I am writing a simple user/login system in Php with postgresql.
I have a function that confirms whether username/passwords exists, which gets activated when a user presses the Login button.
public function confirmUserPass($username, $password){
$username=pg_escape_string($username);
/* Verify that user is in database */
$q = "SELECT password FROM users WHERE email = '$username'";
$result = pg_query($this->link,$q);
/* Do more operations */
}
I want to print the query stored in $results such that I can see it on the browser. When I do it in phppgAdmin using SQL it shows me the output but I cannot see it on the browser. I tried echo and printf but I could not see anything on the browser. I also tried to see view source from the browser but it shows nothing.
Can somebody help me with that?
Regards
From your code: $result = pg_query($this->link,$q);
As you've found already, trying to display the contents of $result from the line above will not give you anything useful. This is because it doesn't contain the data returned by the query; it simply contains a "resource handle".
In order to get the actual data, you have to call a second function after pg_query(). The function you need is pg_fetch_array().
pg_fetch_array() takes the resource handle that you're given in $result, and asks it for its the next set of data.
A SQL query can return multiple results, and so it is typical to put pg_fetch_array() into a loop and keep calling it until it returns false instead of a data array. However, in a case like yours where you are certain that it will return only one result, it is okay to simply call it once immediately after pg_query() without using a loop.
Your code could look like this:
$result = pg_query($this->link,$q);
$data = pg_fetch_array($result, NULL, PGSQL_ASSOC);
Once you have $data, then you've got the actual data from the DB.
In order to view the individual fields in $data, you need to look at its array elements. It should have an array element named for each field in the query. In your case, your query only contains one field, so it would be called $data['password']. If you have more fields in the query, you can access them in a similar way.
So your next line of code might be something like this:
echo "Password from DB was: ".$data['password'];
If you want to see the raw data, you can display it to the browser using the print_r() or var_dump() functions. These functions are really useful for testing and debugging. (hint: Wrap these calls in <pre> tags in order for them to show up nicely in the browser)
Hope that helps.
[EDIT: an after-thought]
By the way, slightly off-topic, but I would like to point out that your code indicates that your system may not be completely secure (even though you are correctly escaping the query arguments).
A truly secure system would never fetch the password from the database. Once a password has been stored, it should only be used in the WHERE clause when logging in, not fetched in the query.
A typical query would look like this:
SELECT count(*) n FROM users WHERE email = '$username' AND password = '$hashedpass'
In this case, the password would be stored in the DB as a hashed value rather than plain text, and the WHERE clause would compare that against a hashed version of the password that has been entered by the user.
The idea is that this allows us to avoid having passwords accessible as plain text anywhere in the system, which reduces the risk of hacking, even if someone does manage to get access to the database.
It's not foolproof of course, and it's certainly not the whole story when it comes to this kind of security, but it would definitely be better than the way you seem to have it now.
You must connect to database , execute query, and then fetch results.
try this example from php.net
<?php
public function confirmUserPass($username, $password){
$username=pg_escape_string($username);
// Connecting, selecting database
$dbconn = pg_connect("host=localhost dbname=publishing user=www password=foo")
or die('Could not connect: ' . pg_last_error());
// Performing SQL query
$query = "SELECT password FROM users WHERE email = '$username'";
$result = pg_query($query) or die('Query failed: ' . pg_last_error());
// Printing results in HTML
echo "<table>\n";
while ($line = pg_fetch_array($result, null, PGSQL_ASSOC)) {
echo "\t<tr>\n";
foreach ($line as $col_value) {
echo "\t\t<td>$col_value</td>\n";
}
echo "\t</tr>\n";
}
echo "</table>\n";
// Free resultset
pg_free_result($result);
// Closing connection
pg_close($dbconn);
?>
}
?>
http://php.net/manual/en/book.pgsql.php
Related
a have an sqlite table
CREATE TABLE "lib" (
"id" INTEGER UNIQUE,
"addr" TEXT UNIQUE,
"data" TEXT,
PRIMARY KEY("id")
)
testing dataset contains:
...
1 arara arararar test
2 unit=comp comp test
...
I use code next to test requests
<? $db = new PDO('sqlite:main.db') or die('Unable to open database');
echo ("qry: ".$_SERVER["QUERY_STRING"]."<br>");
foreach ($db->query("SELECT * FROM lib WHERE addr='".$_SERVER["QUERY_STRING"]."'", PDO::FETCH_ASSOC/*_NUM*/) as $row) {
//echo($row[0].'<br>');
echo($row['addr'].'<br>');
echo($row['data'].'<br>');
}
$db = null; ?>
so, when I do script.php?arara it returns
qry: arara
arara
arararar test
but, when I do script.php?unit=comp it returns no data (just QUERY_STRING)
qry: unit=comp
what wrong with my code?
upd:
this question is not about security
php modified for PDO prepare, now its return no data with any request
<? $db = new PDO('sqlite:main.db') or die('Unable to open database');
echo ("qry: ".$_SERVER["QUERY_STRING"]."<br>");
$qry=$db->prepare("SELECT * FROM lib WHERE addr='?'");
$qry->execute(array($_SERVER["QUERY_STRING"]));
foreach ($qry as $row) {
//foreach ($db->query("SELECT * FROM lib WHERE addr='".$_SERVER["QUERY_STRING"]."'", PDO::FETCH_ASSOC/*_NUM*/) as $row) {
//echo($row[0].'<br>');
echo($row['addr'].'<br>');
echo($row['data'].'<br>');
}
$db = null; ?>
what wrong with my code?
