I'm creating a login system of sorts that uses parameters from the URL.
The parameters are set no problem. I dont know what the issue is.
Here's my code:
<?php
require_once("db_const.php");
$mysqli = new mysqli("dont", "try", "to login to", "my database");
# check connection
if ($mysqli->connect_errno) {
echo "<p>MySQL error no {$mysqli->connect_errno} : {$mysqli->connect_error}</p>";
exit();
}
$username = filter_input(INPUT_GET,"username",FILTER_SANITIZE_STRING);
$password = filter_input(INPUT_GET,"password",FILTER_SANITIZE_STRING);
$sql = "SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1";
$result = $mysqli->query($sql);
if (!$result->num_rows == 1) {
echo "failed";
} else {
echo "success";
}
?>
There are a few problems with your code.
The problem is the use of the LIKE function. Your usage is
SELECT * from users WHERE username LIKE '{$username}' AND password LIKE '{$password}' LIMIT 1
Like requires additional specification to find match positions and such, for example :
SELECT ... WHERE username LIKE '%{$username}%'
In the form you used, the WHERE clause if equivalent to
SELECT ... WHERE username = '{$username}'
In addition, LIKE is not recommended even (especially) with the wildcards, as 'tom' will match users 'tom' and 'tommy', and the count will certainly not be == 1.
I'll also urge you to test the query for errors
if (!$result) {
echo 'An error occurred : $mysqli->error;
}
Others have already mentioned the risk in passwing username and passwords on the URL, Please take note of their comments.
In addition, storing the password in plain form the database is not recommended for security reasons. There are plenty of resources explaining how to encrypt passwords and authenticate using the encrypted values.
Try:
$sql = "SELECT * from users WHERE username='$username' AND password='$password'";
CAUTION
Even if the above code solves your problem, It's still very dangerous as it's vulnerable for SQL injection on both username and password parameters and it can be exploited in a manner that a malicious user can bypass the login check by breaking out of the quotes and adding a condition that evaluates to true.
You can use a mysqli::prepare to get over that.
$stmt = mysqli->prepare("SELECT * from users WHERE username=? AND password=?");
$stmt->bind_param("ss", $username,$password);
$stmt->execute();
Related
I want my users to be able to sign in using their accounts, so I created an html form and a php file that will communicate with mySQL database.
The php code is supposed to check whether the username and password are correct and exist in the database. If so the user is granted access. I am thinking such algorithm:
<?php
//connection_start
$mysqli = new mysqli('mysql3.000webhost.com','a4305565_os','******','a4305565_users');
//check_connection
if($mysqli->connect_error){
die("Connection error (check_connection): " . $mysqli->connect_errno . " : " . $mysqli->connect_error );
exit();
}
//check_if_account_exists
$query = mysql_query("SELECT * FROM `users` where `username` = '$_POST[form_username]' AND `password` = '$_POST[form_password]'") or die(mysql_error());
$row = mysql_fetch_array($query) or die(mysql_error());
//verification
if(!empty($row['username']) AND !empty($row['password'])){
echo "SUCCESSFULLY SIGNED IN.";
}else{
die("Your are not registered yet.");
}
//Connection_end
$mysqli->close();
?>
But when I test the code on my web host, it is giving me an error on line 14 saying that I
do not have access to the database "a4305565_users" with password=NO
or something like that.
Any help please?
Your user don't have any rights on a4305565_users schema.
Edit your user privileges to give him the rights to use this schema.
Also it's kind of weird that you are creating a schema named "users", this sounds more like a table name.
And, as a word of advice, you should hash your users password, it's a very bad practice to store them in plain text.
Also, you can salt your hashes.
Look at this : https://en.wikipedia.org/wiki/Salt_(cryptography)
i have searched and added some prevention code but i need expert advice am i correct ?
I have made seperate file for SQL connect but i have confusion whether i should use include, require, include_onces or any other ?
mysql_connect("localhost", "userr", "pass") or die(mysql_error()) ;
mysql_select_db("databse") or die(mysql_error()) ;
Here i have added two things UTF8 and mysql_real_escape_string.
$bad='anyone123';
$var = mysql_real_escape_string($bad);
$q = mysql_query('SET user_id UTF8');
$q = mysql_query("SELECT * FROM fbusers WHERE user_id = '$var'");
$r = mysql_fetch_array($q);
Please give me advice if how can i prevent injec. to 100%
i don't want my website to be hacked :(
Thank you
You need to use prepared statements for any queries that require user input. This sends the query and the parameters seperately and acts as a layer of security to catch any malicious input.
In PDO:
$stmt = $pdo->prepare("SELECT * FROM fbusers WHERE user_id = :var");
$stmt->execute(array(':var'=>$var));
In mysqli:
$stmt = $dbConnection->prepare('SELECT * FROM fbusers WHERE user_id = ?');
$stmt->bind_param('s', $var);
$stmt->execute();
Maybe this post would help.
