Jump to content
Karaethon

What is wrong with this line?

Recommended Posts

I am getting an error with this line... 

}elseif(!($_POST['pass']=mysqli_query($dbconn,"SELECT password FROM players WHERE username = $_POST['uname']"))){ 

php log: 
[31-Dec-2018 20:15:07 America/Detroit] PHP Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in /storage/emulated/0/Icode-Go/data_files/www/safecrackerwebservice.php on line 8

Share this post


Link to post
Share on other sites
Posted (edited)

in order to put an array variable inside a string, it needs to be enclosed by {}

however, there are a few things wrong with what that line of code is trying to do -

1) the mysqli_query() statement doesn't return data, it returns a result object, so, a variable holding the submitted password will never be equal to the value returned in that line. you would need to fetch the data first.

2) you should NOT store plain-text passwords. you need to use php's password_hash() and password_verify(). you would need to fetch the stored password hash and use password_verify() to test if the submitted password matches the hash.

3) you should NOT put external/unknown data directly into an sql query statement (and for those cases where it is safe to do so, string data must be enclosed by single-quotes.) you instead need to use a prepared query, with a ? place-holder in the sql query statement for each data value, then supply the data when the query gets executed. unfortunately, the php mysqli extension is overly complicated and inconsistent when dealing with prepared queries and you need to switch to the much simpler php PDO extension. doing this will actually simplify the sql query statement since the place-holder being put into the sql query statement eliminates the php variable, any {} around the variable, any single-quotes around the variable, and any concatenation dots.

Edited by mac_gyver
  • Like 1

Share this post


Link to post
Share on other sites

1.b) additionally, one = is an assignment operator. two == is a comparison operator.

Share this post


Link to post
Share on other sites

Crap! So I got it almost all wrong? Ugh. I'm so much better in basic based languages...

Ok, so I wasn't planning on storing the password in plaintext, the client side code encrypts it prior to submission. 

How can I code this then so that it would work? This is supposed to be just a simple check to determine if the client is authorized prior to processing the rest of the POST data...

Share this post


Link to post
Share on other sites

Would this work properly?

$query="SELECT password FROM players WHERE username = ".$_POST['uname'];
$row=mysqli_query($db_conn,$query);

Share this post


Link to post
Share on other sites
44 minutes ago, Karaethon said:

Would this work properly?

$query="SELECT password FROM players WHERE username = ".$_POST['uname'];
$row=mysqli_query($db_conn,$query);

 

NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements.

Share this post


Link to post
Share on other sites
23 minutes ago, benanamen said:

 

NEVER EVER put variables in your query. Your code is vulnerable to an SQL Injection Attack. Use Prepared Statements.

Ok, how do I do that?

Share this post


Link to post
Share on other sites

Ok... So like this?

$stmt $pdo->prepare('SELECT * FROM players WHERE username = :user AND password=:pword');
$stmt->execute(['user' => $_POST['uname']'pword' => $_POST['pass']]);
$user $stmt->fetch();

if I have that right, what will be in $user at the end of all that?

Share this post


Link to post
Share on other sites
Posted (edited)

You can always run it and see.

It's pretty simple. Look at your query. You are selecting EVERYTHING in the row.

You should specify the columns you want instead of SELECT *.

Naming it $user would be a bad name since it has more than just the user in the result. How about naming it $result?

 

Edited by benanamen

Share this post


Link to post
Share on other sites

Ok, just as a test I did this....

<?php
$host = 'localhost';
$db   = 'safecracker';
$user = 'root';
$pass = '';
$charset = 'utf8mb4';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
];
try {
     $pdo = new PDO($dsn, $user, $pass, $options);
} catch (\PDOException $e) {
     throw new \PDOException($e->getMessage(), (int)$e->getCode());
}
$stmt = $pdo->prepare('SELECT * FROM players WHERE email = :email AND username=:uname');
$stmt->execute(['email' => "Test",'uname' => "Test"]);
$user = $stmt->fetch();
echo $user;
?>

And got the attached result.

So.... What am I doing wrong? Or is this what I'm supposed to get?

Screenshot_20190101-005541_Opera.jpg

Share this post


Link to post
Share on other sites

The result is an array. You cant echo an array. Do this....

echo '<pre>', print_r($user, true), '</pre>'; 

 

Share this post


Link to post
Share on other sites
9 hours ago, benanamen said:

The result is an array. You cant echo an array. Do this....


echo '<pre>', print_r($user, true), '</pre>'; 

 

Yay! It works I get an array. It's full of gibberish for now, but I'm moving forward.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.