... sadly quite a lot.
I've never seen someone inject the QUERY_STRING straight into a query. How easily corruptable would this string be? If I wanted to inject some malicious sql I just have to write it in. If I make a mistake then the query won't return anything. If I add a new parameter in the future because I want more than a single param then the query fails.
The malicious sql is the most dangerous problem here, the other's are about code maintainability and still very important. Check out this
https://bobby-tables.com/
and this
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
You need to parse the query string so you can check and sanitise the data. Php has an in-built function for this:
https://www.php.net/manual/en/function.parse-str.php
You then should be binding the data in the prepared statement you have now read about.
I don't know if you're in charge of the script calling this, but it seems like POST data would be better for this. GET parameters are visible and stored in web server logs, so you have a security vulnerability with potential personal data. You also then won't need to worry about url_encoding/decoding the string.
//EDIT
to be fair, using PHP's parse_str with decode the url anyway, so that at least will take care of that issue if you can't convert it to post
I have around 75 php existing scripts that access mysql database similar to this pseudo code:
$query="SELECT * from table";
$result=mysqli_query($conn,$query);
if (mysqli_num_rows($result)) {
while($row=mysqli_fetch_assoc($result)) {
//use the rows
}
}
I was recently forced to encrypt all the database fields individually, so now when those 75 php scripts run as shown above, all the $row come back with all the fields encrypted, thus unusable.
So rather than change all the 75 php scripts to decode each field, i wanted to create a function that executes the mysqli_query, and then decrypts all the fields, and returns the result as if it was returned by the mysqli_query, but decrypted. Something like
function QueryAndDecrypt($conn,$query){
$result=mysqli_query($conn,$query);
if (mysqli_num_rows($result)) {
while($row=mysqli_fetch_assoc($result)) {
$row=decrypt($row);
}
}
return $result; <<----- return result with fields decrypted
}
// now all 75 scripts would have to change just one line to call above
$query="SELECT * from table";
$result=QueryAndDecrypt($conn,$query); <<--- change only 1 line
if (mysqli_num_rows($result)) {
while($row=mysqli_fetch_assoc($result)) {
//use the rows as normal decrypted
}
}
As you can see I just want to change that one line in all the 75 scripts so that it will do the same thing as before, and the result will come back with all the fields already decrypted.
I tried writing this QueryAndDecrypt function, but when i change the result from mysqli_result $row as shown above it wont change because the result from mysql is some sort of set that is not changeable (I was told), or something like that.
So is there anyway to do this by writing a common function that can be called from all the scripts which does the sql query and also decrypts the result in such a way that it can be accessed by all the other scripts like a regular mysql query result?
Can anybody help, im "fresh off the boat", so i dont know sql that well or php, i'm so desperate right now because all the scripts are broken because of this!!
Thanks
Sorry, you can't modify the rows of the result and then somehow 'unfetch' them back into the result to be fetched again.
But you can fix your code by changing one line:
$query = "SELECT * from table";
$result = mysqli_query($conn,$query);
if (mysqli_num_rows($result)) {
while ($row = MyFetchAssocAndDecrypt($result)) { <<--- change only 1 line
//use the rows as normal decrypted
}
}
You'd have to write functions something like this:
function MyDecrypt(&$item, $key) {
$item = openssl_decrypt($item, OPENSSL_CIPHER_AES_256_CBC, MY_SECRET_KEY);
}
function MyFetchAssocAndDecrypt($conn, $result){
$row = mysqli_fetch_assoc($conn, $result);
array_walk($row, 'MyDecrypt');
return $row; <<----- return row with fields decrypted
}
PS: You mentioned the requirement that you aren't supposed to send unencrypted data over the network to the database. That wouldn't be my concern, because you can use a VPN or else connect to the database via SSL.
The greater concern is that the query that contains your plaintext data and the plaintext encryption password would be written to database logs on the MySQL server, and these logs are not encrypted.
There are some optional extensions to MySQL that promise to do full-database encryption, but these extensions overlook the query logs.
I have a database running and I'm currently printing out in a website, in a "php block" the usernames of the database. I achieved it with this
if ($db_handle) {
print "Database ISSSSS Found ";
$SQL = "SELECT * FROM `database.com`.`users`";
$result = mysql_query($SQL);
//print $result;
while ( $db_field = mysql_fetch_assoc($result) ) {
print $db_field['username'] . "<BR>";
}
mysql_close($db_handle);
}
However this gives me a giant string of all the users (I currently have 4). How do I make it so its just the individual user accessing their profile through the website
Typically, when someone logs in, you would store non sensitive information about the user in the session. This way, you can get to it quickly without needing to make database calls on every page. For instance, if you wanted to show their username in the pages header, you would always have their username handy to do so. Then, when they go to view their profile, you can use that username you stored as part of your SQL WHERE clause to pull in information pertaining only to that specific user.
