
I can't get the value of a variable inside a while loop. Here's my code:

    function checkLogin($username, $password) {
        global $dbh;
        global $queryPassword;

        // User input is interpolated straight into the SQL string (see the comments below).
        $query2 = $dbh->query("SELECT * FROM employee_accounts WHERE username='$username' AND `password`='$password'; ");
        $query2->setFetchMode(PDO::FETCH_ASSOC);

        // The loop body only runs if the query actually returned a row.
        while ($row = $query2->fetch()) {
            $queryUsername = $row['username'];
            $queryPassword = $row['password'];
        }

        if (password_verify($password, $queryPassword)) {
            echo '<script>alert("Success ");
            window.location="../../index.php";</script>';
        } else {
            echo '<script>alert("fail ");
            window.location="../../index.php?v='.$queryPassword.'";</script>';
        }
    }

When I put the $queryPassword in the URL, the value is empty. Your suggestions and solutions will be very helpful. Thank you.

krb.js
  • [You need to prevent SQL Injection!](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Add error reporting to the top of your file(s) right after your opening ` – Jay Blanchard Mar 16 '15 at 18:53
  • Is the stored password hashed or plain text? Hard to tell due to the confusion in what you're doing with it. – developerwjk Mar 16 '15 at 18:59
  • The stored password is hashed. @developerwjk – krb.js Mar 16 '15 at 19:00
  • I agree with @JayBlanchard; in addition to needing to prepare your statement to avoid SQL injection, it also appears you are calling JavaScript eval() on the response, which is also dangerous. Answering this question would be irresponsible unless you re-engineer for security and restate. –  Mar 16 '15 at 19:03
  • ^ Also trying to redirect with the password in a parameter like `?v=password` is a bad idea. You might want to use a param like `?error=true` to tell there was an authentication error, but certainly not to put the password there. – developerwjk Mar 16 '15 at 19:05
  • Yeah, I know that. But I just put it there to see if the variable $queryPassword has a value. @developerwjk – krb.js Mar 16 '15 at 19:09
  • use var_dump() if you want to check a variable's content. – Gokigooooks Mar 16 '15 at 19:14
  • I used var_dump and the return is null. – krb.js Mar 16 '15 at 19:20

1 Answer


Don't use global for your password! That can cause problems with maintaining. Change it to another type like private, or protected.

And also change your query to something more secure, like this:

    // Placeholders keep the user input out of the SQL text itself.
    $stmt = $dbh->prepare("SELECT * FROM employee_accounts WHERE username= :user AND `password`= :pass; ");
    $stmt->execute(array(':user' => $username, ':pass' => $password));
    // The fetch mode belongs on the prepared statement, not on the old $query2.
    $stmt->setFetchMode(PDO::FETCH_ASSOC);

This way the user inputs are escaped.

Gokigooooks
  • Still only a partial answer. The password is stored hashed, but this will be querying as if its stored in plain text. You need to run `password_hash()` on the password before doing this query. – developerwjk Mar 16 '15 at 19:10
  • Also this doesn't address the problem of how usernames should be unique in a table with a `unique` constraint, meaning there should be no need for a `while` loop but instead an `if` statement. – developerwjk Mar 16 '15 at 19:11
  • And it doesn't touch the issue of trying to redirect in Javascript when it ought to be done in PHP. – developerwjk Mar 16 '15 at 19:12
  • Yeah, I missed all those because of focusing on the question. Please revise my answer appropriately to your perspective. – Gokigooooks Mar 16 '15 at 19:13
  • Still doesn't work. I just want to get the value of the variable $queryPassword inside the while-loop. – krb.js Mar 16 '15 at 19:16
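The root cause of the empty variable is that the stored password is a `password_hash()` value, so a query that also matches on the submitted password returns no rows and the loop body never runs. The following is an added example (not the asker's or the answerer's code) that looks the account up by username only, verifies the hash in PHP, and redirects server-side; it assumes a PDO handle `$dbh` and an `employee_accounts` table with a unique `username` column and a `password` column holding the hash.

```php
<?php
// Added example, not code from the question or the answer above.
// Assumes: $dbh is a connected PDO instance, and employee_accounts has
// columns `username` (unique) and `password` holding a password_hash() value.
function checkLogin(PDO $dbh, string $username, string $password): bool
{
    // Look the account up by username only: a password_hash() value is salted,
    // so the submitted password can never be matched inside the SQL query.
    $stmt = $dbh->prepare(
        'SELECT username, `password` FROM employee_accounts WHERE username = :user'
    );
    $stmt->execute([':user' => $username]);

    // username is unique, so at most one row comes back: no while loop needed.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: return the same generic result as a wrong password.
        return false;
    }

    // Compare the plain-text submission against the stored hash.
    return password_verify($password, $row['password']);
}

// Redirect server-side instead of echoing JavaScript; never put the
// password (or its hash) in the URL.
function handleLogin(PDO $dbh, string $username, string $password): void
{
    if (checkLogin($dbh, $username, $password)) {
        header('Location: ../../index.php');
    } else {
        header('Location: ../../index.php?error=1');
    }
    exit;
}

// Self-contained demo with an in-memory SQLite database (constructed sample data).
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE employee_accounts (username TEXT UNIQUE, password TEXT)');
$ins = $dbh->prepare('INSERT INTO employee_accounts VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(checkLogin($dbh, 'alice', 'correct horse'));
var_dump(checkLogin($dbh, 'alice', 'wrong'));
var_dump(checkLogin($dbh, "x' OR '1'='1", 'anything')); // the quote is just data here
```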