Jump to content

What is wrong with this line?


Karaethon

Recommended Posts

I am getting an error with this line... 

}elseif(!($_POST['pass']=mysqli_query($dbconn,"SELECT password FROM players WHERE username = $_POST['uname']"))){ 

php log: 
[31-Dec-2018 20:15:07 America/Detroit] PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /storage/emulated/0/Icode-Go/data_files/www/safecrackerwebservice.php on line 8

Link to comment
Share on other sites

in order to put an array variable inside a string, it needs to be enclosed by {}

however, there are a few things wrong with what that line of code is trying to do -

1) the mysqli_query() statement doesn't return data, it returns a result object, so, a variable holding the submitted password will never be equal to the value returned in that line. you would need to fetch the data first.

2) you should NOT store plain-text passwords. you need to use php's password_hash() and password_verify(). you would need to fetch the stored password hash and use password_verify() to test if the submitted password matches the hash.

3) you should NOT put external/unknown data directly into an sql query statement (and for those cases where it is safe to do so, string data must be enclosed by single-quotes.) you instead need to use a prepared query, with a ? place-holder in the sql query statement for each data value, then supply the data when the query gets executed. unfortunately, the php mysqli extension is overly complicated and inconsistent when dealing with prepared queries and you need to switch to the much simpler php PDO extension. doing this will actually simplify the sql query statement since the place-holder being put into the sql query statement eliminates the php variable, any {} around the variable, any single-quotes around the variable, and any concatenation dots.

Link to comment
Share on other sites

Crap! So I got it almost all wrong? Ugh. I'm so much better in basic based languages...

Ok, so I wasn't planning on storing the password in plaintext, the client side code encrypts it prior to submission. 

How can I code this then so that it would work? This is supposed to be just a simple check to determine if the client is authorized prior to processing the rest of the POST data...

Link to comment
Share on other sites

44 minutes ago, Karaethon said:

Would this work properly?

$query="SELECT password FROM players WHERE username = ".$_POST['uname'];
$row=mysqli_query($db_conn,$query);

 

NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements.

Link to comment
Share on other sites

Ok... So like this?

$stmt $pdo->prepare('SELECT * FROM players WHERE username = :user AND password=:pword');
$stmt->execute(['user' => $_POST['uname']'pword' => $_POST['pass']]);
$user $stmt->fetch();

if I have that right, what will be in $user at the end of all that?

Link to comment
Share on other sites

You can always run it and see.

It's pretty simple. Look at your query. You are selecting EVERYTHING in the row.

You should specify the columns you want instead of SELECT *.

Naming it $user would be a bad name since it has more than just the user in the result. How about naming it $result?

 

Link to comment
Share on other sites

Ok, just as a test I did this....

<?php
$host = 'localhost';
$db   = 'safecracker';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
     $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
     throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
$stmt = $pdo->prepare('SELECT * FROM players WHERE email = :email AND username=:uname');
$stmt->execute(['email' => "Test",'uname' => "Test"]);
$user = $stmt->fetch();
echo $user;
?>

And got the attached result.

So.... What am I doing wrong? Or is this what I'm supposed to get?

Screenshot_20190101-005541_Opera.jpg

Link to comment
Share on other sites

9 hours ago, benanamen said:

The result is an array. You cant echo an array. Do this....


echo '<pre>', print_r($user, true), '</pre>'; 

 

Yay! It works I get an array. It's full of gibberish for now, but I'm moving forward.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.