Ch33ky

Reputation: 31

How do I make an if statement which checks if a variable is in the MySQL database?

try {
    // $_GLOBALS is not a PHP superglobal; the array is $GLOBALS
    $conn = new PDO("mysql:host=" . $GLOBALS['servername'] . ";dbname=" . $GLOBALS['dbname'], $GLOBALS['username'], $GLOBALS['password']);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $sql = "SELECT * FROM us WHERE username='$suser' and password='$shashpass'"; // SQL Query

    $conn->exec($sql);
} catch (PDOException $e) {
    // try block closed so the snippet parses
    echo $e->getMessage();
}

That's some of my code. How do I make it so that if suser and shashpass are correct it executes some code, and otherwise executes other code?

This won't work either:

<?php
try {
    $conn = new PDO("mysql:host=" . $GLOBALS['servername'] . ";dbname=" . $GLOBALS['dbname'], $GLOBALS['username'], $GLOBALS['password']);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // prepare on $conn (the original wrote $con, which is never defined)
    $query = $conn->prepare("SELECT * FROM us WHERE username=:user and password=:password");
    $query->bindParam(':user', $suser);
    $query->bindParam(':password', $shashpass);
    $query->execute();
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (!empty($result)) {
        // row found
    } else {
        // no row found
    }
} catch (PDOException $e) {
    // $sql is not defined in this version, so only the message is printed
    echo $e->getMessage();
}

Upvotes: 0

Views: 199

Answers (4)

Mike

Reputation: 24363

You don't pre-hash the password when verifying it. Instead you SELECT the password hash from that user (if it exists) and then use password_verify() to verify that it's correct based on the plain text password sent by the web form.

$stmt = $conn->prepare("SELECT password FROM us WHERE username=?");
$stmt->execute([$suser]);

if ($user = $stmt->fetch(PDO::FETCH_ASSOC)) {
    if (password_verify($plain_text_password, $user['password'])) {
        // Successful login
    }
    else {
        // Valid user, but invalid password
    }
}
else {
    // User doesn't exist
}

If you're not using password_hash() and password_verify(), You're Doing It Wrong™.

Upvotes: 3
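The pattern Mike describes, carried through end to end as an added example (this is not code from the question or from any of the answers): registration stores only a password_hash() result, login looks the user up by username alone with a prepared statement and checks the stored hash with password_verify(), and a dummy verify on the unknown-user path keeps both failure branches similar in cost. The table name "us" and the column names "username" and "password" are taken from the question; the in-memory SQLite DSN, the function names and the sample user are assumptions so that the script runs offline (it needs the pdo_sqlite extension). For MySQL only the DSN and credentials in connect() change.

```php
<?php
// Added example: secure login check with PDO prepared statements and
// password_hash()/password_verify(). Not the question's or any answer's code.
declare(strict_types=1);

// Hash verified on the unknown-user path so that path is not noticeably faster.
define('DUMMY_HASH', password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT));

function connect(): PDO
{
    // Assumption: in-memory SQLite for a self-contained run. A MySQL DSN would be
    // "mysql:host=localhost;dbname=myDB" plus a username and password.
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $conn->exec('CREATE TABLE us (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password TEXT NOT NULL)');
    return $conn;
}

// Registration: only the hash is stored, never the plain-text password.
function registerUser(PDO $conn, string $username, string $plainPassword): void
{
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('INSERT INTO us (username, password) VALUES (:user, :hash)');
    $stmt->execute([':user' => $username, ':hash' => $hash]);
}

// Login: select by username only, then compare with password_verify().
// Returns true only when the user exists and the password matches; both
// failure cases return the same false, so a failed attempt does not tell
// the caller whether the username exists.
function checkLogin(PDO $conn, string $username, string $plainPassword): bool
{
    $stmt = $conn->prepare('SELECT id, password FROM us WHERE username = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($plainPassword, DUMMY_HASH); // unknown user
        return false;
    }

    if (!password_verify($plainPassword, $row['password'])) {
        return false; // known user, wrong password
    }

    // Transparent upgrade if PASSWORD_DEFAULT has since become stronger.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $conn->prepare('UPDATE us SET password = :hash WHERE id = :id');
        $upd->execute([
            ':hash' => password_hash($plainPassword, PASSWORD_DEFAULT),
            ':id'   => $row['id'],
        ]);
    }
    return true;
}

// Constructed sample data for the offline run.
$conn = connect();
registerUser($conn, 'alice', 'correct horse battery staple');

var_dump(checkLogin($conn, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($conn, 'alice', 'wrong password'));
var_dump(checkLogin($conn, 'nobody', 'anything'));

// The question's query interpolated $suser and $shashpass into the SQL string.
// Here the values travel as bound parameters, so quote characters in a
// username are data rather than part of the query.
```

Two things this adds beyond the answer's snippet: the lookup never includes the password in the WHERE clause (the hash is salted, so an equality match on a freshly computed hash would never succeed anyway), and `password_needs_rehash()` lets stored hashes be upgraded the next time the user logs in, without a migration.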

Shiv

Reputation: 69

// Use the PDO code below

<?php
try {
    $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    echo "Connected successfully";
    $sql = "SELECT * FROM us WHERE username='$suser' and password='$shashpass'"; // SQL Query

    $conn->exec($sql);
} catch (PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
}
?>

Upvotes: 0

Arsh Multani

Reputation: 1591

You are using PDO in the wrong way; you need to use prepared statements in PDO to be secure from MySQL injection. Try the code below:

try {
    $conn = new PDO("mysql:host=" . $GLOBALS['servername'] . ";dbname=" . $GLOBALS['dbname'], $GLOBALS['username'], $GLOBALS['password']);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare on $conn (the original wrote $con, which is never defined)
    $query = $conn->prepare("SELECT * FROM us WHERE username=:user and password=:password");
    $query->bindParam(':user', $suser);
    $query->bindParam(':password', $shashpass);
    $query->execute();
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (!empty($result)) {
        // user is in database
    } else {
        // user is not there
    }
} catch (PDOException $e) {
    // try block closed so the snippet parses
    echo $e->getMessage();
}

Upvotes: 1

jrose

Reputation: 86

exec will return the number of affected rows, so:

$rows = $conn->exec($sql);

if($rows > 0){
    //suser and shashpass are correct
}else{
    //suser and shashpass are incorrect
}

Upvotes: 0