$username = $_POST['username'];
$password = $_POST['password'];
$passworda = $_POST['passworda'];
$email = $_POST['email'];
if ($password == $passworda){
echo 'this is the user name to be chacked:' .$username .'<br>';
$query = "SELECT username FROM mishta where username=$username";
$queryrun = mysql_query($query);
echo $queryrun .'<br>';
echo mysql_num_rows($queryrun) .'<br>';
if (mysql_num_rows($queryrun)!=1){
mysql_query("INSERT INTO mishta(id, username, password, email) VALUES ('', '$username','$password','$email')");
}
else{
echo 'user already exist';
}
Hello there,
I'm trying to make a simple registration form, I get useername from html form and I want to make sure it doesn't already exist in my database.
the thing is that whenever I run the username as a number (1,2,3...) it runs smoothly.
but, when I try to write anything with letter, like Bob or Dora I get the following error:
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in...
Yet the information is still being stored my my data base, means it got false on the last if statement, and it will continue to get false (It will just insert duplicates if I try again).
Any help would be appreciated.
You forgot the quotes around the username:
$query = "SELECT username FROM mishta where username='$username'"
Quotes are used as string delimiter. Numbers are not string and it works if you use a number.
mysql_real_escape_string is preventing the unsanitized fields with bad characters from being added to the database. I don't want to have to specify all the fields on each form (since that's both cumbersome to do for each field and doesn't accommodate special characters which people may include or typos), but at the moment this code prevents anything from being inserted if any threatening characters are present in the unsanitized fields but still advances to the next page.
I'm also using jQuery validate on this page, but haven't been able to use that to prevent SQL injection.
function clean($str) {
$str = #trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
//Sanitize the POST values
$user_name = clean($_POST['user_name']);
$password = clean($_POST['password']);
//Create INSERT query
$qry = "INSERT INTO customer_info(fname, lname, gender, zip, email, phone, terms, security_question, security_answer, participating_retailers, notify_new_items, notify_promotions, priority1, priority2, priority3, priority4, priority5, privacy, user_name, password)
VALUES('$_POST[fname]','$_POST[lname]','$_POST[gender]','$_POST[zip]','$_POST[email]','$_POST[phone]','$_POST[terms]','$_POST[security_question]','$_POST[security_answer]','$_POST[participating_retailers]','$_POST[notify_new_items]','$_POST[notify_promotions]','$_POST[priority1]','$_POST[priority2]','$_POST[priority3]','$_POST[priority4]','$_POST[priority5]','$_POST[privacy]','$user_name','$password')";
$result = #mysql_query($qry);
$qry="SELECT * FROM customer_info WHERE user_name='$user_name' AND password='$password'";
$result=mysql_query($qry);
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_USER_ID'] = $member['user_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['fname'];
$_SESSION['SESS_LAST_NAME'] = $member['lname'];
session_write_close();
header("location: flatter-form.html");
exit();
mysql_query has been deprecated. PDO or mysqli both provide security against SQL injections. In addition to both having escaping functionality, PDO has the ability to also quote the string. Using prepared and parameterized queries makes it almost impossible for an attacker to inject SQL.
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
// do something with $row
}
Sample from: Prepared statements
Take a look at PDO vs. MySQLi.
I have a custom table called wp_purchases that is added to by a Paypal IPN, it has the columns post_id, purchase_id, username, email and changes:
$user = $_POST['username'];
$post_id = $post->ID;
global $wpdb;
$wpdb->purchases = $table_prefix . 'purchases';
$result = $wpdb->query("SELECT * FROM $wpdb->purchases WHERE username = $user AND post_id = $post_id");
if ($result) {...
I'm just trying to check if there is a purchase under a certain username in a single .php theme page and then perform an operation unrelated to the $result.
It won't work though, any way I try it comes up with null. Is it something to do with using $wpdb->purchases or not including a certain file or something else? I've also tried it with get_results and get_row with no luck.
Try this :
$result = $wpdb->query("SELECT * FROM `".$wpdb->purchases."` WHERE username = '$user' AND post_id = '$post_id';");
I gave up and just used
$result = $wpdb->query("SELECT * FROM wp_purchases WHERE username = $user AND post_id = $post_id");
because it's for a single site and doesn't really need the table prefix, it'll always be wp_
I know it's too late for this answer, but I'll still post it for the sake of others who are also having similar issue.
You mentioned that the query still returns nothing even after removing the WHERE part, have you tried to echo $wpdb->purchases variable? It might just returning you a string "purchases" instead of "wp_purchases" (assuming that your table prefix is "wp_"). Try using $wpdb->prefix instead of $table_prefix, or $wpdb->base_prefix if you got a multisite.
$wpdb->purchases = $wpdb->prefix . 'purchases';
What type of username? I assume it stores string data. So variable $user must be quoted:
"SELECT * FROM $wpdb->purchases WHERE username = \"$user\" AND post_id = $post_id"