mysql_-code and its deprecated.
You have to use mysqli in newer PHP-Versions.
http://php.net/manual/de/book.mysqli.php
Change $lid = $_GET["id"]; to $uid = $_GET["id"];, and it also is a good idea to sanitize the data from $_GET,
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I made a webapp and I need to let the users change their password, so I made a column with temporary code. The thing is, my query does update my temporary code but won't update the password to the new password. Please some help, thanks in advance! ;)
<?php
if(isset($_POST['submit'])) {
$code = $_SESSION['code'];
$email = $_SESSION['emailneger'];
$password = $_POST['password2'];
$password1 = $_POST['password3'];
$reset = $_POST['reset'];
$tempcode = "";
if($reset == $reset) {
if($password == $password1) {
$query = "UPDATE consultant SET password = ?
AND tempcode = ?
WHERE email = ? ";
$qry=$db->prepare($query);
$qry->execute(array($password, $code, $email));
echo "<p>Uw wachtwoord is hersteld!</p>";
$query = 'UPDATE consultant SET tempcode = ? WHERE email = ?';
$qry=$db->prepare($query);
$qry->execute(array($tempcode, $email));
} else {
echo "<p>Wachtwoorden komen niet overeen.</p>";
}
} else {
echo "<p>Je link is ongeldig, probeer nogmaals alstublieft!</p>";
}
}
?>
Your update is incorrect. The syntax is
UPDATE yourtable SET field1=value1, field2=value, ...
^---
Note the , between the field/value pairs. You're using AND, which will be parsed/executed as
UPDATE consultant SET password = (? AND tempcode = ?) WHERE email = ?
UPDATE consultant SET password = ('foo' AND tempcode=123) WHERE email = 'foo#example.com')
UPDATE consultant SET password = ('foo' AND true/false) WHERE ...
UPDATE consultant SET password = true/false WHERE ...
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
So I have a php authentication script and everything works fine. But I'm very unsure about the way I programmed it (I hardcoded some stuff) and I was hoping stack could look through this and point out any potential problems.
Here is the script:
<?php
require_once 'Bcrypt.php';
class Mysql {
private $conn;
function __construct() {
$this->conn = new PDO('mysql:host=***;dbname=***;charset=UTF-8','***','***') or
die('There was a problem connecting to the database.');
}
function verify_Username_and_Pass($un, $pwd) {
ini_set('display_errors', 'On');
error_reporting(E_ALL | E_STRICT);
$query = "SELECT *
FROM Conference
WHERE Username = :un";
$stmt = $this->conn->prepare($query);
$stmt->bindParam(':un', $un);
//$stmt->bindParam(':pwd', $pwd);
$stmt->execute();
$row = $stmt->fetchAll();
$hash = $row[0]["Password"];
$is_correct = Bcrypt::check($pwd, $hash);
if ($is_correct) {
// User exist
$firstName = $row[0]["First Name"];
$_SESSION["FirstName"] = $firstName;
return true;
$stmt->close();
}
else {
// User doesn't exist
return false;
$stmt->close();
}
}
}
?>
So how does it look?
Without testing it out, i think your code should work, the usage of BCrypt looks reasonable. There are some points that could be improved of course, some are maybe a matter of opinion.
If your query doesn't return any row (because no such user name exists), you would access an invalid index $row[0]["Password"]. You should first ask, if there is a result, before using it.
Your call for closing the database is placed after the return statement, so it will never be executed. PHP will close the database automatically, so either close it before the return statement, or remove the line.
You named your function verify_username_and_password(), but actually it does also read from the database and writes to the session. These are hidden activities, another developer cannot know that the session changes unless he reads the whole code. One possibility to solve this problem would be, to split up the function.
untested example:
$userRow = getUserRowFromDatabase($userName);
if (!is_null($userRow))
{
if (verifyPassword($password, $userRow["Password"]))
{
addLoggedInUserToSession($userRow["First Name"])
}
}
Each of these three functions have only one problem to solve. This would make your code more readable, ideally it should be like reading a story in a book.
Hope i could give you some ideas.
You can actually use mysql to verify the hash for you
SELECT COUNT(*) FROM Conference
WHERE Username = :un
AND Password = ENCRYPT(:pass, Password)
LIMIT 1