
[SOLVED] WHERE clause with two values using AND...


fry2010


Hi, I don't know if this is my code (probably) but I can't see why this doesn't work.

 

I am trying to SELECT COUNT(*) rows using a WHERE clause that uses two values to check.

The problem is with the second parameter: it could be anything, as long as the first parameter given was correct.

Here is the code:

 function login($user, $password)
  { 
      $passwd = 'ihwjdw2';   // test value: this is what actually gets bound below, not $password
      $conn = db_connect();
      $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

      // first query: look up the user's salt
      $sql = 'SELECT salt FROM useraccount WHERE username=:user';

      $stmt = $conn->prepare($sql);
      $stmt->bindParam(':user', $user);
      $stmt->execute();
      $row = $stmt->fetchObject();

      $salt = $row->salt;

      // hash the supplied password with the stored salt
      $result = generate_hash($password, $salt);
      $password = $result['1'];

      // second query: both conditions must match
      $sql2 = 'SELECT COUNT(*) FROM useraccount WHERE username=:user AND password =:password';

      $stmt2 = $conn->prepare($sql2);
      $stmt2->bindParam(':user', $user);
      $stmt2->bindParam(':password', $passwd);   // binds $passwd, not the hashed $password
      $result = $stmt2->execute();

      if($stmt2->fetchColumn() > 0)
      {
        return true;
      }

      if(!$salt || !$result)
      {
        throw new Exception('Could not Login.');
      }
  }

 

Notice the $password parameter given to the function, and notice the $passwd random letters I just shoved in to test it. Guess what: it still returns the selected value even though the password is incorrect! For a start, the password stored in the database is encrypted; that is the whole point of the generate_hash() part, but I accidentally used $passwd instead of $password in the select statement and didn't realise till now, and the whole time I have been able to log in.

So am I right in that you can use a WHERE clause with 2 values? It is acting more like an OR statement..

Check this line and the parameter given:

 

      $passwd = 'ihwjdw2';
      $sql2 = 'SELECT COUNT(*) FROM useraccount WHERE username=:user AND password =:password';

      // further down notice this:
      $stmt2->bindParam(':password', $passwd);
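Added example, not the poster's code: a small self-contained script that builds a constructed `useraccount` table in an in-memory SQLite database (the `pdo_sqlite` extension is assumed), shows that a `WHERE username = :user AND password = :password` query with both values bound really does return 0 when either value is wrong, and then shows the usual shape of a login check: fetch the stored hash by username only and verify it in PHP with `password_verify()`. The `generate_hash()`/salt scheme from the post is replaced by `password_hash()` here, which carries its own random salt inside the stored string.

```php
<?php
// Added example (not from the original post). Assumes the pdo_sqlite
// extension; the useraccount table and the "alice" account are constructed
// for the demo.

function make_db(): PDO
{
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec('CREATE TABLE useraccount (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

    // Constructed sample account: the stored value is a salted hash, never the password itself.
    $stmt = $conn->prepare('INSERT INTO useraccount (username, password) VALUES (:user, :hash)');
    $stmt->execute([':user' => 'alice', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $conn;
}

// The poster's second query with the right variable bound. Both bound values
// must match the same row, so the count is 0 when either one is wrong.
function count_matching(PDO $conn, string $user, string $stored): int
{
    $stmt = $conn->prepare('SELECT COUNT(*) FROM useraccount WHERE username = :user AND password = :password');
    $stmt->bindValue(':user', $user);
    $stmt->bindValue(':password', $stored);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Preferred shape: look the hash up by username, then verify in PHP.
// A password_hash() value cannot be compared inside SQL because every hash
// embeds its own random salt, so a fresh hash of the right password never
// equals the stored string.
function login(PDO $conn, string $user, string $password): bool
{
    $stmt = $conn->prepare('SELECT password FROM useraccount WHERE username = :user');
    $stmt->bindValue(':user', $user);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do one verify so the response time does not
        // reveal which usernames exist.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $row['password']);
}

$conn = make_db();

// Stored hash for the two-condition WHERE demo.
$hash = $conn->query("SELECT password FROM useraccount WHERE username = 'alice'")->fetchColumn();

var_dump(count_matching($conn, 'alice', $hash));      // right user, right stored value
var_dump(count_matching($conn, 'alice', 'ihwjdw2'));  // right user, wrong password value
var_dump(count_matching($conn, 'bob', $hash));        // wrong user, right stored value

var_dump(login($conn, 'alice', 'correct horse'));   // correct credentials
var_dump(login($conn, 'alice', 'ihwjdw2'));         // wrong password
var_dump(login($conn, 'mallory', 'correct horse')); // unknown user
```

Running it with `php` prints the three counts (only the first is 1) followed by the three login results (only the first is true). The design point is that the database is asked for one row by username and the secret comparison happens in `password_verify()`, so the query's `AND` never has to compare a salted hash.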
