gtseviper Posted August 15, 2012

It took me a while to get my login.php working correctly until I was told it needed a prepared statement to secure it. How would this login.php be converted to a prepared statement? Any help would be appreciated.

```php
<?php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
    $connect = mysql_connect("host","username","password") or die ("Couldnt connect to database");
    mysql_select_db("database name") or die ("Couldn't find database");
    $password = md5(md5($password));
    $query = mysql_query("SELECT * FROM users WHERE username='$username' ");
    $numrows = mysql_num_rows($query);
    if($numrows !=0)
    {
        while ($rows = mysql_fetch_assoc($query))
        {
            $dbusername = $rows ['username'];
            $dbpassword = $rows ['password'];
        }
        if ($username==$dbusername&&$password==$dbpassword)
        {
            $password = md5(md5("Rh4izr".$password."Q46s7E"));
            $_SESSION['username']=$dbusername;
            if($username == "ash")
            {
                include("webpage");
            }
            else if($username == "Bobby")
            {
                include("webpage");
            }
        }
        else echo "Incorrect password. <br /><a href='webpage'>Click here to try again</a>";
    }
    else die ("That username doesnt exist. <br /><a href='webpage'>Please contact Innavationz for further assistance</a>");
}
else die ("Please enter a username and password. <br /><a href='webpage'>Click here to try again</a>");
?>
```

https://forums.phpfreaks.com/topic/267097-php-prepared-statement-help/
kicken Posted August 15, 2012

You would have to convert the script to use MySQLi or PDO to be able to use prepared statements (which I'd recommend). When using the classic mysql extension you just need to ensure you run your variables through mysql_real_escape_string before using them in a query:

```php
$query = mysql_query("SELECT * FROM users WHERE username='".mysql_real_escape_string($username)."' ");
```

If it's available to you (check phpinfo()'s output) I'd recommend using PDO to access your database. Google a few tutorials on it; it is pretty simple to use.
Christian F. Posted August 15, 2012

As a little aside: you can use `real_escape_string()` with MySQLi as well, not just the old (and deprecated) mysql library. Also, since the `mysql_*()` library of functions is deprecated, you really should move on to either MySQLi or PDO anyway.
gtseviper Posted August 15, 2012 (Author)

Thanks for all the responses. Here is what I have done. I had a lot of help converting it. Will this even convert correctly to do the same thing that the original is doing without a problem? The problem I am having is that my `if($username == "ash") { include("ash.php"); }` comes up with the page background only and no image content.

```php
<?php
session_start();
$form_username = $_POST['username'];
$form_password = $_POST['password'];
if ($form_username&&$form_password)
{
    $form_password = md5(md5($password));
    $conn = new mysqli('host','username','password', 'database') or die ('Couldnt connect to database');
    $stmt = $conn->prepare("SELECT username FROM users WHERE username=?");
    $stmt->bind_param('s', $username);
    $stmt->execute();
    if($stmt->fetch())
    {
        if($numrows !=0)
        {
            while ($rows = mysql_fetch_assoc($query))
            {
                $dbusername = $rows ['username'];
                $dbpassword = $rows ['password'];
            }
            if ($form_username==$dbusername&&$form_password==$dbpassword)
            {
                $form_password = md5(md5("Rh4izr".$password."Q46s7E"));
                $_SESSION['username']=$dbusername;
                if($username == "ash")
                {
                    include("ash.php");
                }
                else if($username == "Bobby")
                {
                    include("Bobby.php");
                }
            }
            else echo ("Incorrect password. <br /><a href='webpage'>Click here to try again</a>");
        }
        else die ("That username doesnt exist. <br /><a href='webpage'>Please contact Innavationz for further assistance</a>");
    }
}
else die ("Please enter a username and password. <br /><a href='webpage'>Click here to try again</a>");
$stmt->close();
$conn->close();
?>
```
kicken Posted August 15, 2012

> `while ($rows = mysql_fetch_assoc($query)) {`

1) Please use [code][/code] tags when you post your code.

2) You can't mix mysql_* functions and the mysqli object. Not only that, you're referencing variables that do not exist. It's as if you're just missing a whole portion of the script.

You're also making things more complicated than they really need to be. To check a login all you need to do is run a query such as:

```sql
SELECT UserId FROM users WHERE Username=? AND Password=?
```

If the username and password are correct, it will match and return a row. If it is not correct, you will not get a row.

```php
$form_password = md5(md5($password));
$conn = new mysqli('host','username','password', 'database') or die ('Couldnt connect to database');
$stmt = $conn->prepare("SELECT username FROM users WHERE username=? AND password=?");
$stmt->bind_param('ss', $form_username, $form_password);
$stmt->execute();

//This is how you get a result. You bind a variable for each column you are returning
$stmt->bind_result($dbusername);
if ($stmt->fetch()){
    //Success!
    $_SESSION['username']=$dbusername;
    if($username == "ash")
    {
        include("ash.php");
    }
    else if($username == "Bobby")
    {
        include("Bobby.php");
    }
}
else {
    echo ("Incorrect username or password. <br /><a href='webpage'>Click here to try again</a>");
}
```
Christian F. Posted August 15, 2012

Never ever do this:

```php
$form_password = md5(md5($password));
```

Read the thread on hashing for more information on why. Yes, I mean the entire thread.

Also, why this?

```php
$form_password = md5(md5("Rh4izr".$password."Q46s7E"));
```

Not only is it sub-optimal to use a static hash for everyone, but why didn't you hash it in the first place? Also, you're not using it afterwards.

You need to go back and read up on security, as well as plan your code from scratch. Write a short list of keywords on what you'd like the code to do, step by step. After doing that you'll find that it's a lot easier to write proper and clean code, and not get lost in a spaghetti-soup like the one you have now.
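The two pieces of advice above (kicken's "one query with bound parameters" and Christian F.'s warning against md5 and static salts) fit together in one script. The following is an added example, not code from the thread or from any of its posters: a PDO prepared statement does the lookup and `password_hash()`/`password_verify()` do the credential check. It assumes an in-memory SQLite database so it runs stand-alone; with MySQL only the DSN and credentials in `connect()` change. The `PAGES` allow-list, the table layout and the sample accounts are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Prepared statement for the lookup,
// password_hash()/password_verify() for the credential check. SQLite in memory
// is an assumption made so the script runs stand-alone; for MySQL only
// connect() would change.
declare(strict_types=1);

// Assumption: which page each account lands on is an allow-list held in code,
// so the username never becomes part of an include path.
const PAGES = ['ash' => 'ash.php', 'Bobby' => 'Bobby.php'];

function connect(): PDO
{
    // For MySQL this would be:
    //   new PDO('mysql:host=host;dbname=database;charset=utf8mb4', 'username', 'password');
    //   followed by $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    // so that the server, not the client, does the parameter binding.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
    return $pdo;
}

function createUser(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a fresh random salt per user: no fixed
    // "Rh4izr...Q46s7E" strings, and identical passwords get different hashes.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Returns the stored (canonical) username on success, null on failure.
// The row is selected by username only; the password is checked in PHP
// against the stored hash, never compared inside the SQL.
function login(PDO $pdo, string $username, string $password): ?string
{
    // When the user does not exist a dummy hash is verified anyway, so a
    // failed lookup takes about as long as a wrong password and the response
    // time does not reveal which usernames are valid.
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT username, password FROM users WHERE username = ?');
    $stmt->execute([$username]); // bound as a value, never spliced into the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $storedHash = $row === false ? $dummyHash : $row['password'];
    if (!password_verify($password, $storedHash) || $row === false) {
        return null;
    }
    return $row['username'];
}

// --- demonstration with constructed sample data ---
$pdo = connect();
createUser($pdo, 'ash', 'correct horse');
createUser($pdo, 'Bobby', 'battery staple');

$attempts = [
    ['ash', 'correct horse'],    // right password
    ['ash', 'wrong'],            // wrong password
    ["' OR '1'='1", 'anything'], // live SQL in the first post's concatenated query; here just a username that does not exist
    ['nobody', 'anything'],      // unknown user
];

foreach ($attempts as [$user, $pass]) {
    $who = login($pdo, $user, $pass);
    if ($who === null) {
        printf("%-18s rejected\n", var_export($user, true));
        continue;
    }
    // On a real site: session_regenerate_id(true); $_SESSION['username'] = $who;
    $page = PAGES[$who] ?? '(no page assigned)';
    printf("%-18s logged in as %s, page %s\n", var_export($user, true), $who, $page);
}
```

Run it from the command line with `php login_example.php`; only the first attempt logs in. Note that the failure message is the same for a wrong password and an unknown user, which is why the script returns `null` for both rather than the two different messages the first post prints.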
gtseviper Posted August 16, 2012 (Author)

Thanks again for all your expert help. I will have to sit down and learn a little more about this prepared statement stuff. It will take me some time for this to soak in. Thanks again.
gtseviper Posted August 16, 2012 (Author)

Alright, I got it to function. Thanks for all your help.
Christian F. Posted August 16, 2012

Mind posting the finished product, so that we can look (and possibly pick) at it a bit more?
gtseviper Posted August 17, 2012 (Author)

The page was working fine to get to ash.php or Bobby.php, and now the web server is redirecting me to their default page. I tried it on another server and it started doing the same thing. When the result_bind happens, am I supposed to use that in my `if ($username)` to locate the page, or do you use the `$form_username`?

```php
<?php
session_start();
$form_username = $_POST['username'];
$form_password = $_POST['password'];

$conn = new mysqli('host','username','password', 'database');

$stmt = $conn->prepare("SELECT username FROM users WHERE username=? AND password=?");
$stmt->bind_param('ss', $form_username, $form_password);
$stmt->execute();
$stmt->bind_result($username);
if ($stmt->fetch())
{
    if($username == "ash")
    {
        include('ash.php');
    }
    else if($username == "Bobby")
    {
        include('Bobby.php');
    }
}
else
{
    echo ("Incorrect username or password. <br /><a href='index.php'>Click here to try again</a>");
}
$stmt->close();
$conn->cloase();
?>
```
Christian F. Posted August 17, 2012

Besides the misspelling of "close" in the last line, I don't see anything wrong with the code itself. Try using `var_dump()` on the results from the various steps of fetching the data from the database. Might be the query itself that's off, or the POSTed data isn't correct, or some tomfoolery with the database values themselves.

PS: http://forums.phpfreaks.com/index.php?topic=364036