I am having trouble checking if a row exists to log someone in.
The password is salted in the db using the password+ the email
I am using PDO.
function is_valid_developer($username, $password)
{
global $db;
$query = 'SELECT COUNT(*) FROM users WHERE username = :username AND password = sha(CONCAT(:password,(SELECT email FROM users WHERE username = :password))) AND developer = true';
$statement = $db->prepare($query);
$statement->bindValue(':username', $username);
$statement->bindValue(':password', $password);
$statement->execute();
$count = $statement->fetchColumn();
if ($count === 1)
{
return TRUE;
}
else
{
return FALSE;
}
}
Your subquery appears to be incorrect (see the WHERE username = :password clause), and will likely never return any results. Further, using the same bound parameter twice is not supported in PDO (you use :password twice). Besides that, you don't actually need a subquery at all; try this query:
SELECT COUNT(*) FROM users
WHERE username = :username
AND password = sha(CONCAT(:password, email))
AND developer;
Further, make sure you call $statement->closeCursor() after your call to $statement->fetchColumn(); leaving PDO statement cursors open after you are done with them may cause the database to fail on all future queries.
Related
$query = $pdo -> prepare("SELECT * FROM Users WHERE Username =:Username");
$query->bindParam(':Username', $name);
$query->execute();
$nameRes = $query->fetch(PDO::FETCH_ASSOC);
if ($nameRes['Username']==$_POST['username']) {
die ("Username is already in use!");
}
$query = $pdo -> prepare("SELECT * FROM Users WHERE Email =:Email");
$query->bindParam(':Email', $email);
$query ->execute();
$emailRes = $query->fetch(PDO::FETCH_ASSOC);
if ($emailRes['Email']==$_POST['email']) {
die ("Email is already in use!");
}
I have this code on the registration page of my app and when Username is free to use but email is not and vice versa I get this
Notice: Trying to access array offset on value of type bool
Ok the result is returning false but what to do in this situation? Note: This is on php v7.4 this same thing was working on v7.3
You are getting this error probably because there were no records found in the database matching your criteria.
The easiest way to solve this error is to check if the database returned anything first.
$emailRes = $query->fetch(PDO::FETCH_ASSOC);
// VVV - Here I am checking if there was anything returned and then I check the condition
if($emailRes && $emailRes['Email']==$_POST['email']) {
// ...
}
If you don't care whether the database returned anything, then you can simply provide a default value. For example:
$emailRes = $query->fetch(PDO::FETCH_ASSOC);
$email = $emailRes['Email'] ?? ''; // default: empty string
The correct way to check for existance in DB using PDO is:
$query = $pdo->prepare("SELECT COUNT(*) FROM Users WHERE Username =:Username");
$query->execute([':Username' => $name]);
if ($query->fetchColumn()) {
throw new \Exception("Username is already in use!");
}
$query = $pdo->prepare("SELECT COUNT(*) FROM Users WHERE Email =:Email");
$query->execute([':Email' => $email]);
if ($query->fetchColumn()) {
throw new \Exception("Email is already in use!");
}
Instead of fetching the row and doing the comparison again in PHP I am fetching a count of matching rows from the database and I use that count as a boolean in the if statement. fetchColumn() will fetch a single column from the first row and if I use COUNT(*) I know there will always be one row.
You can also do it in one query:
$query = $pdo->prepare("SELECT COUNT(*) FROM Users WHERE Username =:Username OR Email =:Email");
$query->execute([':Username' => $name, ':Email' => $email]);
if ($query->fetchColumn()) {
throw new \Exception("Username or email is already in use!");
}
Im creating a webpage for a game server that only had a registration page. All the users has registred and for some dum reason, it saved the password as username:password, so if the username is Meko and password is 1234, the actually password is "Meko:1234" Im now trying to make a login but im not sure how I should check that password. I have this sql query and tried to add $user_username: in front, but it didnt seem to work:
$query = "SELECT * FROM account
WHERE username = '$user_username'
AND sha_pass_hash = '$user_password'";
It needs to be $user_username:$user_password
I hope you can help me :)
If what you have stored in the database is an SHA1 checksum, then that's what you will need to compare.
The details are pretty sketchy.
Assuming that the row was saved into the database as
INSERT INTO `account` (`username`, `sha_pass_hash`, ...
VALUES ('Meko', SHA1('Meko:1234'), ...
