php sign in problem with pdo

Question

Eagle.Avik 0 Junior Poster in Training

11 Years Ago

i am having problem with converting my sign in script with pdo
here is my script

if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['form_name'] == 'loginform')
{
   $success_page = $_COOKIE["redirect"];
   $error_page = 'signup_error.php';
   $indexlogcheck = 'home.php';
   $mysql_table = 'users';
   $crypt_pass = md5($_POST['password']);
   $found = false;
   $fullname = '';
   $session_timeout = time()+60*60*24*30;
   try
   {
   $pdo = new PDO('mysql:host=localhost;dbname=blog', 'Avik', '');
   }
   catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    }   

  try
  {
   $sql = "SELECT password, fullname, active FROM ".$mysql_table." WHERE username = '".$_POST['username']."'";
   $statement = $pdo->prepare($sql);
   $statement->execute();
   $result = $statement->fetchAll(PDO::FETCH_ASSOC);
    if ($data = count($result) == 1)
    {
      if ($crypt_pass == $data['password'] && $data['active'] != 0)
      {
         $found = true;
         $fullname = $data['fullname'];
      }
   }
if($found == false)
   {
      header('Location: '.$error_page);
      exit;
   }
   else
   {
      if (session_id() == "")
      {
         session_start();
      }
      $_SESSION['username'] = $_POST['username'];
      $_SESSION['fullname'] = $fullname;
      $_SESSION['expires_by'] = time() + $session_timeout;
      $_SESSION['expires_timeout'] = $session_timeout;
      $rememberme = isset($_POST['rememberme']) ? true : false;
      if ($rememberme)
      {
         setcookie('username', $_POST['username'], time() + 3600*24*30);
      }
      header('Location: '.$success_page);
      exit;
    }
  }
  catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    } 
}

$username = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';

so where am i doing wrong!!! this script works if i changed it into below codes

try
  {
   $sql = "SELECT password, fullname, active FROM ".$mysql_table." WHERE username = '".$_POST['username']."' AND password = '".$crypt_pass."'";
   $statement = $pdo->prepare($sql);
   $statement->execute();
   $result = $statement->fetchAll(PDO::FETCH_ASSOC);
    if (count($result) == 1)
    {

      if (session_id() == "")
      {
         session_start();
      }

      $_SESSION['username'] = $_POST['username'];
      $_SESSION['fullname'] = $fullname;
      $_SESSION['expires_by'] = time() + $session_timeout;
      $_SESSION['expires_timeout'] = $session_timeout;
      $rememberme = isset($_POST['rememberme']) ? true : false;
      if ($rememberme)
      {
         setcookie('username', $_POST['username'], time() + 3600*24*30);

      }
      header('Location: '.$success_page);
      exit;
   }
    else
    {
    header('Location: '.$error_page);
    exit;
    }
 }

but i want to know whats wrong with the code above!!

php

4 Contributors
5 Replies
262 Views
1 Day Discussion Span
Latest Post 11 Years Ago Latest Post by Eagle.Avik

rereus 0 Newbie Poster

11 Years Ago

Hi,
line 28 $data=count($result)
But later you use this variable like an array $data['username'] ...
I think this is wrong.

tpunt 0 Newbie Poster

11 Years Ago

There's a few things going on within your code that needs to be addressed. But let's first cover why you're having the log in problem. You've assigned the variable $data to the returned result of the count() function. The result will be an integer, not an associative array as you have try to manipulate it as within your IF statement. You need to use the information contained within the $result variable instead.

The first correction to your code is that your use of a prepared statement is nugatory, since you aren't actually binding anything to your query. You've directly inserted the, potentially tainted, $_POST['username'] value into your SQL. In order to take advantage of the security provided by parametrised queries, you must use a placeholder and either explicity bind the variable to the query with the bindParam() method, or implcitly bind the variable by passing an array to the execute() method.

Another improvement would be to use a different crypotgraphic hashing algorithm, since MD5 isn't really considered "safe" anymore.

Edited 11 Years Ago by tpunt

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

winniekun 0 Newbie Poster · Answer 1 · 2013-10-28T02:12:27+00:00

winniekun 0 Newbie Poster

11 Years Ago

Glad to found that this useful blog.

Eagle.Avik 0 Junior Poster in Training · Answer 2 · 2013-10-28T23:54:53+00:00

@tpunt thnx for mentioning the holes in my code, i updated the bind method
here is my updated code

if ($_SERVER['REQUEST_METHOD'] == 'POST' && $_POST['form_name'] == 'loginform')
{
   $redirect_page = $_COOKIE["redirect"];
   $error_page = 'signup_error.php';
   $indexlogcheck = 'home.php';
   $mysql_table = 'users';
   $found = false;
   $fullname = 'avik';
   $session_timeout = time()+60*60*24*30;
   try
   {
   $pdo = new PDO('mysql:host=localhost;dbname=blog', 'Avik', '');
   }
   catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    }   

  try
  {
   $sql = "SELECT password, fullname, active FROM ".$mysql_table." WHERE username = :username AND password = :password";
   $statement = $pdo->prepare($sql);
   $statement->bindValue(':username', $_POST['username']);
   $statement->bindValue(':password', md5($_POST['password']));
   $statement->execute();
   $result = $statement->fetchAll(PDO::FETCH_ASSOC);
    if (count($result) == 1)
    {

      if (session_id() == "")
      {
         session_start();
      }

      $_SESSION['username'] = $_POST['username'];
      $_SESSION['fullname'] = $fullname;
      $_SESSION['expires_by'] = time() + $session_timeout;
      $_SESSION['expires_timeout'] = $session_timeout;
      $rememberme = isset($_POST['rememberme']) ? true : false;
      if ($rememberme)
      {
         setcookie('username', $_POST['username'], time() + 3600*24*30);

      }
      header('Location: '.$redirect_page);
      exit;
   }
    else
    {
    header('Location: '.$error_page);
    exit;
    }
 }
   catch (PDOException $e)
   {
    $output = 'Unable to connect to the database server.';
    echo $output;
    exit();
    }

}

is this ok, i mean is it now safe from sql injection??

Eagle.Avik 0 Junior Poster in Training · Answer 3 · 2013-10-28T23:56:07+00:00

and about cryptographic hash algorithm, can anyone give me a link for any tutorial of this!!