Karaethon Posted January 1, 2019

I am getting an error with this line...

```php
}elseif(!($_POST['pass']=mysqli_query($dbconn,"SELECT password FROM players WHERE username = $_POST['uname']"))){
```

php log:

```
[31-Dec-2018 20:15:07 America/Detroit] PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /storage/emulated/0/Icode-Go/data_files/www/safecrackerwebservice.php on line 8
```

mac_gyver Posted January 1, 2019 (edited)

in order to put an array variable inside a string, it needs to be enclosed by {}

however, there are a few things wrong with what that line of code is trying to do -

1) the mysqli_query() statement doesn't return data, it returns a result object, so, a variable holding the submitted password will never be equal to the value returned in that line. you would need to fetch the data first.

2) you should NOT store plain-text passwords. you need to use php's password_hash() and password_verify(). you would need to fetch the stored password hash and use password_verify() to test if the submitted password matches the hash.

3) you should NOT put external/unknown data directly into an sql query statement (and for those cases where it is safe to do so, string data must be enclosed by single-quotes.) you instead need to use a prepared query, with a ? place-holder in the sql query statement for each data value, then supply the data when the query gets executed. unfortunately, the php mysqli extension is overly complicated and inconsistent when dealing with prepared queries and you need to switch to the much simpler php PDO extension. doing this will actually simplify the sql query statement since the place-holder being put into the sql query statement eliminates the php variable, any {} around the variable, any single-quotes around the variable, and any concatenation dots.

mac_gyver Posted January 1, 2019

1.b) additionally, one = is an assignment operator. two == is a comparison operator.

Karaethon Posted January 1, 2019

Crap! So I got it almost all wrong? Ugh. I'm so much better in basic based languages...

Ok, so I wasn't planning on storing the password in plaintext, the client side code encrypts it prior to submission. How can I code this then so that it would work? This is supposed to be just a simple check to determine if the client is authorized prior to processing the rest of the POST data...

Karaethon Posted January 1, 2019

Would this work properly?

```php
$query="SELECT password FROM players WHERE username = ".$_POST['uname'];
$row=mysqli_query($db_conn,$query);
```

benanamen Posted January 1, 2019

> 44 minutes ago, Karaethon said:
>
> Would this work properly?
>
> ```php
> $query="SELECT password FROM players WHERE username = ".$_POST['uname'];
> $row=mysqli_query($db_conn,$query);
> ```

NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements.

Karaethon Posted January 1, 2019

> 23 minutes ago, benanamen said:
>
> NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements.

Ok, how do I do that?

benanamen Posted January 1, 2019

Allow me to direct you to using PDO. Here is a tutorial to get you going. https://phpdelusions.net/pdo

Karaethon Posted January 1, 2019

Ok... So like this?

```php
$stmt = $pdo->prepare('SELECT * FROM players WHERE username = :user AND password=:pword');
$stmt->execute(['user' => $_POST['uname'], 'pword' => $_POST['pass']]);
$user = $stmt->fetch();
```

If I have that right, what will be in $user at the end of all that?

benanamen Posted January 1, 2019 (edited)

You can always run it and see. It's pretty simple. Look at your query. You are selecting EVERYTHING in the row. You should specify the columns you want instead of SELECT *. Naming it $user would be a bad name since it has more than just the user in the result. How about naming it $result?

Karaethon Posted January 1, 2019

Ok, just as a test I did this....

```php
<?php
$host = 'localhost';
$db = 'safecracker';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';
$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES => false,
];
try {
    $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
    throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
$stmt = $pdo->prepare('SELECT * FROM players WHERE email = :email AND username=:uname');
$stmt->execute(['email' => "Test",'uname' => "Test"]);
$user = $stmt->fetch();
echo $user;
?>
```

And got the attached result. So.... What am I doing wrong? Or is this what I'm supposed to get?

benanamen Posted January 1, 2019

The result is an array. You can't echo an array. Do this....

```php
echo '<pre>', print_r($user, true), '</pre>';
```

Karaethon Posted January 1, 2019

> 9 hours ago, benanamen said:
>
> The result is an array. You can't echo an array. Do this....
>
> ```php
> echo '<pre>', print_r($user, true), '</pre>';
> ```

Yay! It works, I get an array. It's full of gibberish for now, but I'm moving forward.
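
The advice given across this thread put together (a prepared query with a ? place-holder, a named column instead of SELECT *, and password_verify() against a stored hash), as an added example that is not code from any poster. It assumes the pdo_sqlite driver with an in-memory database so it runs without a MySQL server; the check_login() helper, the table contents and the sample password are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes the pdo_sqlite driver so it
// runs without a MySQL server; table, row and sample password are constructed.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE players (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Registration side: only the output of password_hash() is stored.
$insert = $pdo->prepare('INSERT INTO players (username, password) VALUES (?, ?)');
$insert->execute(['Test', password_hash('s3cret-sample', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: true only when $uname exists and $pass matches its hash.
 */
function check_login(PDO $pdo, string $uname, string $pass): bool
{
    // One ? place-holder per value; the submitted name is bound as data and
    // never becomes part of the SQL text, so no quoting or {} is needed.
    $stmt = $pdo->prepare('SELECT password FROM players WHERE username = ?');
    $stmt->execute([$uname]);

    // fetch() returns an array for a matching row and false when there is none.
    $row = $stmt->fetch();
    if ($row === false) {
        return false;
    }

    // The password is not part of the WHERE clause: the stored hash is fetched
    // and compared with password_verify(), which handles the salt itself.
    return password_verify($pass, $row['password']);
}

// Constructed inputs: correct password, wrong password, and a username that
// contains quote characters (compared as a literal string by the database).
var_dump(check_login($pdo, 'Test', 's3cret-sample'));
var_dump(check_login($pdo, 'Test', 'wrong-password'));
var_dump(check_login($pdo, "Test' OR '1'='1", 'anything'));
```

With MySQL only the DSN, credentials and options passed to the PDO constructor change; the query and the password_verify() check stay the same.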