Home/ Questions/Q 7278863
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T22:56:01+00:00

This is the login function written using MySQL way However, the problem exists when

  • 0

This is the login function written using MySQL way
However, the problem exists when it convert into PDO way

MYSQL:

    <?
function confirmUser($username, $password){
   global $conn;
   if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select UserID,UserPW from user where UserID  = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['UserPW']  = stripslashes($dbarray['UserPW']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['UserPW']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

PDO:

<?
function confirmUser($username, $password){
   global $conn;

   include("connection/conn.php");

   $sql = '
    SELECT   COALESCE(id,0) is_row
    FROM     user
    WHERE    UserID = ?
    LIMIT 1
';

$stmt = $conn->prepare($sql);
$stmt->execute(array('09185346d'));
$row = $stmt->fetch();

if ($row[0] > 0) {
       $sql = '
    SELECT   COALESCE(id,1) is_row
    FROM     user
    WHERE    UserPW = ?
    LIMIT 1
';
$stmt = $conn->prepare($sql);
$stmt->execute(array('asdasdsa'));
$row = $stmt->fetch();
    if ($row[0] > 0) 
    return 2;
    else
    return 0;
}
elseif ($row[0] = 0)
{return 1;}   



}

What is the problem ?? And is it necessary to include bind parameter in PDO??? THANKS

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Aside from your use of global and your include inside the function (you should investigate an alternative way of structuring your function not to do this), I would change the code as follows:

    $sql =
    'SELECT  id
    FROM     user
    WHERE    UserID = ?
    AND      UserPW = ?
    LIMIT 1';

$stmt = $conn->prepare($sql);
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));

if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}

    Combing the queries to give a general Authentication error, instead of allowing people to trial valid usernames, and then valid passwords, and then using PDOStatements rowCount method do see if your row was returned.

    To answer your second part, it is not necessary to specifically use bindParam to prevent SQL injection.

    Here’s a quick example of the difference between bindParam and bindValue

    $param = 1;

$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);

    Using bindParam

    $stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();

    SELECT id FROM myTable WHERE myValue = ‘2’

    Using bindValue

    $stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();

    SELECT id FROM myTable WHERE myValue = ‘1’

    • 0