CODEWITHSUNDEEP
phpmysqlpdo
user782104
user782104

Reputation: 13555

convert mysql to PDO statement

This is the login function written using MySQL way However, the problem exists when it convert into PDO way

MYSQL:

    <?
function confirmUser($username, $password){
   global $conn;
   if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
   }

   /* Verify that user is in database */
   $q = "select UserID,UserPW from user where UserID  = '$username'";
   $result = mysql_query($q,$conn);
   if(!$result || (mysql_numrows($result) < 1)){
      return 1; //Indicates username failure
   }

   /* Retrieve password from result, strip slashes */
   $dbarray = mysql_fetch_array($result);
   $dbarray['UserPW']  = stripslashes($dbarray['UserPW']);
   $password = stripslashes($password);

   /* Validate that password is correct */
   if($password == $dbarray['UserPW']){
      return 0; //Success! Username and password confirmed
   }
   else{
      return 2; //Indicates password failure
   }
}

PDO:

<?
function confirmUser($username, $password){
   global $conn;

   include("connection/conn.php");

   $sql = '
    SELECT   COALESCE(id,0) is_row
    FROM     user
    WHERE    UserID = ?
    LIMIT 1
';

$stmt = $conn->prepare($sql);
$stmt->execute(array('09185346d'));
$row = $stmt->fetch();

if ($row[0] > 0) {
       $sql = '
    SELECT   COALESCE(id,1) is_row
    FROM     user
    WHERE    UserPW = ?
    LIMIT 1
';
$stmt = $conn->prepare($sql);
$stmt->execute(array('asdasdsa'));
$row = $stmt->fetch();
    if ($row[0] > 0) 
    return 2;
    else
    return 0;
}
elseif ($row[0] = 0)
{return 1;}   



}

What is the problem ?? And is it necessary to include bind parameter in PDO??? THANKS

Upvotes: 1

Views: 748

Answers (1)

lll
lll

Reputation: 12889

Aside from your use of global and your include inside the function (you should investigate an alternative way of structuring your function not to do this), I would change the code as follows:

$sql =
    'SELECT  id
    FROM     user
    WHERE    UserID = ?
    AND      UserPW = ?
    LIMIT 1';

$stmt = $conn->prepare($sql);
$stmt->execute(array(
    '09185346d',
    'asdasdsa'
));

if ($stmt->rowCount() == 1) {
    return 0;
}
else {
    return 1;
}

Combing the queries to give a general Authentication error, instead of allowing people to trial valid usernames, and then valid passwords, and then using PDOStatements rowCount method do see if your row was returned.

To answer your second part, it is not necessary to specifically use bindParam to prevent SQL injection.

Here's a quick example of the difference between bindParam and bindValue

$param = 1;

$sql = 'SELECT id FROM myTable WHERE myValue = :param';
$stmt = $conn->prepare($sql);

Using bindParam

$stmt->bindParam(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '2'

Using bindValue

$stmt->bindValue(':param', $param);
$param = 2;
$stmt->execute();

SELECT id FROM myTable WHERE myValue = '1'

Upvotes: 1

Related Questions