Then to check for the existence of that row, given:
$user_username = 'Meko' ;
$user_password = '1234' ;
if those are the values you want to pass into the database query, then
$sql = 'SELECT ...
FROM account a
WHERE a.username = ?
AND a.sha_pass_hash = SHA1( CONCAT( ? ,':', ? )';
$sth = $dbh->prepare($sql);
$sth->bindValue(1,$user_username, PDO::PARAM_STR);
$sth->bindValue(2,$user_username, PDO::PARAM_STR);
$sth->bindValue(3,$user_password, PDO::PARAM_STR);
$sth->execute();
if( $row = $sth->fetch(PDO::FETCH_ASSOC) ) {
// matching row found
} else {
// no matching row found
}
$sth->closeCursor();
If you didn't use the MySQL SHA1 function and used some other function to calculcate the hash, then use that same function when you do the check.
That is, if the row was inserted by a statement of a form more like
INSERT INTO account (username, sha_pass_hash, ... )
VALUES ('Meko','7c4d046a92c441c426ce86f15fa9ecd1fc1fd5f1', ... )
Then to check for the existence of that row, given:
$user_username = 'Meko' ;
$user_password = '1234' ;
Then your query to check for the existence of the row would be something like this:
$sql = 'SELECT ...
FROM account a
WHERE a.username = ?
AND a.sha_pass_hash = ?';
calculate the password hash, the same way as when it was originally done
$user_sha_hash = sha1( $user_username . ':' . $user_password) ;
And prepare and execute the query, passing in the SHA checksum string
$sth = $dbh->prepare($sql);
$sth->bindValue(1, $user_username, PDO::PARAM_STR);
$sth->bindValue(2, $user_sha_hash, PDO::PARAM_STR);
$sth->execute();
if( $row = $sth->fetch(PDO::FETCH_ASSOC) ) {
//
} else {
//
)
$sth->closeCursor();
I think you on php ?
$username = 'Meko';
$user_password = '1234';
$altered_pass = $user_username.':'.$user_password;
if($stmt = mysqli_prepare($con,"select * from account where username = ? and sha_pass_hash = ?") ){
mysqli_stmt_bind_param($stmt,'ss',$user_username,sha1($altered_pass));
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);
if(mysqli_stmt_num_rows($stmt)){
//"yup";
}
else{
//"nope";
}
mysqli_stmt_close($stmt);
}
mysqli_close($con);
You do not specify explicitly but assuming that your sha_pass_hash contains a hashed value of the following format: hash(username:password) then hash '$user_username' + ":" + '$user_password' first and then compare it to your password.
$search = $username.":".$password;
$query = "SELECT * FROM account WHERE password = ".$search;
IMPORTANT:
I very much hope you are preparing your statements and binding your parameters to prevent SQL injection attacks. If you are not, let me know and I can help you out in more detail so that your database is secure.
Also, I recommend that you create another table and fill it in with the values inside this account table. The previous answer is a quick fix so that your users can login meanwhile, but by no means should the previous table stay as it is.
Let me know if you need any more help :)
I'm making a login/register system, and I simply cannot figure out why the username entered won't check if there is an existing one in the database.
The email code checks perfectly if there is an existing email but the username goes through even if there is an existing one!
Here is the username code:
$query = $db->prepare("SELECT * FROM `users` WHERE `username`=:username");
$query->bindParam(1, $username, PDO::PARAM_STR);
$count = $query->execute(array(":username" => strip_tags(addslashes($_POST['username']))));
if ($query->rowCount() == 1)
{
$errors[] = "Time to be original! That user already exists!";
}
Here is the WORKING email code:
$query = $db->prepare("SELECT * FROM `users` WHERE `email`=:email");
$count = $query->execute(array(":email" => strip_tags(addslashes($_POST['email']))));
if ($query->rowCount() == 1)
{
$errors[] = "Please pick a new email! That email is taken!";
}
You don't need to call $query->bindParam at all.
I don't think, that it's necessary to call strip_tags and addslashes. PDO will quote all the necessary symbols itself.
Try this:
$query = $db->prepare("SELECT * FROM `users` WHERE `username`=:username");
$count = $query->execute(array(":username" => $_POST['username']));
You are calling bindParam() with an positional index (for an anonymous placeholder), then passing the parameter array to execute(). Choose one approach or the other (and, if using named placeholders, don't use positional indexes).
