
I'm using this method to make a login web service:

function redeem() {
    if (isset($_POST["user"]) && isset($_POST["pass"]) && isset($_POST["computer"])) {
        $user = $_POST['user'];
        $pass = $_POST['pass'];
        $computer = $_POST['computer'];

        $galNumb = "SELECT COUNT(*) FROM Useres WHERE username = ? AND password = ?";
        $stmt = $this->db->prepare($galNumb);
        $stmt->bind_param('ss', $user, $pass);
        $gNumb = $stmt->execute();

        $result = array(
            "success" => "true",
        );
        $this->sendResponse(200, $gNumb);
        return true;
    }
    $this->sendResponse(400, 'Invalid request');
    return false;
}

The problem is that $gNumb always returns 1, even when the SQL table does not contain the username and password. Any idea what the problem could be?

YosiFZ
  • Why do you think it's a problem? `gNumb` is `TRUE` if the query is successful, `FALSE` if there's an error. A count of 0 is not an error. – Barmar Feb 12 '19 at 18:32
  • You need to use `fetch()` to fetch the row that contains the count. – Barmar Feb 12 '19 at 18:32
  • You should not be storing plain text passwords - have a read of [password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Feb 12 '19 at 18:34
  • What's the purpose of `$result`? You assign it but never use it. – Barmar Feb 12 '19 at 18:35
  • Like @NigelRen says, best is to use `password_hash()` and `password_verify()`; it also protects against timing attacks. Running `WHERE username = ? AND password = ?` in the SQL might be prone to timing attacks if the password column is also in a B-tree index, because the algorithm has a pretty much linear time complexity `O(log n)`; I was thinking it might be prone to timing attacks. So I did some tests altering the password hash length, and I noticed that the more the hash looked like the stored password hash, the longer MySQL needed to execute on most of the runs, so I think my statement might be very true. – Raymond Nijland Feb 12 '19 at 18:48
  • ... still, it would require hundreds of thousands of requests to get a good average between all the requests, to filter out and smooth out internet jitter, to get possible matches. So attacking, I think, will be pretty challenging for the script kiddies; not sure about the "hardcore" hackers/crackers. Better to be safe than sorry, right? – Raymond Nijland Feb 12 '19 at 19:01

1 Answer


You forgot to fetch results:

...
 $stmt->bind_param('ss', $user, $pass);
 if ($stmt->execute()) {
      // execute() only returns true/false (did the query run?);
      // bind the COUNT(*) column to $gNumb and fetch the single row
      $stmt->bind_result($gNumb);
      $stmt->fetch();
 } else {
      // query failed: treat as no matching user
      $gNumb = 0;
 }
...
Alex
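The following is an added example, not the question's code or the answer's. It keeps the shape of the original `redeem()` (POST fields `user`, `pass` and `computer`, a table named `Useres`, a `sendResponse()` helper) but applies both points raised in the thread: the query result is actually fetched with `bind_result()`/`fetch()` rather than read off `execute()`, and the `password` column holds `password_hash()` output that is checked with `password_verify()` in PHP instead of being compared inside the `WHERE` clause. The `LoginService` class, its `createUser()` method, the `sendResponse()` stand-in and the connection parameters in the usage comment are assumptions for illustration; `$db` is assumed to be a working `mysqli` connection.

```php
<?php
// Added example (not the original poster's or answerer's code).
// Assumed: a mysqli connection, a table `Useres` with columns `username` and
// `password` where `password` stores password_hash() output, and a minimal
// sendResponse() helper standing in for whatever the original class uses.

class LoginService
{
    private mysqli $db;

    public function __construct(mysqli $db)
    {
        // Throw on SQL errors instead of having prepare()/execute() return false.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->db = $db;
    }

    // Registration side: never store the plaintext, store the password_hash() value.
    public function createUser(string $user, string $pass): void
    {
        $hash = password_hash($pass, PASSWORD_DEFAULT);
        $stmt = $this->db->prepare('INSERT INTO Useres (username, password) VALUES (?, ?)');
        $stmt->bind_param('ss', $user, $hash);
        $stmt->execute();
        $stmt->close();
    }

    // Login side. Returns true only when the username exists and the password matches.
    public function redeem(): bool
    {
        if (!isset($_POST['user'], $_POST['pass'], $_POST['computer'])) {
            $this->sendResponse(400, 'Invalid request');
            return false;
        }
        $user = $_POST['user'];
        $pass = $_POST['pass'];

        // Look up by username only; the password is verified below, in PHP,
        // so the database never compares password material.
        $stmt = $this->db->prepare('SELECT password FROM Useres WHERE username = ? LIMIT 1');
        $stmt->bind_param('s', $user);
        $stmt->execute();                    // bool: did the query run? Not the row.
        $stmt->bind_result($storedHash);     // map the selected column to a variable
        $found = ($stmt->fetch() === true);  // fetch() returns null when no row matched
        $stmt->close();

        // Unknown user: still run password_verify() against a dummy hash so the
        // response takes about as long as for a known user and does not reveal
        // which usernames exist. The dummy hash is generated once per process.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
        }
        $verified = password_verify($pass, $found ? $storedHash : $dummyHash);

        if (!$found || !$verified) {
            // Same message for both failure cases.
            $this->sendResponse(401, 'Invalid username or password');
            return false;
        }
        $this->sendResponse(200, json_encode(['success' => true]));
        return true;
    }

    // Minimal stand-in for the original page's sendResponse() (assumed).
    private function sendResponse(int $status, string $body): void
    {
        http_response_code($status);
        echo $body;
    }
}

// Usage with assumed connection parameters:
// $svc = new LoginService(new mysqli('localhost', 'app', 'secret', 'appdb'));
// $svc->redeem();
```

Two things to note when adapting this: `mysqli_report()` with `MYSQLI_REPORT_STRICT` turns SQL failures into exceptions, so the `else { $gNumb = 0; }` branch from the answer is no longer reachable and a top-level handler should map the exception to a 500; and existing plaintext rows in `Useres` must be rehashed (for example, on each user's next successful login) before `password_verify()` will accept them.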