We Keep Coding

Php MySql Select count with prepared statment return always 1

I'm using this method to get make a login Web Service:
function redeem() {
if (isset($_POST["user"]) && isset($_POST["pass"]) && isset($_POST["computer"])) {
$user = $_POST['user'];
$pass = $_POST['pass'];
$computer = $_POST['computer'];
$galNumb = "SELECT COUNT(*) FROM Useres WHERE username = ? AND password = ?";
$stmt = $this->db->prepare($galNumb);
$stmt->bind_param('ss', $user, $pass);
$gNumb = $stmt->execute();
$result = array(
"success" => "true",
);
$this->sendResponse(200, $gNumb);
return true;
}
$this->sendResponse(400, 'Invalid request');
return false;
}
The problem is that $gNumb always return 1 even when the sql table not contain the username and the password. Any idea what can be the problem?

You forgot to fetch results:
...
$stmt->bind_param('ss', $user, $pass);
if ($stmt->execute()) {
$stmt->bind_result($gNumb);
$stmt->fetch();
} else {
$gNumb = 0;
}
...

REST Api can't read my request

I'm using slim for my framework and whenever I test it on Postman the the php cant read the parameters but when i convert it to md5 the php now can read the request. What could be my problem. The server is sending me null. Here is my code
DBOperations.php
//Method for user login
function userLogin($userName, $userPassword)
{
$password = md5($userPassword);
$stmt = $this->con->prepare("SELECT userID FROM users WHERE userName = ? AND userPassword = ?");
$stmt->bind_param("ss", $userName, $password);
$stmt->execute();
$stmt->store_result();
return $stmt->num_rows > 0;
}
index.php
//user login route
$app->post('/login', function (Request $request, Response $response) {
if (isTheseParametersAvailable(array('userName', 'userPassword'))) {
$requestData = $request->getParsedBody();
$userName = $requestData['userName'];
$userPassword = $requestData['userPassword'];
$password = md5($userPassword);
$db = new DbOperation();
$responseData = array();
if ($db->userLogin($userName, $userPassword)) {
$responseData['error'] = false;
$responseData['username'] = $db->getByUserName($userName);
} else {
$responseData['error'] = true;
$responseData['message'] = $password;
}
$response->getBody()->write(json_encode($responseData));
}
});
When the password is md5
{"error":true,"message":"d41d8cd98f00b204e9800998ecf8427e"}
When the password is not
{"error":true,"message":null}

You should do something like this
function userLogin($userName, $userPassword)
{
$stmt = $this->con->prepare("SELECT userID, password FROM users WHERE userName = ?");
$stmt->bind_param("s", $userName);
$stmt->execute();
$stmt->store_result();
$stmt->bind_result( $userID , $password);
$result = $stmt->fetch();
if( password_verify($userPassword, $password)){
return true;
}
return false;
}
I don't use Mysqli, so I hope I got that part right.
The important thing is that you should not use the password as part of the WHERE clause. There are several reasons for this
your relying on getting a result instead of checking the result against input data. If there is a problem with your query it could allow logins when it shouldn't
your not checking the password using a secure method designed for doing it.
Etc.
You should use
password_hash
And
password_verify

Can't verify hashed password

I have this php login function that doesn't seem to work with a hashed password in my database.
Where var_dump is, it return both values of the hashed password and the member id.
If I move the var_dump after the second if, it will not return anything. Any suggestions?
public function logIn($id, $password)
{
$stmt = $this->link->prepare("SELECT member_id, member_first_name, member_password FROM members WHERE member_id = ? ");
$stmt->bind_param('i', $id);
if ($stmt->execute())
{
$result = $stmt->get_result();
while($row = $result->fetch_array(MYSQLI_ASSOC))
{
$dbMember_id = $row['member_id'];
$dbMember_first_name = $row['member_first_name'];
$dbpassword = $row['member_password'];
}
if($id == $dbMember_id)
{
var_dump($dbpassword);
var_dump($dbMember_id);
if(password_verify($password,$dbpassword))
{
session_start();
$_SESSION['session_member_first_name'] = $dbMember_first_name;
$_SESSION['session_member_id'] = $dbMember_id;
$_SESSION['last_acted_on'] = time();
}
}
}
}
Thanks

Prepared statement for login function PHP

I am trying to write a parametrised login function in PHP.
The function should get the $id and $pass bind and execute statement and return an associative array from the database with $id, $password, $user_first_name.
Checking for user id and password validation, if true the session should start and set the session with the username from the database.
For some reason I can't get this working. Any suggestions?
Thanks!
public function logIn($id, $password)
{
$stmt = $this->link->prepare("SELECT user_id, user_name, user_password FROM Users WHERE user_id = ? ");
$stms->bind_param('i', $user_id);
if ($stmt->execute())
{
$result = $stmt->get_result();
while($row = $result->fetch_array(MYSQLI_ASSOC))
{
$dbuser_id = $row['user_id'];
$dbpassword = $row['user_password'];
$dbuser_first_name = $row['user_first_name'];
}
if($id == $dbuser_id and $password == $dbpassword)
{
session_start();
$_SESSION['session_user_first_name'] = $dbuser_first_name;
}
else
{
session_unset();
echo "Credentials do not match";
}
}
}

You have
$stms->bind_param('i', $user_id);
But your function signature is:
public function logIn($id, $password)
So you probably want:
$stms->bind_param('i', $id);

Have a look at $stms->bind_param('i', $user_id);:
stms should be stmt
$user_id should be $id
...

PDO: How to make checks

I create this class but i'm newbie in PHP OOP & PDO and i don't know how and where i must to make check to username is valid , email is valid and e.t.c..
This is my code
Class Users {
private $db;
public function __construct(Database $datebase) {
if (!$database instanceOf Database) {
throw new Exeption();
}
$this->db = $datebase;
}
public function userRegistration($username, $password, $email) {
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$regdate = date('d.m.Y');
$query = $this->db->prepare("INSERT INTO `users` (`username`, `password`, `email`, `regdate`) VALUES (?, ?, ?, ?) ");
$query->bindValue(1, $username);
$query->bindValue(2, $password);
$query->bindValue(3, $email);
$query->bindValue(4, $regdate);
return ($query->execute()) ? true : false ;
}
}

If you want to check something, use Respect/Validation. For example:
$usernameValidator = v::alnum()->noWhitespace()->length(1,15);
$usernameValidator->validate($_POST['username']); //true or false
$passwordValidator = v::alnum()->length(10, null);
$passwordValidator->validate($_POST['password']); //true or false
v::email()->validate($_POST['email']); //true or false

To check if the username or email exist in your database you can use SQL to search the email or username.
$query = $this->db->prepare("SELECT * FROM users WHERE email = ? ");
$query->bindValue(1, $email);
If the query returns a value than the email or username already exist in your database. From there you can show your own validation.

To check check if user or email exist you don't need another class, just add another method called userExist or emailExist and run a query and then check if you get a result.
public function emailExist($email){
$query = $this->db->prepare("SELECT * FROM users WHERE email = ? ");
$query->bindValue(1, $email);
try{
$query->execute();
//use the if statement and $query->rowCount() to check if there is a result
$rows = $query->rowCount();
if($rows === 1){
return true;
} else {
return false;
}
}catch (PDOException $e) {
die($e->getMessage());
}
}