Hi guys I have a program built using mysql_* and I am trying to convert it to PDO for security and depreciative reasons
So I have a load of mysql_* functions setup like
return select_from_where('users', '*', "username = '$username' AND password = '$pass'", "LIMIT 1");
Which I have converted to PDO
return $conn -> query("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
However the program does not feed the right result, I'm not sure if it is even returning data
My question is, do I have to set the PDO response to a variable that I can then use, or is it possible to have it return values which I can use in my program using a similar method to above?
I have included global $conn for each function query so I'm sure it is connecting like it should, its just not feeding the result as intended..
Does anyone have a quick fix for this issue as my program is almost done and is pending release :D
Thanks in advance
Luke
** EDIT LINE *
$sql = ("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
$stm = $conn->prepare($sql);
$stm->execute(array($username,$pass)); $user = $stm->fetch(); echo $user['username'];
First, Personally I see no point in having a function like select_from_where
You actually save yourself nothing - you just moved words "SELECT, FROM and WHERE" from query to function name, yet made this function extremely limited - say, no joins or stuff.
Second, PDO::query() function shouldn't be used anyway - it doesn't support prepared statements.
So, the code have to be
global $conn;
$sql = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1";
$stm = $conn->prepare($sql);
$stm->execute(array($username,$pass));
return $stm->fetch();
You have to also configure your PHP and PDO in order to be able to see every error occurred.
Change this
return $conn -> query("SELECT * FROM users WHERE username = '$username' AND password = '$pass' LIMIT 1");
to:
$username = 'user';
$password ='password';
$stmt =$conn->prepare("SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1");
$stmt->execute(array($username, $password));
echo $stmt->rowCount();
So I have a login system and I want to retrieve the first name of the person who is logged in. Here's my php:
function verify_Username_and_Pass($un, $pwd) {
$query = "SELECT `First Name`, Username, Password
FROM table
WHERE Username = :un AND Password = :pwd
LIMIT 1";
$stmt = $this->conn->prepare($query);
$stmt->bindParam(':un', $un);
$stmt->bindParam(':pwd', $pwd);
$stmt->execute();
if ($stmt->rowCount() > 0) {
// User exist
return true;
$stmt->close();
}
else {
// User doesn't exist
return false;
$stmt->close();
}
}
this is part of a class who has 1 private variable $conn. The login works perfectly but i just want to get the person's first name. How do I do that?
First off, NEVER grab the password from the database, that is just extremely bad practice.
Second, you only want to accept the user as correct if ONLY one row is returned.
lastly bindColumn is what you're looking for.
<?php
function verify_Username_and_Pass($un, $pwd) {
$query = "SELECT `First Name`, Username
FROM table
WHERE Username = :un AND Password = :pwd";
// Don't limit the query to only one, if there is a chance that you can
// return multiple rows, either your code is incorrect, bad data in the database, etc...
$stmt = $this->conn->prepare($query);
$stmt->bindParam(':un', $un);
$stmt->bindParam(':pwd', $pwd);
$stmt->execute();
// Only assume proper information if you ONLY return 1 row.
// Something is wrong if you return more than one row...
if ($stmt->rowCount() == 1) {
// User exist
$stmt->bindColumn('First Name', $firstName);
$stmt->bindColumn('Username', $username);
// You can now refer to the firstName and username variables.
return true;
$stmt->close();
} else {
// User doesn't exist
return false;
$stmt->close();
}
}
?>
That should work for you.
just change the query statement?
$query = "SELECT `First Name`
FROM table
WHERE Username = :un AND Password = :pwd
LIMIT 1";
if that throws errors, you would have to show more of what the class is doing to manage the db transaction
just change this line, to select only First Name in the query:
$query = "SELECT `First Name`, Username, Password
FROM table
WHERE Username = :un AND Password = :pwd
LIMIT 1";`
to
$query = "SELECT `First Name`
FROM table
WHERE Username = :un AND Password = :pwd
LIMIT 1";`
You need to bind the result as below
if ($stmt->rowCount() > 0) {
$stmt->bind_result($fname, $uname, $pwd);
$stmt->fetch()
echo $fname // here you get firsname
// either you can return this $fname or store into session variable for further
// User exist
return true;
$stmt->close();
}
else {
// User doesn't exist
return false;
$stmt->close();
}
In the section where you are returning true you could instead return the actual user data (and array with data will evaluate to true anyway).
Word of warning, you should use hashed passwords. Do not store the password y plain.