[SOLVED] WHERE clause with two values using AND...

Hi, I don't know if this is my code (probably), but I can't see why this doesn't work.

I am trying to SELECT COUNT(*) rows using a WHERE clause that uses two values to check.

The problem is with the second parameter: it could be anything as long as the first parameter given was correct.

Here is the code:

 function login($user, $password)
 {
     $passwd = 'ihwjdw2';
     $conn = db_connect();
     $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

     // Look up the user's salt first so the submitted password can be hashed the same way.
     $sql = 'SELECT salt FROM useraccount WHERE username=:user';

     $stmt = $conn->prepare($sql);
     $stmt->bindParam(':user', $user);
     $stmt->execute();
     $row = $stmt->fetchObject();

     $salt = $row->salt;

     $result = generate_hash($password, $salt);
     $password = $result['1'];

     $sql2 = 'SELECT COUNT(*) FROM useraccount WHERE username=:user AND password =:password';

     $stmt2 = $conn->prepare($sql2);
     $stmt2->bindParam(':user', $user);
     $stmt2->bindParam(':password', $passwd); // binds the test value, not the hashed $password
     $result = $stmt2->execute();

     if ($stmt2->fetchColumn() > 0)
     {
         return true;
     }

     if (!$salt || !$result)
     {
         throw new Exception('Could not Login.');
     }

     return false;
 }


Notice the $password parameter given to the function, and notice the $passwd random letters I just shoved in to test it. Guess what, it still returns the selected value even though the password is incorrect! For a start, the password stored in the database is encrypted; that is the whole point of the generate_hash() part, but I accidentally used $passwd instead of $password in the select statement and didn't realise till now, and the whole time I have been able to log in.

So am I right in that you can use a WHERE clause with 2 values? It is acting more like an OR statement...

Check this line and the parameter given:

     $passwd = 'ihwjdw2';
     $sql2 = 'SELECT COUNT(*) FROM useraccount WHERE username=:user AND password =:password';

     // further down notice this:
     $stmt2->bindParam(':password', $passwd);
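As an added example (not the poster's code), here is the same two-value lookup in Python against an in-memory sqlite3 table, which accepts the same :user/:password named placeholders; generate_hash() is a constructed PBKDF2 stand-in for the poster's function and the account data is made up. It shows the AND clause rejecting a wrong password once the computed hash is what gets bound, plus a variant that skips COUNT(*) entirely by fetching the stored hash and comparing it in constant time.

```python
import hashlib
import hmac
import os
import sqlite3


def generate_hash(password: str, salt: bytes) -> str:
    # Constructed stand-in for the thread's generate_hash(): PBKDF2-SHA256, hex encoded.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def make_db() -> sqlite3.Connection:
    # Constructed in-memory table with one account; the salt is stored as hex text.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE useraccount (username TEXT, salt TEXT, password TEXT)")
    salt = os.urandom(16)
    conn.execute(
        "INSERT INTO useraccount VALUES (:user, :salt, :password)",
        {"user": "alice", "salt": salt.hex(), "password": generate_hash("correct horse", salt)},
    )
    return conn


def login_count(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Same two-value WHERE clause as the thread, with the computed hash bound to :password.
    row = conn.execute("SELECT salt FROM useraccount WHERE username=:user", {"user": user}).fetchone()
    if row is None:
        return False
    hashed = generate_hash(password, bytes.fromhex(row[0]))
    count = conn.execute(
        "SELECT COUNT(*) FROM useraccount WHERE username=:user AND password=:password",
        {"user": user, "password": hashed},
    ).fetchone()[0]
    return count > 0


def login_compare(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Preferred shape: select by username only, then compare hashes in constant time.
    row = conn.execute(
        "SELECT salt, password FROM useraccount WHERE username=:user", {"user": user}
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(generate_hash(password, bytes.fromhex(row[0])), row[1])
```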
