
I'm trying to practice PDO. Reading some guides, but I don't know what error this is. Any help would be greatly appreciated.

config.php

<?php
try {
    // DSN fields are separated by ';' (host;dbname;charset)
    $db = new PDO(
        'mysql:host=localhost;dbname=phpdb;charset=utf8mb4',
        'root',
        'Asdqwe123',
        // Make PDO throw on errors so prepare()/execute() failures reach the catch block
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    // No "if (!$db)" check is needed: new PDO() throws a PDOException on failure
} catch (PDOException $e) {
    die('Connect from database error: ' . $e->getMessage());
}
?>

login.php

<?php
require 'config.php';

if (isset($_POST['submit'])) {
    try {
        $username = $_POST['username'];
        $password = $_POST['pass'];

        // Placeholders keep the user input out of the SQL text
        $stmt = $db->prepare("SELECT * FROM login WHERE user = ? AND pass = ?");
        $stmt->execute(array($username, $password));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // fetch() returns false when no row matched; test for that, not for "> 0"
        if ($row !== false) {
            echo "Success";
        } else {
            // Headers must go out before any output; the Refresh header uses ';' before url=
            header('Refresh: 1; url=index.php');
            echo "Wrong password or Username";
        }
    } catch (PDOException $e) {
        // Show the message instead of silently discarding it
        echo $e->getMessage();
    }
}
?>

UPDATED: Thank you! It's all working now. The DSN was incorrect.

mrgx
  • Why not just do `$count = count($result);`? – GrumpyCrouton Nov 22 '17 at 15:43
  • Why are you using prepared statements and then not using prepared statement functionality? You're still **wide** open to SQL injection. – John Conde Nov 22 '17 at 15:44
  • **Never store plain text passwords!** Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so _changes_ the password and causes unnecessary additional coding. – GrumpyCrouton Nov 22 '17 at 15:44
  • [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a class for](https://github.com/GrumpyCrouton/GrumpyPDO) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](https://phpdelusions.net/pdo/mysqli_comparison) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Nov 22 '17 at 15:45
  • this is a simple solution; see what's *extra*. – Funk Forty Niner Nov 22 '17 at 15:45
  • PDO DSN is __incorrect__ – u_mulder Nov 22 '17 at 15:45
  • @u_mulder on top of what's "extra" ;-) someone missed something. – Funk Forty Niner Nov 22 '17 at 15:53
  • Also, the result of the `fetch` method with `FETCH_ASSOC` type will never have a `rowCount()` method. – u_mulder Nov 22 '17 at 15:59

1 Answer


I think your issue is the connection string. `localhost, dbname` should be `localhost; dbname`

CptMisery
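The comments above raise two points beyond the DSN fix in the answer: the query should keep using placeholders (it does), and the `pass` column should hold a `password_hash()` value rather than clear text, checked with `password_verify()`. The following is an added example, not code from the question or the answer, of a login check that does both and tests `fetch()` against `false`. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database so it runs stand-alone; the table layout (`login(user, pass_hash)`), the sample account and the sample inputs are constructed for the demo. With MySQL the DSN would be the one from the question, `mysql:host=localhost;dbname=phpdb;charset=utf8mb4`, with fields separated by `;`.

```php
<?php
// Added example (not the question's or answer's code): placeholder query,
// hashed password storage, password_verify() on login, fetch() checked for false.

function connect(): PDO {
    // In-memory SQLite stands in for the MySQL DSN from the question
    $db = new PDO('sqlite::memory:');
    // Throw on every error so nothing fails silently inside try/catch
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    return $db;
}

// Store only a hash; the clear-text password is never written to the table
function registerUser(PDO $db, string $user, string $pass): void {
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO login (user, pass_hash) VALUES (?, ?)');
    $stmt->execute([$user, $hash]);
}

// Look the user up by name only, then let password_verify() compare the hash.
// A salted hash cannot be matched in the WHERE clause, so the password leaves the query.
function authenticate(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT pass_hash FROM login WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch();          // false when no row matched
    if ($row === false) {
        // Verify against a throwaway hash so an unknown user costs about as much
        // time as a wrong password (computed once per process)
        static $dummy = null;
        $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
        password_verify($pass, $dummy);
        return false;
    }
    return password_verify($pass, $row['pass_hash']);
}

$db = connect();
$db->exec('CREATE TABLE login (id INTEGER PRIMARY KEY, user TEXT UNIQUE NOT NULL, pass_hash TEXT NOT NULL)');
registerUser($db, 'alice', 'correct horse battery staple');   // constructed sample account

// Constructed inputs standing in for $_POST['username'] / $_POST['pass']
$checks = [
    ['alice', 'correct horse battery staple'],   // right password            -> Success
    ['alice', 'wrong'],                           // wrong password            -> rejected
    ["alice' OR '1'='1", 'anything'],             // quote in the name is data -> rejected
    ['nobody', 'anything'],                       // unknown user              -> rejected
];
foreach ($checks as [$u, $p]) {
    printf("%-20s %s\n", $u, authenticate($db, $u, $p) ? 'Success' : 'Wrong password or username');
}
```

In the real `login.php` the `authenticate()` result replaces the `$row !== false` test, and the `header('Refresh: 1; url=index.php')` call on the failure path still has to come before any `echo`. Note that the third input is rejected by the database lookup alone: with a placeholder, the quote characters are part of the user name value and never part of the SQL.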