I just need to make sure I've got the PDO prepared statements correct. Will the following code be secure against SQL injection?
$data['username'] = $username;
$data['password'] = $password;
$data['salt'] = $this->generate_salt();
$data['email'] = $email;
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, NOW())");
$sth->execute($data);
Yes, your code is safe. It can be shortened, however:
$data = array( $username, $password, $this->generate_salt(), $email );
// If you don't want to do anything with the returned value:
$this->db->prepare("
INSERT INTO `user` (username, password, salt, email, created)
VALUES (?, ?, ?, ?, NOW())
")->execute($data);
You could start with an empty array for your $data like
// start with a fresh array for data
$data = array();
// imagine your code here
Your code looks good so far.
EDIT: I missed your NOW() call. Imho you should add it with a bind variable as well, like
// bind date
$data['created'] = date("Y-m-d H:i:s");
// updated prepare statement
$sth = $this->db->prepare("INSERT INTO `user` (username, password, salt, email, created) VALUES (:username, :password, :salt, :email, :created)");
It registers the user successfully. But when I check it on my database, all of the values are 0s. What's the problem?
Here's the function code:
public function insertUser($email, $firstName, $lastName, $encryptedPassword, $salt)
{
//SQL language - command to insert data
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (email=?, firstName=?, lastName=?, password=?, salt=?)";
//preparing SQL for execution by checking the validity
$statement = $this->conn->prepare($sql);
//if error
if (!$statement)
{
// $statement is false here, so the error message has to come from the connection
throw new Exception($this->conn->error);
}
//assigning variables instead of '?', after checking the preparation and validity of the SQL command
$statement->bind_param('sssss', $email, $firstName, $lastName, $encryptedPassword, $salt);
//result will store the status/result of the execution of SQL command
$result = $statement->execute();
return $result;
}
The parameters for the function get set with the correct values when called; I tested it.
I'm pretty new to PHP. If I correct my function, it doesn't create a new user. It doesn't even print anything in the browser window. Here's the piece of code that calls this one (maybe it helps you find the solution):
$result = $access->insertUser($email, $firstName, $lastName, $encryptedPassword, $salt);
//result is positive
if ($result)
{
//throw back the user details
$return['status'] = '200';
$return['message'] = 'Successfully registered';
$return['email'] = $email;
$return['firstName'] = $firstName;
$return['lastName'] = $lastName;
echo json_encode($return);
$access->disconnect();
}
Your query is wrong.
//columns are declared here
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (email=?, firstName=?, lastName=?, password=?, salt=?)";
//you do not need to declare your columns again
Simply change your query to
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (?, ?, ?, ?, ?)";
Also, it appears as though you are storing your password and the salt separately; that tells me you are rolling your own hashing algorithm, and there isn't really a need for this. I would remove your salt column and use password_hash() for your password column.
Remove the column=?
$sql = "INSERT INTO users (email, firstName, lastName, password, salt) VALUES (?, ?, ?, ?, ?)";
The code
column=?
in your value assignment is evaluated as a boolean condition that returns false (0).
I'm writing PHP code to send user input to the database, and http://fwtest.ga/register.php is my URL. Every time I click the URL or check the JSON data on the JSONLint website I get "mysqli_stmt_bind_param(): Number of variables doesn't match a number of parameters in prepared statement". Here is my code:
<?php
$con = mysqli_connect("hostname", "username", "password", "dbname");
$first_name = $_POST["first_name"];
$last_name = $_POST["last_name"];
$email = $_POST["email"];
$password = $_POST["password"];
$user_id = $_POST["user_id"];
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
('$first_name', '$last_name', '$email', '$password')");
mysqli_stmt_bind_param($statement, 'ssss', $first_name, $last_name, $email, $password);
mysqli_stmt_execute($statement);
$response = array();
$response["success"] = true;
echo json_encode($response);
?>
You are injecting the params and preparing the query at the same time. Use ? to tell MySQL where to place the data, and remove the variables from the SQL string:
$statement = mysqli_prepare($con, "INSERT INTO `user` (first_name, last_name, email, password) VALUES
(?, ?, ?, ?)");
I declared five variables after $con and used only four of them in the mysqli_prepare function. Now it's working.
I'm making a registration form and I am using PHP bind parameters when inserting data into the database.
$fnameclean = mysqli_real_escape_string($mysqli_conn, $_POST['first_name']);
$passwordclean = mysqli_real_escape_string($mysqli_conn, hash("sha512", $_POST['password']));
$lnameclean = mysqli_real_escape_string($mysqli_conn, $_POST['last_name']);
$emailclean= mysqli_real_escape_string($mysqli_conn, $_POST['email']);
$stmt = $mysqli_conn->prepare("INSERT INTO user (firstname, surname, email, password) VALUES ('?', '?', '?', '?')");
$stmt->bind_param("ssss", $fnameclean, $lnameclean, $emailclean, $passwordclean);
$stmt->execute();
$stmt->close();
When I press the submit button, all I can see in my database are question marks in the fields: firstname, surname, email and password.
However, when I try to add information to the database without bind parameters it works perfectly fine.
Code:
$query1 = "INSERT INTO user (firstname, surname, email, password) VALUES ('$fnameclean', '$lnameclean', '$emailclean', '$passwordclean')";
$mysqli_conn->query($query1);
What am I doing wrong here?
VALUES (?, ?, ?, ?)
Don't put ' around a ? that you use as a bound parameter in the query. So your query should be like:
$stmt = $mysqli_conn->prepare("INSERT INTO user (firstname, surname, email, password) VALUES (?, ?, ?, ?)");
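As an added example (not code from either of the two questions above or their answers), here is a small pre-flight check that explains both symptoms: it counts the real ? placeholders in an SQL string, skipping any ? that sits inside a quoted literal, and compares that with the number of values about to be bound. A query whose values were already interpolated as '$var' has zero placeholders left, which is exactly the "Number of variables doesn't match" error, and a query written as VALUES ('?', '?') also has zero, so bind_param binds nothing and the literal question marks are stored. The check is plain PHP with no database; the sample queries are constructed to mirror the ones above.

```php
<?php
// Added example, not code from any post on this page: count the real ?
// placeholders in an SQL string (ignoring any ? inside a quoted literal)
// and compare that with the number of values about to be bound.

function placeholderCount(string $sql): int
{
    $count = 0;
    $quote = null;                      // quote character currently open, if any
    $len   = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($quote !== null) {
            if ($c === '\\') {
                $i++;                   // MySQL-style backslash escape: skip next char
            } elseif ($c === $quote) {
                if ($i + 1 < $len && $sql[$i + 1] === $quote) {
                    $i++;               // doubled quote ('') is an escaped quote
                } else {
                    $quote = null;      // literal closed
                }
            }
            continue;
        }
        if ($c === "'" || $c === '"' || $c === '`') {
            $quote = $c;                // string literal or quoted identifier opens
        } elseif ($c === '?') {
            $count++;
        }
    }
    return $count;
}

function checkBinding(string $sql, int $valuesToBind): string
{
    $n = placeholderCount($sql);
    return $n === $valuesToBind
        ? "ok: $n placeholder(s) for $valuesToBind value(s)"
        : "mismatch: $n placeholder(s) in the query, $valuesToBind value(s) to bind";
}

// Constructed queries mirroring the two questions above, as the server sees
// them once PHP string interpolation has already happened.
$interpolated = "INSERT INTO `user` (first_name, last_name, email, password) VALUES ('Ann', 'Lee', 'a@b.c', 'pw')";
$quoted       = "INSERT INTO user (firstname, surname, email, password) VALUES ('?', '?', '?', '?')";
$correct      = "INSERT INTO user (firstname, surname, email, password) VALUES (?, ?, ?, ?)";
echo checkBinding($interpolated, 4), "\n";
echo checkBinding($quoted, 4), "\n";
echo checkBinding($correct, 4), "\n";
```

Running it reports a mismatch for the first two queries and ok for the third; the column=? mistake from the earlier question cannot be caught by counting, since its placeholder count is right and only the meaning is wrong.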
I'm trying to insert data which a user has filled out (register form). I am having an issue with it not inserting the data, and at the same time giving me NO error or reason why. I have checked my logs and everything; nothing seems to be wrong. But my query isn't executed.
/* In this function we register the user: we create a salt, insert that salt key into the salts table, then get the ID and use that ID in the passystem table where we store the password and the salt ID. The member data is stored in the members table. */
$data = $_POST;
print_r($data);
$salt = $this->gen_salt();
$password = hash('sha512', $salt.$data['password'].$salt, FALSE);
print $password;
$membersql = "INSERT INTO member (`firstname`,`lastname`,`email`,`gender`) VALUES (:firstname, :lastname, :email, :gender)";
$memberquery = $db->prepare($membersql);
$memberquery->bindParam(':firstname', $data['firstname'], PDO::PARAM_STR);
$memberquery->bindParam(':lastname', $data['lastname'], PDO::PARAM_STR);
$memberquery->bindParam(':email', $data['email'], PDO::PARAM_STR);
$memberquery->bindParam(':gender', $data['gender'], PDO::PARAM_STR);
$memberquery->execute();
Looks like something is wrong with bindparam.
Try it like this:
$membersql = "INSERT INTO member (firstname,lastname,email,gender) VALUES (?, ?, ?, ?)";
$memberquery = $db->prepare($membersql);
// positional placeholders are filled in order from the array passed to execute()
$memberquery->execute(array($data['firstname'], $data['lastname'], $data['email'], $data['gender']));
This should work correctly.
I don't know what the problem is with my code. It doesn't insert the data into the database. Here it is.
$adduser = $con->prepare("INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)");
$adduser->bindValue(':email', $email);
$adduser->bindValue(':password', $password);
$adduser->bindValue(':firstname', $firstname);
$adduser->bindValue(':lastname', $lastname);
$adduser->execute();
INSERT INTO 'basicuserinfo'(email, password, firstname, lastname) VALUES(:email, :password, :firstname, :lastname)
That isn't a valid SQL statement. Get rid of the 's.
Are you sure it is succeeding? You aren't checking the execute as in:
if(!$adduser->execute()) echo "Execute failed";
You will likely find that it is throwing an error on the ' around the table name.
Try this:
$adduser = $con->prepare("INSERT INTO `basicuserinfo`(email, password, firstname, lastname)
VALUES(?, ?, ?, ?)");
// positional placeholders are bound in order from the array passed to execute()
$adduser->execute(array($email, $password, $firstname, $lastname));
With this way of writing the prepared statement you can reduce your execution time.
Then don't put an apostrophe before the table name.
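As an added example (not code from any question or answer on this page), here is the registration insert from the first question written the way the answers recommend, pulling together the advice scattered across this page: bare named placeholders in VALUES, the created timestamp bound from PHP as the edited answer suggests, password_hash() in place of a hand-rolled salt column as a later answer recommends, and PDO's exception error mode so that a broken statement (a quoted table name, a malformed VALUES clause) raises an error instead of failing silently as in the last two questions. It runs against an in-memory SQLite database so it can be tried without MySQL; it assumes the pdo_sqlite extension, and the table layout is an assumption for the demo.

```php
<?php
// Added example, not code from any post on this page: a registration insert
// with PDO that follows the answers above. It runs against an in-memory SQLite
// database (needs the pdo_sqlite extension); the table layout is an assumption.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any failure, so a bad query cannot fail silently the way the
    // "no error, but nothing inserted" questions above describe.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (
        id       INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        email    TEXT NOT NULL,
        created  TEXT NOT NULL)');
    return $db;
}

function insertUser(PDO $db, string $username, string $password, string $email): int
{
    // Bare named placeholders only: no quotes around them, no column=:name,
    // no variables interpolated into the string. password_hash() salts and
    // hashes the password itself, so no separate salt column is kept, and
    // created is bound from PHP rather than calling the database's NOW().
    $sth = $db->prepare('INSERT INTO `user` (username, password, email, created)
                         VALUES (:username, :password, :email, :created)');
    $sth->execute([
        ':username' => $username,
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':email'    => $email,
        ':created'  => date('Y-m-d H:i:s'),
    ]);
    return (int) $db->lastInsertId();
}

$db = connect();
// Constructed input: the quote in the username is stored as data, not parsed as SQL.
$id  = insertUser($db, "o'brien", 'correct horse battery staple', 'ob@example.com');
$sth = $db->prepare('SELECT username, password, created FROM user WHERE id = ?');
$sth->execute([$id]);
$row = $sth->fetch(PDO::FETCH_ASSOC);
echo "inserted id $id as {$row['username']} at {$row['created']}\n";
echo password_verify('correct horse battery staple', $row['password'])
    ? "stored hash verifies\n" : "stored hash does NOT verify\n";
```

Swapping the DSN for a MySQL one keeps the same code working, since the placeholders, the bound timestamp and the error mode are all database-independent.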