
Is this a new problem?

I'm not sure what you are trying to debug here. You didn't use password_hash() to make the encrypted password, so you don't need to use password_verify() to check it.

You stated that you used md5() to encrypt the passwords.

I'm not going to go into why md5 (especially without a salt) is not recommended, because that decision was made by someone in the past, and it is what it is.

Your query is already checking for a name AND password match. Perhaps that was what you had previously (or something similar). I'm not sure why you thought that needed to be changed for php7. Even if there are things that weren't recommended security practices, you can't "upgrade" a security scheme by changing a few functions.

In your case, all you need do is something like:

function LogMeX2($name, $pwd1)
{
	$sql = "SELECT User, UserKey FROM LIBusersX WHERE UserKey = '" . md5($pwd1) . "' AND UserN = '" . md5($name) . "'";

	$pdo = connectDB();
	$stmt = $pdo->prepare($sql);
	$stmt->execute();

	if(!$row = $stmt->fetch())
	{
		return false;
	}

	// username and password matched, return user id
	return $row['User'];
}

 

In regards to the prior code: while you should in general never interpolate variables directly into a SQL statement, and should use prepared statements instead, in this case it doesn't matter, because you are running md5 on both parameters. It doesn't matter if someone tries to SQL-inject data, as the md5 function will convert the input and output an md5 string. This is one of very few cases where it doesn't matter what the input is.

I'm not sure other than for testing why you are selecting the userkey.  It's fine to have it in the criteria, but you wouldn't want or need that value to be returned in the result set.
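As an added example (not code from the post above), here is the same login check written with PDO placeholders instead of string interpolation, plus the step the post leaves out: moving a row from unsalted md5 to password_hash() the first time its owner logs in successfully. The table LIBusersX and the columns User, UserN and UserKey are taken from the post; the connectDB() here is a stand-in that builds an in-memory SQLite table with one constructed row, so the script runs on its own. UserKey is selected here, unlike in the post's recommendation, only because the comparison happens in PHP rather than in SQL.

```php
<?php
// Added example, not code from the original post. Same check as LogMeX2 above,
// but the values go through PDO placeholders instead of being pasted into the
// SQL string, and a legacy md5 row is rehashed with password_hash() on success.
// Assumptions: table LIBusersX and columns User, UserN, UserKey are from the
// post; connectDB() below is a stand-in that builds an in-memory SQLite table
// with one constructed row so the script runs stand-alone.

function connectDB(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $pdo->exec("CREATE TABLE LIBusersX (User INTEGER PRIMARY KEY, UserN TEXT, UserKey TEXT)");
    // Constructed sample row, stored the legacy way: md5 of the name and of the password.
    $pdo->prepare("INSERT INTO LIBusersX (UserN, UserKey) VALUES (?, ?)")
        ->execute([md5('bruce'), md5('correct horse')]);
    return $pdo;
}

function LogMeX3(PDO $pdo, string $name, string $pwd1)
{
    // Placeholder: the value never becomes part of the SQL text, so the query
    // stays safe even if someone later removes the md5() on the name.
    $stmt = $pdo->prepare("SELECT User, UserKey FROM LIBusersX WHERE UserN = ?");
    $stmt->execute([md5($name)]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false;                        // no such user
    }

    $stored = $row['UserKey'];

    // Rows already migrated hold a password_hash() string; password_verify()
    // returns false for a plain md5 hex string, so this branch is skipped for
    // legacy rows.
    if (password_verify($pwd1, $stored)) {
        return $row['User'];
    }

    // Legacy md5 row. hash_equals() compares in constant time.
    if (!hash_equals($stored, md5($pwd1))) {
        return false;                        // wrong password
    }

    // The plaintext matched, so rehash it now and store the stronger hash.
    $upd = $pdo->prepare("UPDATE LIBusersX SET UserKey = ? WHERE User = ?");
    $upd->execute([password_hash($pwd1, PASSWORD_DEFAULT), $row['User']]);
    return $row['User'];
}

$pdo = connectDB();
var_dump(LogMeX3($pdo, 'bruce', 'wrong password'));  // fails on the md5 compare
var_dump(LogMeX3($pdo, 'bruce', 'correct horse'));   // matches the md5, row is rehashed
var_dump(LogMeX3($pdo, 'bruce', 'correct horse'));   // now matches via password_verify()
```

The third call succeeds through password_verify() because the second call replaced the md5 value in the row; after all users have logged in once, the md5 branch can be deleted. hash_equals() is used for the legacy compare because a plain `==` on the hex strings leaks timing information, and because `==` on two strings that look numeric in PHP can compare them as numbers.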

3 hours ago, Paul-D said:

The major problems with PDO there are no books on the subject just web pages with fragments of code. Back in the days of mySql there were and still are books you can buy.

There is plenty of good online help on PDO - https://phpdelusions.net/pdo

3 hours ago, Paul-D said:

What is needed is function prototypes complete with explanations.

That would be exactly the information found in the php documentation - https://www.php.net/manual/en/book.pdo.php

specifically for Prepare() and Execute() - https://www.php.net/manual/en/pdo.prepare.php and https://www.php.net/manual/en/pdostatement.execute.php

On 3/7/2023 at 12:33 AM, Paul-D said:

The major problems with PDO there are no books on the subject just web pages with fragments of code. Back in the days of mySql there were and still are books you can buy.

Paul-D my friend, this is the way of the world. Many books are now published online, sometimes under a creative commons license. In today's world you have ereaders and kindle etc. I used to buy scores of technical books -- have an entire library of 'em, but they are mostly obsolete now.

I'm sure you would agree that many books have a few really important chapters and then a lot of stuff that's not important.  The phpdelusions site pretty much covers everything you need.

The other thing about PDO is that it's akin to ODBC, and that makes it different than a server specific api.  Unlike ODBC, it in general is very usable and performant regardless of the RDBMS you are using it with.

I personally use Doctrine DBAL for projects, if I just need raw sql.  It provides a nice wrapper around PDO. 

Since you haven't coded anything in a long time, and are having to try and upgrade code that was written in an antiquated and un-modular fashion, it's understandable that you are frustrated, but if you plan to stay in PHP for a while, there are many things that have improved in the PHP world in the last 10 years that have nothing to do with PDO.  Learning about and adopting some of these things which include use of git, wide adoption of dependency injection, community standards, namespaces, component libraries, and use of the composer project dependency management tool, have raised the bar.  PDO is such a small and minimal set of functions/methods and practices, it's honestly not hard to learn what you need in short order, but doesn't scratch the surface of the more important improvements that have come along with the changes to the PHP language and runtimes.


My server is still PHP4.5, so I am using md5(). I know this should be changed. md5() is still supported in PHP7, so I can address the issue then. I need to do 2 things: return a set of records from a table, preferably using prepare and execute, and return a record from an admin table to check at log in. I need the entire row, including access levels and last time logged in. I am interested in this bindParam(1, $Name); as I think this could be useful. What I have, using prepare and execute, needs help. So any corrections to this would be very helpful.

<?php
$pdo = connectDB();
$Name = "Bruce";
$sql = "SELECT * FROM PDO WHERE Name_F = ?"; // $Name is supplied at execute() time
$stmt = $pdo->prepare($sql);
// Alternative: $stmt->bindParam(1, $Name); followed by $stmt->execute();
$stmt->execute([$Name]); // execute() takes an array of values, one per placeholder

while ($row = $stmt->fetch())
{
	echo $row['Name_F'] . " - " . $row['Name_S'] . " - " . $row['DOB'] . "<br>";
}
echo "Music count = " . $stmt->rowCount(); // rowCount() after a SELECT is driver-dependent
?>

 

This is exactly the same code and problem that you posted on Saturday morning, and which was answered by @ginerjm telling you precisely what was wrong and giving you the correct code...

Stop repeating questions and ignoring replies.
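As an added example (not code from any post in this thread), the following script covers the three things asked for in the post above: a set of rows through prepare/execute, bindParam(), and one complete row from an admin table for a login check. The columns Name_F, Name_S and DOB come from the post; the table names music and admins, the admin columns AccessLevel and LastLogin, and every row of data are assumptions, constructed in an in-memory SQLite database so the script runs on its own.

```php
<?php
// Added example, not code from any post in this thread.
// Assumptions: columns Name_F, Name_S, DOB are from the post; the tables
// music and admins, the admin columns, and all rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);      // throw on SQL errors
$pdo->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC); // $row['col'] only, no numeric copies

$pdo->exec("CREATE TABLE music (Name_F TEXT, Name_S TEXT, DOB TEXT)");
$pdo->exec("CREATE TABLE admins (Name TEXT PRIMARY KEY, AccessLevel INTEGER, LastLogin TEXT)");
$ins = $pdo->prepare("INSERT INTO music VALUES (?, ?, ?)");
foreach ([['Bruce', 'Springsteen', '1949-09-23'],
          ['Bruce', 'Dickinson',   '1958-08-07'],
          ['Paul',  'Weller',      '1958-05-25']] as $r) {
    $ins->execute($r);                       // one prepared statement, new values each time
}
$pdo->prepare("INSERT INTO admins VALUES (?, ?, ?)")->execute(['Bruce', 2, '2023-03-07 00:33:00']);

// 1. A set of records. execute() takes an ARRAY with one value per placeholder;
//    passing a bare string is the error in the posted code.
function findByFirstName(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT Name_F, Name_S, DOB FROM music WHERE Name_F = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// 2. bindParam() binds the VARIABLE by reference, so its value is read when
//    execute() runs. That makes one prepared statement reusable in a loop.
function findByFirstNames(PDO $pdo, array $names): array
{
    $stmt = $pdo->prepare("SELECT Name_F, Name_S, DOB FROM music WHERE Name_F = :name");
    $stmt->bindParam(':name', $name, PDO::PARAM_STR);
    $out = [];
    foreach ($names as $name) {              // each assignment updates the bound value
        $stmt->execute();
        $out[$name] = $stmt->fetchAll();
    }
    return $out;
}

// 3. One row, every column, for the login check. fetch() returns false when
//    nothing matched, so the caller can test the result directly.
function adminRecord(PDO $pdo, string $name)
{
    $stmt = $pdo->prepare("SELECT * FROM admins WHERE Name = ?");
    $stmt->execute([$name]);
    return $stmt->fetch();
}

function touchLastLogin(PDO $pdo, string $name): void
{
    $pdo->prepare("UPDATE admins SET LastLogin = ? WHERE Name = ?")
        ->execute([date('Y-m-d H:i:s'), $name]);
}

$rows = findByFirstName($pdo, 'Bruce');
foreach ($rows as $row) {
    echo $row['Name_F'] . ' - ' . $row['Name_S'] . ' - ' . $row['DOB'] . "<br>\n";
}
// rowCount() after a SELECT is driver-dependent (SQLite reports 0), so count what was fetched.
echo 'Music count = ' . count($rows) . "<br>\n";

foreach (findByFirstNames($pdo, ['Bruce', 'Paul', 'Nobody']) as $name => $hits) {
    echo $name . ': ' . count($hits) . " row(s)<br>\n";
}

if ($admin = adminRecord($pdo, 'Bruce')) {
    echo 'Access level ' . $admin['AccessLevel'] . ', last login ' . $admin['LastLogin'] . "<br>\n";
    touchLastLogin($pdo, 'Bruce');           // record this login after the check passes
}
```

Two things worth keeping from this: the ERRMODE_EXCEPTION attribute turns a failed prepare() or execute() into an exception instead of a silent false that the fetch loop then hides, and fetchAll() plus count() is the portable replacement for rowCount() on a SELECT, which the PDO manual documents as not guaranteed for all drivers.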
