
I have to develop an administrative system at my work (we usually don't do that, but one client has a very specific need, so we skipped from WordPress to pure PHP, MySQL and HTML5). I'm using PHP and MySQL, but I can't get the stored functions on MySQL working in PHP; I tested it in phpMyAdmin and it works fine.

All I'm trying to do right now is a login webpage.

My code:

require 'connect.php';

// Run an arbitrary query on a fresh connection and return the mysqli result.
function query($query) {
    $connection = connect_db();

    $result = mysqli_query($connection,$query);

    return $result;
}

// Look up the user row whose email and password match the submitted values.
function validateUser($email, $password) {
    $connection = connect_db();
    $query = "SELECT email, password FROM usuario WHERE email =". $email ."AND password =" . $password ."";
    $result = mysqli_query($connection,$query);
    return $result;
}

// On success start a session and redirect; otherwise print an error.
function login($email, $password) {
    $validate = validateUser($email,$password);
    if($validate == 1) {
        session_start();

        //NOT IMPORTANT

        header('Location:http://www.google.com/');
    } else {
        echo 'error';
    }
}
  • You need to change this `email =". $email ."` to `email ='". $email ."'"`. Basically, they need to be in quotes. – Milan Chheda Aug 07 '17 at 14:28
  • @MilanChheda Turn the tide against teaching/propagating sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally a [more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – GrumpyCrouton Aug 07 '17 at 14:30
  • @joao [Little Bobby](http://bobby-tables.com/) says **[your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)**. Learn about [Prepared Statements](http://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string)** is not safe! – GrumpyCrouton Aug 07 '17 at 14:30
  • @joao If you need help learning how to use [PDO](http://php.net/manual/en/book.pdo.php) for safe and secure queries, then you can check out [this answer that I wrote](https://stackoverflow.com/a/45514591/5827005) that demonstrates a function that I wrote that makes [Prepared Statements](https://www.w3schools.com/php/php_mysql_prepared_statements.asp) **easy**, **clean**, and **secure**. – GrumpyCrouton Aug 07 '17 at 14:31
  • Thanks @GrumpyCrouton – Joao Aug 07 '17 at 14:34
  • I will check PDO – Joao Aug 07 '17 at 14:34
  • Mysqli can safely be used; you need to parameterize the queries. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php Also, are your passwords hashed or plain text? – chris85 Aug 07 '17 at 14:36
  • @chris85 appears to be plaintext as a literal string check is used. And my 2nd comment says MySQLi can be used ^.^ - my 3rd comment just links to a function I made that makes PDO really really easy (not that it wasn't already easier than mysqli) – GrumpyCrouton Aug 07 '17 at 14:37
  • @chris85 at first I'm using plaintext passwords only for testing purposes – Joao Aug 07 '17 at 14:45
  • Note that your `Location` header should be followed by an `exit()`, otherwise it could suffer from a race condition; the `header()` itself does not terminate the script. – halfer Aug 07 '17 at 17:19
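The advice in the comments above (bind the values instead of concatenating them, hash the passwords, terminate after the redirect) applied to the login from the question, as an added example that is not the asker's code. It assumes `connect_db()` from `connect.php` returns a `mysqli` handle and that the `password` column of `usuario` holds `password_hash()` output rather than plaintext.

```php
<?php
// Added example, not the original code from the question.
// Assumes connect_db() (from connect.php) returns a mysqli handle and that
// usuario.password stores a password_hash() result, never the plaintext.
require 'connect.php';

// Throw on SQL errors instead of silently returning false from the query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// True only when an account with this email exists and the password matches
// its stored hash. Email is bound as a parameter, so the value can never
// change the SQL text, whatever characters it contains.
function validateUser(mysqli $connection, string $email, string $password): bool {
    $stmt = $connection->prepare('SELECT password FROM usuario WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false;           // unknown email: same outcome as a wrong password
    }
    return password_verify($password, (string) $storedHash);
}

function login(string $email, string $password): void {
    $connection = connect_db();
    if (!validateUser($connection, $email, $password)) {
        echo 'error';           // one generic message for both failure causes
        return;
    }
    session_start();
    session_regenerate_id(true); // fresh session id after login (fixation defence)
    $_SESSION['email'] = $email;
    header('Location: http://www.google.com/');
    exit;                        // header() does not stop the script; nothing below may run
}

// Store a password at registration or reset: keep only the hash.
function storePassword(mysqli $connection, string $email, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $connection->prepare('UPDATE usuario SET password = ? WHERE email = ?');
    $stmt->bind_param('ss', $hash, $email);
    $stmt->execute();
    $stmt->close();
}
```

With `MYSQLI_REPORT_STRICT` a malformed query raises a `mysqli_sql_exception` instead of returning `false`, which is what made the original `$validate == 1` check fail silently.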

0 Answers