Karaethon Posted January 1, 2019 Share Posted January 1, 2019 I am getting an error with this line... }elseif(!($_POST['pass']=mysqli_query($dbconn,"SELECT password FROM players WHERE username = $_POST['uname']"))){ php log: [31-Dec-2018 20:15:07 America/Detroit] PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /storage/emulated/0/Icode-Go/data_files/www/safecrackerwebservice.php on line 8 Link to comment Share on other sites More sharing options...
mac_gyver Posted January 1, 2019 Share Posted January 1, 2019 in order to put an array variable inside a string, it needs to be enclosed by {} however, there are a few things wrong with what that line of code is trying to do - 1) the mysqli_query() statement doesn't return data, it returns a result object, so, a variable holding the submitted password will never be equal to the value returned in that line. you would need to fetch the data first. 2) you should NOT store plain-text passwords. you need to use php's password_hash() and password_verify(). you would need to fetch the stored password hash and use password_verify() to test if the submitted password matches the hash. 3) you should NOT put external/unknown data directly into an sql query statement (and for those cases where it is safe to do so, string data must be enclosed by single-quotes.) you instead need to use a prepared query, with a ? place-holder in the sql query statement for each data value, then supply the data when the query gets executed. unfortunately, the php mysqli extension is overly complicated and inconsistent when dealing with prepared queries and you need to switch to the much simpler php PDO extension. doing this will actually simplify the sql query statement since the place-holder being put into the sql query statement eliminates the php variable, any {} around the variable, any single-quotes around the variable, and any concatenation dots. Link to comment Share on other sites More sharing options...
mac_gyver Posted January 1, 2019 Share Posted January 1, 2019 1.b) additionally, one = is an assignment operator. two == is a comparison operator. Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 Crap! So I got it almost all wrong? Ugh. I'm so much better in basic based languages... Ok, so I wasn't planning on storing the password in plaintext, the client side code encrypts it prior to submission. How can I code this then so that it would work? This is supposed to be just a simple check to determine if the client is authorized prior to processing the rest of the POST data... Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 Would this work properly? $query="SELECT password FROM players WHERE username = ".$_POST['uname']; $row=mysqli_query($db_conn,$query); Link to comment Share on other sites More sharing options...
benanamen Posted January 1, 2019 Share Posted January 1, 2019 44 minutes ago, Karaethon said: Would this work properly? $query="SELECT password FROM players WHERE username = ".$_POST['uname']; $row=mysqli_query($db_conn,$query); NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements. Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 23 minutes ago, benanamen said: NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements. Ok, how do I do that? Link to comment Share on other sites More sharing options...
benanamen Posted January 1, 2019 Share Posted January 1, 2019 Allow me to direct you to using PDO. Here is a tutorial to get you going. https://phpdelusions.net/pdo Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 Ok... So like this? $stmt = $pdo->prepare('SELECT * FROM players WHERE username = :user AND password=:pword'); $stmt->execute(['user' => $_POST['uname'], 'pword' => $_POST['pass']]); $user = $stmt->fetch(); if I have that right, what will be in $user at the end of all that? Link to comment Share on other sites More sharing options...
benanamen Posted January 1, 2019 Share Posted January 1, 2019 You can always run it and see. It's pretty simple. Look at your query. You are selecting EVERYTHING in the row. You should specify the columns you want instead of SELECT *. Naming it $user would be a bad name since it has more than just the user in the result. How about naming it $result? Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 Ok, just as a test I did this.... <?php $host = 'localhost'; $db = 'safecracker'; $user = 'root'; $pass = ''; $charset = 'utf8mb4'; $dsn = "mysql:host=$host;dbname=$db;charset=$charset"; $options = [ PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC, PDO::ATTR_EMULATE_PREPARES => false, ]; try { $pdo = new PDO($dsn, $user, $pass, $options); } catch (\PDOException $e) { throw new \PDOException($e->getMessage(), (int)$e->getCode()); } $stmt = $pdo->prepare('SELECT * FROM players WHERE email = :email AND username=:uname'); $stmt->execute(['email' => "Test",'uname' => "Test"]); $user = $stmt->fetch(); echo $user; ?> And got the attached result. So.... What am I doing wrong? Or is this what I'm supposed to get? Link to comment Share on other sites More sharing options...
benanamen Posted January 1, 2019 Share Posted January 1, 2019 The result is an array. You cant echo an array. Do this.... echo '<pre>', print_r($user, true), '</pre>'; Link to comment Share on other sites More sharing options...
Karaethon Posted January 1, 2019 Author Share Posted January 1, 2019 9 hours ago, benanamen said: The result is an array. You cant echo an array. Do this.... echo '<pre>', print_r($user, true), '</pre>'; Yay! It works I get an array. It's full of gibberish for now, but I'm moving forward. Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.