// Opens the database connection and runs the login lookup. This excerpt ends
// before the try block is closed; the matching catch is not shown.
try {
    // NOTE: PHP's superglobal is $GLOBALS. $_GLOBALS is an ordinary variable, so
    // it must be defined and populated by code outside this excerpt.
    $conn = new PDO("mysql:host=" . $_GLOBALS['servername'] . ";dbname=". $_GLOBALS['dbname'], $_GLOBALS['username'], $_GLOBALS['password']);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // $suser and $shashpass are interpolated straight into the SQL text, so a
    // quote character in either value changes the query itself (SQL injection).
    // They should be bound as parameters of a prepared statement instead.
    $sql = "SELECT * FROM us WHERE username='$suser' and password='$shashpass'"; // SQL Query

   // exec() is meant for statements without a result set; it does not hand back
   // the rows of a SELECT, so nothing here can tell whether the user matched.
   $conn->exec($sql);

That's some of my code. How do I make it so that if suser and shashpass are correct it executes some code, else it executes other code?

This won't work either

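    <?php
// Login lookup using a prepared statement. Fixes from the posted version: the
// statement was prepared on $con (undefined) instead of $conn, and the catch
// echoed $sql, which this script never defines.
try
{
    // NOTE: PHP's superglobal is $GLOBALS; $_GLOBALS must be populated elsewhere.
    $conn = new PDO("mysql:host=" . $_GLOBALS['servername'] . ";dbname=". $_GLOBALS['dbname'], $_GLOBALS['username'], $_GLOBALS['password']);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The user-supplied values are bound as parameters, never interpolated into
    // the SQL text, so quotes in them cannot alter the query.
    // Comparing a pre-computed hash inside SQL only works for a deterministic
    // (unsalted) hash; password_hash()/password_verify() in PHP is the
    // recommended way to check a password.
    $query = $conn->prepare("SELECT * FROM us WHERE username=:user and password=:password");
    $query->bindParam(':user', $suser);
    $query->bindParam(':password', $shashpass);
    $query->execute();

    // fetch() returns false when no row matched.
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (!empty($result)) {
        // username and password matched a row
    } else {
        // no such user, or the password did not match
    }
}
catch(PDOException $e) {
    // Driver messages can expose host/schema details; in production log this
    // server-side and show the client a generic message instead.
    echo $e->getMessage();
}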
  • You are using `PDO` incorrectly, making it vulnerable to SQL injection – cmorrissey Nov 10 '15 at 21:46
  • How can I correct it? – Ch33ky Nov 10 '15 at 21:47
  • pdo prepared statements http://php.net/manual/en/pdo.prepared-statements.php – zod Nov 10 '15 at 21:50
  • try as hard as you can **not** to use `$_GLOBALS` , there are some limited cases for them but as much as possible there are better ways of programming PHP now. http://stackoverflow.com/questions/12445972/stop-using-global-in-php – Martin Nov 10 '15 at 21:56



You don't pre-hash the password when verifying it. Instead, you SELECT the password hash for that user (if it exists) and then use password_verify() to check it against the plain-text password sent by the web form.

// Look the user up by name only; the stored hash is checked in PHP, not in SQL,
// so the submitted password never reaches the query text.
$stmt = $conn->prepare("SELECT password FROM us WHERE username=?");
$stmt->execute([$suser]);

// fetch() yields false when no row matched the username.
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if (!$user) {
    // User doesn't exist
} elseif (password_verify($plain_text_password, $user['password'])) {
    // Successful login
} else {
    // Valid user, but invalid password
}

If you're not using password_hash() and password_verify(), You're Doing It Wrong™.

  • You're storing the passwords in plain text? If so, see http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919 – Mike Nov 10 '15 at 22:00
  • No, I'm storing it in md5; I'm going to switch it over to password_hash – Ch33ky Nov 11 '15 at 19:34

You are using PDO the wrong way; you need to use prepared statements in PDO to be protected from SQL injection. Try the code below:

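 // Login lookup with bound parameters. Fixes from the posted version: prepare()
 // was called on $con (undefined) instead of $conn, and the try block was never
 // closed, so the snippet did not parse.
 try {
    // NOTE: PHP's superglobal is $GLOBALS; $_GLOBALS must be populated elsewhere.
    $conn = new PDO("mysql:host=" . $_GLOBALS['servername'] . ";dbname=". $_GLOBALS['dbname'], $_GLOBALS['username'], $_GLOBALS['password']);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // The user-supplied values are bound as parameters; they never become part
    // of the SQL text, so quotes in them cannot change the query.
    $query = $conn->prepare("SELECT * FROM us WHERE username=:user and password=:password");
    $query->bindParam(':user', $suser);
    $query->bindParam(':password', $shashpass);
    $query->execute();

    // fetch() returns false when no row matched.
    $result = $query->fetch(PDO::FETCH_ASSOC);
    if (!empty($result)) {
        // user is in database
    } else {
        // user is not there
    }
 } catch (PDOException $e) {
    // Keep driver error details out of the HTTP response; record them
    // server-side instead.
    error_log($e->getMessage());
 }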

exec() will return the number of affected rows, so:

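// exec() is for statements that produce no result set; the PHP manual states it
// does not return results from a SELECT, so its return value is not a reliable
// "did a row match" signal. Run the lookup as a prepared statement (values bound,
// not interpolated) and check whether a row came back.
$stmt = $conn->prepare("SELECT * FROM us WHERE username=? and password=?");
$stmt->execute([$suser, $shashpass]);

// fetch() returns false when no row matched.
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row !== false) {
    //suser and shashpass are correct
} else {
    //suser and shashpass are incorrect
}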
// Use the PDO code below

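<?php
// Connects and checks the submitted credentials. Fix from the posted version:
// $suser and $shashpass were interpolated into the SQL string (SQL injection)
// and run through exec(), which does not return the rows of a SELECT.
try {
    // The DSN is built from configuration values, not from user input.
    $conn = new PDO("mysql:host=$servername;dbname=myDB", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    echo "Connected successfully";

    // Bind the form values as parameters so they can never change the query text.
    $stmt = $conn->prepare("SELECT * FROM us WHERE username=? and password=?");
    $stmt->execute([$suser, $shashpass]);

    // fetch() returns false when no row matched.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false) {
        // credentials matched a row
    } else {
        // no match
    }
}
catch(PDOException $e)
{
    // NOTE: the driver message can reveal host/schema details; in production
    // log it server-side and show the client a generic message instead.
    echo "Connection failed: " . $e->getMessage();
}
?>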