
I'm using Slim for my framework, and whenever I test it on Postman the PHP can't read the parameters, but when I convert it to md5 the PHP can now read the request. What could be my problem? The server is sending me null. Here is my code.

DBOperations.php

// Method for user login (a method of the DbOperation class; $this->con is its mysqli connection)
function userLogin($userName, $userPassword)
{
    // Password is md5-hashed here and compared inside the query
    $password = md5($userPassword);
    $stmt = $this->con->prepare("SELECT userID FROM users WHERE userName = ? AND userPassword = ?");
    $stmt->bind_param("ss", $userName, $password);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

index.php

// user login route
$app->post('/login', function (Request $request, Response $response) {
    if (isTheseParametersAvailable(array('userName', 'userPassword'))) {
        $requestData = $request->getParsedBody();
        $userName = $requestData['userName'];
        $userPassword = $requestData['userPassword'];
        $password = md5($userPassword);

        $db = new DbOperation();

        $responseData = array();

        if ($db->userLogin($userName, $userPassword)) {
            $responseData['error'] = false;
            $responseData['username'] = $db->getByUserName($userName);
        } else {
            $responseData['error'] = true;
            $responseData['message'] = $password;
        }

        $response->getBody()->write(json_encode($responseData));
    }
});

When the password is md5'd:

{"error":true,"message":"d41d8cd98f00b204e9800998ecf8427e"}

When the password is not:

{"error":true,"message":null}
oakman
  • Don't use md5 for passwords. `d41d8cd98f00b204e9800998ecf8427e` is the md5 of null: https://3v4l.org/OubSD. Also, do you know you're md5ing it twice, both in the controller and in the model? – Lawrence Cherone Mar 12 '18 at 03:42
  • First, you should not use the password in the WHERE clause, because most of the time MySQL is not case sensitive (password hashes should be); also you should check it using an approved (cryptologically secure) comparison function. – ArtisticPhoenix Mar 12 '18 at 03:48
  • @LawrenceCherone - So it means I'm not getting any values at all? – oakman Mar 12 '18 at 03:52
  • Dump out `$requestData` to see what it contains. And enable error reporting. – Lawrence Cherone Mar 12 '18 at 03:55
  • `$requestData` contains NULL when I used var_dump. I can't see where I'm not getting any values. @LawrenceCherone – oakman Mar 12 '18 at 03:58
  • It depends on how you set up the request in Postman, see https://stackoverflow.com/questions/42198836/slim-3-getparsedbody-always-null-and-empty – Lawrence Cherone Mar 12 '18 at 03:59

1 Answer


You should do something like this

function userLogin($userName, $userPassword)
{
    // Look the user up by name only; the stored hash is compared in PHP below
    $stmt = $this->con->prepare("SELECT userID, password FROM users WHERE userName = ?");
    $stmt->bind_param("s", $userName);
    $stmt->execute();
    $stmt->store_result();

    $stmt->bind_result($userID, $password);
    $result = $stmt->fetch(); // true when a row was fetched, null when no such user
    $stmt->close();

    // Unknown user: there is no hash to check against, so never call password_verify() with null
    if ($result !== true) {
        return false;
    }

    // password_verify() does a constant-time comparison against a password_hash() value
    return password_verify($userPassword, $password);
}

I don't use Mysqli, so I hope I got that part right.

The important thing is that you should not use the password as part of the WHERE clause. There are several reasons for this:

  • You're relying on getting a result instead of checking the result against the input data. If there is a problem with your query it could allow logins when it shouldn't.
  • You're not checking the password using a secure method designed for doing it.

Etc.

You should use `password_hash` and `password_verify`.

ArtisticPhoenix
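The two threads on this page (the null parsed body from Postman, and the answer's "verify in PHP, not in the WHERE clause" advice) put together in one runnable script. This is an added example, not code from the question or the answer: it uses PDO with an in-memory SQLite table and a `parseBody()` stand-in for what Slim's `getParsedBody()` returns, so it runs stand-alone without a web server or MySQL; the user name, password, table layout and request bodies are constructed. It assumes PHP 8 (for `str_starts_with`) with the pdo_sqlite extension.

```php
<?php
// Added example, not from the original post or answer. Assumes PHP 8 + pdo_sqlite.
declare(strict_types=1);

// Constructed sample user store. Passwords are stored as password_hash() output,
// never as md5 or plaintext.
function buildSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, userName TEXT UNIQUE, userPassword TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (userName, userPassword) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Hash of a constructed dummy password, computed once. Verifying against it when the
// user does not exist makes "no such user" cost about as much as "wrong password",
// so response timing does not cheaply reveal which user names exist.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

// Returns the userID on success, null on failure. The password never goes into the
// WHERE clause: the row is selected by name and the hash is checked in PHP.
function userLogin(PDO $pdo, string $userName, string $userPassword): ?int
{
    $stmt = $pdo->prepare('SELECT userID, userPassword FROM users WHERE userName = ?');
    $stmt->execute([$userName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($userPassword, dummyHash()); // unknown user: burn the same work
        return null;
    }
    if (!password_verify($userPassword, $row['userPassword'])) {
        return null;
    }
    return (int) $row['userID'];
}

// Stand-in for Slim's $request->getParsedBody(): an array for JSON or form-encoded
// bodies whose Content-Type matches, null otherwise. A raw JSON body sent without
// the application/json header (the Postman symptom in the question) lands in the null case.
function parseBody(string $contentType, string $rawBody): ?array
{
    if (str_starts_with($contentType, 'application/json')) {
        $data = json_decode($rawBody, true);
        return is_array($data) ? $data : null;
    }
    if (str_starts_with($contentType, 'application/x-www-form-urlencoded')) {
        parse_str($rawBody, $data);
        return $data;
    }
    return null;
}

// Route body: reject a missing or incomplete body outright instead of hashing nulls.
function handleLogin(PDO $pdo, ?array $body): array
{
    if (!is_array($body) || !isset($body['userName'], $body['userPassword'])) {
        return ['status' => 400, 'error' => true, 'message' => 'userName and userPassword are required'];
    }
    $id = userLogin($pdo, (string) $body['userName'], (string) $body['userPassword']);
    if ($id === null) {
        return ['status' => 401, 'error' => true, 'message' => 'invalid credentials'];
    }
    return ['status' => 200, 'error' => false, 'userID' => $id];
}

$pdo = buildSampleDb();
// Constructed requests: JSON with the right header but a wrong password, the correct
// JSON sent as text/plain (parsed body is null, as in the question), and a correct
// form-encoded login.
$cases = [
    ['application/json', '{"userName":"alice","userPassword":"wrong"}'],
    ['text/plain', '{"userName":"alice","userPassword":"correct horse battery staple"}'],
    ['application/x-www-form-urlencoded', 'userName=alice&userPassword=correct+horse+battery+staple'],
];
foreach ($cases as [$contentType, $rawBody]) {
    echo json_encode(handleLogin($pdo, parseBody($contentType, $rawBody))), PHP_EOL;
}
```

Run it with `php login_example.php`: the first request is rejected with 401, the second with 400 because the body could not be parsed, and only the third logs in. Compared with the question's code, a null parsed body now produces a clear 400 instead of an md5 of nothing, and the stored hash is checked with `password_verify()` rather than being matched by the database's collation.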