0

I'm trying to secure my database from SQL-injections and I can't seem to make this statement to work. I've done this a few times already and those attempts work but not this one.

$stmt = $db->prepare("SELECT name, pass, email FROM users WHERE salt=?");

$stmt->bind_param("s", $salt); 
$stmt->execute(); 
$stmt->bind_result($stuff1,$stuff2,$stuff3);
$stmt->store_result();
while ( $stmt->fetch() ) {
  var_dump($stuff1." - ".$stuff2." - ".$stuff3."<br />");
  }
$stmt->free_result();
$stmt->close();

I've managed to get that it works all the way to execute by placing var_dumps but I don't get why the results/fetch don't work. Is there a simple explanation to what I've missed?

EDIT: What I'm expecting is to retrieve name, pass and email from my table but instead I just get NULL.

  • 3
    Welcome to Stack Overflow! Can you elaborate on how your code "doesn't work"? What were you expecting, and what actually happened? If you got an exception/error, post the line it occurred on and the exception/error details. Please [edit] these details in or we may not be able to help. – Blue Jan 26 '18 at 18:54
  • 1
    **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 26 '18 at 18:55
  • error reporting and `mysqli_error($db)` are a good start. – Funk Forty Niner Jan 26 '18 at 18:56
  • 1
    your methods are out of order. – Funk Forty Niner Jan 26 '18 at 18:58
  • 1
    @IncredibleHat it's valid, just not in the right spot, as is some of their other methods. – Funk Forty Niner Jan 26 '18 at 18:59
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords with a weak, high-speed hash like SHA1 or MD5**. – tadman Jan 26 '18 at 19:09

1 Answers1

2

Try this:

if($stmt = $db->prepare("SELECT name, pass, email FROM users WHERE salt=?")) {
    $stmt->bind_param("s", $salt); 
    $stmt->execute(); 
    $stmt->bind_result($name, $pass, $email);
    while ($stmt->fetch()) {
        echo "{$name} - {$pass} - {$email}<br>";
    }
    $stmt->close();
} else {
    print_r($db->errorInfo()); 
}

Key changes are checking if $stmt is set before any parameters do anything. You also don't need store_result() or free_result(). Also, I added an else statement that should display an error if $stmt was not able to be set.

Note: You should use PHP's built-in functions (password_hash() and password_verify()) to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

GrumpyCrouton
  • 8,486
  • 7
  • 32
  • 71
  • Selecting by salt is an extremely concerning thing to be doing in the first place. – tadman Jan 26 '18 at 19:08
  • @tadman Yes it is. I've put a notice to not store plain text passwords, I assume if the OP fixed that it would fix searching by salt by proxy. – GrumpyCrouton Jan 26 '18 at 19:10
  • A salt is necessary, but saving it in a separate column is a technique that faded out in the 1990s. The Bcrypt format embeds the salt in the final hash. I don't think these passwords are plain-text, but they seem to be badly implemented. – tadman Jan 26 '18 at 19:13
  • @tadman Right, so storing the passwords using `password_hash()` as I mentioned in my answer would inevitably force OP to stop searching by salt because it would no longer be being used. – GrumpyCrouton Jan 26 '18 at 19:14
  • I think that's a good idea to use `password_hash`, absolutely, but I don't think they're plain-text, that's all. – tadman Jan 26 '18 at 19:16
  • 1
    @tadman I removed that part from my answer :) – GrumpyCrouton Jan 26 '18 at 19:17