-2

I have a question about my code. The problem is that when i say echo $collumB than he shows the student_city. that is in my database but i want that it shows the decrypted password. It just shows the wrong data

(there is an another page where i encrypt the password but i need the decrypted password echo'ed

<html>
<head>
    <title>insert data in database using PDO(php data object)</title>
    <link rel="stylesheet" type="text/css" href="style-login.css">
</head>
<body>

    <div id="main">
        <h1>Login using PDO</h1>
    <div id="login">
        <h2>Login</h2>
        <hr/>
        <form action="" method="post">
            <label>Email :</label>
            <input type="email" name="stu_email" id="email" required="required" placeholder="john123@gmail.com"/><br/><br />
            <label>Password :</label>
            <input type="password" name="stu_ww" id="ww" required="required" placeholder="Please Enter Your Password"/><br/><br />
            <input type="submit" value=" Submit " name="submit"/><br />
        </form>
    </div>

    </div>

    <?php
    //require ("encrypt.php"); 
        if(isset($_POST["submit"])){
            $hostname='localhost';
            $username='root';
            $password='';
            $pdo = "college";
            $student_email = $_POST["stu_email"];
            $encrypt_key = "4ldetn43t4aed0ho10smhd1l";

            try {
                $dbh = new PDO("mysql:host=$hostname;dbname=college","root","$password");                   
                $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

                    // Query
                    $statement = $dbh->prepare("SELECT student_email, student_city, AES_DECRYPT(student_password, '$encrypt_key')
                        AS student_password FROM students WHERE student_email = :student_email ORDER BY student_email ASC");

                    // Assign and execute query
                    $statement->bindParam(':student_email', $student_email, PDO::PARAM_STR);
                        $statement->setFetchMode(PDO::FETCH_ASSOC);
                             $statement->execute();

                    // Get data
                        while($row = $statement->fetch()) {
                            echo "1 ,";                                
                            //$columnA_value = $row['student_city'];
                            $columnB_value = $row['student_password'];
                        }
                        echo "2 ,";
                        echo $columnB_value;
            }

                catch(PDOException $e)
                {
                    echo $e->getMessage();
                }

        }
    ?>
</body>
</html>
M. Schuurman
  • 49
  • 9
  • 2
    Seems that you have not stored encrypted password in database and that is very dangerous. If your database table gets hack by any hacker then he can get access to your website very easily. I will strongly recommend you that store your password by encrypting it with "md5" algorithm. Do check [this link](http://stackoverflow.com/questions/5089841/two-way-encryption-i-need-to-store-passwords-that-can-be-retrieved) how to encrypt/decrypt in php. – PHPExpert Feb 05 '16 at 09:47
  • @PHPExpert [MD5 is a really bad idea if used for passwords.](http://security.stackexchange.com/q/19906/45523) – Artjom B. Feb 06 '16 at 12:13
  • You should never encrypt your user's passwords. You need to use hashing instead with some strong ones being PBKDF2, bcrypt, scrypt and Argon2. Since hash functions are one-way function, you won't be able to "decrypt" the hashes. In order to authenticate your user, you can run the password through the hash function again in order to compare with the hash that is stored in the database. See more: [How to securely hash passwords?](http://security.stackexchange.com/q/211/45523) – Artjom B. Feb 06 '16 at 12:13

1 Answers1

0
SELECT student_email, student_city, CAST(AES_DECRYPT(student_password, '$encrypt_key') AS char(50)) AS student_password FROM students WHERE student_email = :student_email ORDER BY student_email ASC;

Try to explicitly cast it to string. You can change the '50' according to your requirement.

Also your echo is outside while loop, hence it will print only last record if there are more than 1 records.

undefined_variable
  • 6,180
  • 2
  • 22
  • 37