Use WHERE username = 'yourusername' in your SQL query.
That shall fix your problem
I'm experiencing a strange problem. I'm caching the output of a query using memcache functions in a file named count.php. This file is called by an ajax every second when a user is viewing a particular page. The output is cached for 5 seconds, so within this time if there will be 5 hits to this file i expect the cached result to be returned 3-4 times atleast. However this is not happening, instead everytime a query is going to db as evidenced from a echo statement, but if the file is called from the browser directly by typing the url (like http://example.com/help/count.php) repeatedly many times within 5 seconds data is returned from cache (again evidenced from the echo statement). Below is the relevant code of count.php
mysql_connect(c_dbhost, c_dbuname, c_dbpsw) or die(mysql_error());
mysql_select_db(c_dbname) or die("Coud Not Find Database");
$product_id=$_POST['product_id'];
echo func_total_bids_count($product_id);
function func_total_bids_count($product_id)
{
$qry="select count(*) as bid_count from tbl_userbid where userbid_auction_id=".$product_id;
$row_count=func_row_count_only($qry);
return $row_count["bid_count"];
}
function func_row_count_only($qry)
{
if($_SERVER["HTTP_HOST"]!="localhost")
{
$o_cache = new Memcache;
$o_cache->connect('localhost', 11211) or die ("Could not connect to memcache");
//$key="total_bids" . md5($product_id);
$key = "KEY" . md5($qry);
$result = $o_cache->get($key);
if (!$result)
{
$qry_result = mysql_query($qry);
while($row=mysql_fetch_array($qry_result))
{
$row_count = $row;
$result = $row;
$o_cache->set($key, $result, 0, 5);
}
echo "From DB <br/>";
}
else
{
echo "From Cache <br/>";
}
$o_cache->close();
return $row_count;
}
}
I'm confused as to why when an ajax calls this file, DB is hit every second, but when the URL is typed in the browser cached data is returned. To try the URL method i just replaced $product_id with a valid number (Eg: $product_id=426 in my case). I'm not understanding whats wrong here as i expect data to be returned from cache within 5 seconds after the 1st hit. I want the data to be returned from cache. Can some one please help me understand whats happening ?
If you're using the address bar, you're doing a GET, but your code is looking for $_POST['...'], so you will end up with an invalid query. So for a start, the results using the address bar won't be what you're expecting. Is your Ajax call actually doing a POST?
Please also note that you've got a SQL injection vulnerability there. Make sure $product_id is an integer.
There are many problems with your code, first of all you always connect to the database and select a table, even if you don't need it. Second, you should check $result with !empty($result) which is more reliable as just !$result, because it's also covers empty objects.
As above noted, if the 'product_id' is not in the $_POST array, you could use $_REQUEST to also cover $_GET (but you shouldn't, if you are certain it's coming via $_POST).
So I have a chatroom type of database where the text that a user inserts gets stored into a databse as their username in one field and their message in the other. I want to have my page output the database info, so that people can see each others messages.
How do I do this?
Also, is it possible to make a for loop that checks to see if the database has been updated with a new message, therefore it reloads the page? (Then the page outputs the database info again to update everyones messages)
Please help.. i'm so confused.
Take a look at MySQL functions in PHP manual. You need to connect to the server/database and run a select query to get the data from tables.
As for the loop: you could use JavaScript setInterval function and combine that with AJAX call to periodically poll for new records.
Like the others have said, you will want to connect to your database and then query the table that you have the data in.
while($row = mysql_fetch_assoc($results))
{
echo $row['username'] . " said: " . $row['message'] . "<br />";
}
I use mysql_fetch_assoc() instead of mysql_fetch_array() since the arrays are associative arrays (not indexed by integers, but rather by names (associations))
As for displaying the update on the page dynamically, that involves AJAX. Basically what that means is that your page will call out to a background script to get the new records from the database. This would require a new field in your 'messages' table, something like 'msg_delivered' that you could set to '1' when it has been fetched.
You should check out this if you are interested in making an AJAX chat client: http://htmltimes.com/javascript-chat-client-in-jquery.php
To read anything from a mysql database you would use the mysql_connect() and the mysql_query() functions
eg:
$link = mysql_connect('localhost', 'root', '');
$results = mysql_query('select * from messages');
while($row = mysql_fetch_array($results))
{
echo $row['username'] . ': ' . $row['message'].'<br />';
}
To display new messages the best way would be to use AJAX and poll the database from there, either loading a separate page into a DIV or getting XML back and placing into HTML tags. I would recommend using JQuery for these kinds of tasks. Check http://www.sitepoint.com/article/ajax-jquery/ for an example.