
I have a JSON POST request being sent to index.php as part of a login application for a mobile device. I'm using an old script so I believe the problem is deprecated syntax with the PHP, as my response JSON is coming back empty. The $user below isn't doing anything as I'm just debugging.

index.php

if (isset($_POST['tag']) && $_POST['tag'] != '') {

// get tag
$tag = $_POST['tag'];

// include db handler
require_once 'include/DB_Functions.php';
$db = new DB_Functions();

// response Array
//$response = array('tag' => $tag, 'error' => FALSE);

// check for tag type
if ($tag == 'login') {

    $id = $_POST['id'];
    $password = $_POST['password'];
    $user_type = $POST['user'];


// test data
    $response = array('tag' => $tag, 'error' => FALSE, 'b' => 2, 'c' => 3, 'd' => 4, 'e' => 5);

    // check for user
    $user = $db->getUserByIdAndPassword($user_type, $id, $password);
        echo json_encode($response);
    }
} else {
    $response["error"] = TRUE;
    $response["error_msg"] = "Required parameter 'tag' is missing!";
    echo json_encode($response);
}

The query is run in this class, which is where I suspect I'm going wrong.

DB_Functions.php

class DB_Functions {

private $db;

// constructor
function __construct() {
    require_once 'DB_Connect.php';
    // connecting to database
    $this->db = new DB_Connect();
    $this->db->connect();

// destructor
function __destruct() {

}


/**
 * Get user by id and password
 */
public function getUserByIdAndPassword($user_type, $id, $password) {
    $t = 'T';
    if ($user_type !== $t) {
        $result = mysqli_query("SELECT * FROM smiths WHERE id = '$id'") or die(mysqli_error());
    } else {
        $result = mysqli_query("SELECT * FROM traders WHERE id = '$id'") or die(mysqli_error());
    }
    // check for result 
    $no_of_rows = mysqli_num_rows($result);
    if ($no_of_rows > 0) {
        $result = mysqli_fetch_array($result);
        $retrieved_password = $result['password'];
        // check for password equality
        if ($retrieved_password == $password) {
            return $result;
        }
    } else {
        // user not found
        return false;
    }
}

}

And finally this class manages the MySQL connection, I think I need the $con from here for the previous mysqli_query? I'm not sure how to call it.

DB_Connect.php

class DB_Connect {

// constructor
function __construct() {

}

// destructor
function __destruct() {
    // $this->close();
}

// Connecting to database
public function connect() {
    require_once 'include/Config.php';
    // connecting to mysql
    $con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD);
    // Check connection
    if (!$con)
      {
        die("Connection error: " . mysqli_connect_error());
      }
    // selecting database
    mysqli_select_db($con, DB_DATABASE) or die(mysqli_connect_error());

    // return database handler
    return $con;
}

// Closing database connection
public function close() {
    mysqli_close();
}

}

Could anyone help set me in the right direction? The JSON response is coming back with the error;

W/System.err: org.json.JSONException: End of input at character 0

[EDIT]

Alright so I have taken the following lines from DB_Connect.php and put them into the method in DB_Functions.php.

$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysqli_select_db($con, DB_DATABASE) or die(mysqli_connect_error());

This then allows me to fix the syntax of mysqli_query as so;

$result = mysqli_query($con, "SELECT * FROM smiths WHERE id = '$id'") or die(mysqli_error($con));

This has fixed my issue, however hacky/messy it may seem.

DarkMalice
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 14 '17 at 18:20
  • `if ($retrieved_password == $password) {` - If the password is wrong, `index.php` doesn't return/echo anything at all (And as @AlexHowansky wrote- You will probably get your website hacked some day with your current implementation) – Alon Eitan Apr 14 '17 at 18:23
  • And your code implies that you don't encrypt the password in your DB. This is **very dangerous**! Read about [password_hash()](http://php.net/manual/en/function.password-hash.php) and encrypt them in case your database leaks – Alon Eitan Apr 14 '17 at 18:32
  • Thanks, I do know about hashing etc, this is just a basic script to work out why my JSON is not working. – DarkMalice Apr 14 '17 at 18:33
  • @DarkMalice `if ($tag != 'login') {` then you do `$response["error"] = TRUE; ...` but you don't declare it first as an array so you should first add `$response = array()` – Alon Eitan Apr 14 '17 at 18:40
  • what do you get when you do echo $user? – unixmiah Apr 14 '17 at 18:55
  • you wrote $user_type = $POST['user']; while the correct syntax is $_POST (like the other variables you used) – valepu Apr 14 '17 at 20:39

1 Answer

I have taken the following lines from DB_Connect.php and put them into the method 'getUserByIdAndPassword' in DB_Functions.php.

$con = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD);
mysqli_select_db($con, DB_DATABASE) or die(mysqli_connect_error());

This then allows me to fix the syntax of mysqli_query as so;

$result = mysqli_query($con, "SELECT * FROM smiths WHERE id = '$id'") or die(mysqli_error($con));

And this, kids, is why you don't use deprecated code like some Frankenstein madman.

DarkMalice
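
The login lookup with the points raised in the comments applied (bound parameters, `password_hash()`/`password_verify()`, and a JSON body on every path), as an added example that is not the poster's code. It assumes PDO with an in-memory SQLite database as a stand-in for the MySQL server; the sample rows and requests are constructed, and `handleLogin` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumption: an in-memory SQLite
// database via PDO stands in for the MySQL server so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: passwords are stored as password_hash() output.
foreach (['smiths', 'traders'] as $table) {
    $pdo->exec("CREATE TABLE $table (id TEXT PRIMARY KEY, password TEXT)");
}
$pdo->prepare('INSERT INTO smiths (id, password) VALUES (?, ?)')
    ->execute(['s1', password_hash('correct horse', PASSWORD_DEFAULT)]);

function getUserByIdAndPassword(PDO $pdo, $userType, $id, $password)
{
    // A table name cannot be a bound parameter, so it is picked from a
    // fixed pair and never copied from the request.
    $table = ($userType === 'T') ? 'traders' : 'smiths';
    $stmt = $pdo->prepare("SELECT id, password FROM $table WHERE id = ?");
    $stmt->execute([$id]);           // $id travels as data, not as SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                // same result for unknown id and bad password
    }
    unset($row['password']);         // never hand the hash back to the client
    return $row;
}

function handleLogin(PDO $pdo, array $post)
{
    $tag = $post['tag'] ?? '';
    if ($tag !== 'login') {
        return ['error' => true, 'error_msg' => "Missing or unsupported 'tag'"];
    }
    $user = getUserByIdAndPassword($pdo, $post['user'] ?? '', $post['id'] ?? '', $post['password'] ?? '');
    if ($user === false) {
        return ['tag' => $tag, 'error' => true, 'error_msg' => 'Incorrect id or password'];
    }
    return ['tag' => $tag, 'error' => false, 'user' => $user];
}

// Constructed requests: valid login, wrong password, id containing a quote.
foreach ([
    ['tag' => 'login', 'user' => 'S', 'id' => 's1', 'password' => 'correct horse'],
    ['tag' => 'login', 'user' => 'S', 'id' => 's1', 'password' => 'wrong'],
    ['tag' => 'login', 'user' => 'S', 'id' => "o'brien", 'password' => 'x'],
] as $post) {
    echo json_encode(handleLogin($pdo, $post)), PHP_EOL;
}
```

Every branch returns an array that is encoded once, so the client never receives the empty body behind `End of input at character 0`.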