
I'm making a login/register PDO PHP script, and I'm wondering if I can get any help with transferring it to prepared statements.

I've already tried to make the prepared statements but have had a lot of issues. I am new to PDO and PHP, so if I can get some help it would be nice.

<?php

require_once 'connection.php';

session_start();

if(isset($_SESSION["user_login"]))  //already logged-in users are sent back to index.php
{
    header("location: index.php");
    exit;                           //header() alone does not stop the script, so halt here
}

$errorMsg = [];                     //collect validation errors; initialised so the empty() checks below are reliable

// REGISTER
if(isset($_REQUEST['btn_register'])) //button name "btn_register"
{
    $username   = strip_tags($_REQUEST['txt_username'] ?? '');  //textbox name "txt_username"
    $email      = strip_tags($_REQUEST['txt_email'] ?? '');     //textbox name "txt_email"
    $password   = $_REQUEST['txt_password'] ?? '';              //textbox name "txt_password"; not altered, so the hash covers exactly what the user typed
    $ip_address = $_SERVER['REMOTE_ADDR'];
    if(empty($username)){
        $errorMsg[]="Please enter username";    //check username textbox not empty
    }
    else if(empty($email)){
        $errorMsg[]="Please enter email";   //check email textbox not empty
    }
    else if(!filter_var($email, FILTER_VALIDATE_EMAIL)){
        $errorMsg[]="Please enter a valid email address";   //check proper email format
    }
    else if(empty($password)){
        $errorMsg[]="Please enter password";    //check password textbox not empty
    }
    else if(strlen($password) < 6){
        $errorMsg[] = "Password must be at least 6 characters";  //check password is at least 6 characters
    }
    else
    {
        try
        {
            $select_stmt=$db->prepare("SELECT username, email FROM customers
                                        WHERE username=:uname OR email=:uemail"); //sql select query; values are bound, never concatenated into the SQL

            $select_stmt->execute(array(':uname'=>$username, ':uemail'=>$email)); //execute query
            $row=$select_stmt->fetch(PDO::FETCH_ASSOC);                           //false when no row matched

            if($row !== false && $row["username"] == $username){
                $errorMsg[]="Sorry username already exists";    //check condition username already exists
            }
            else if($row !== false && $row["email"] == $email){
                $errorMsg[]="Sorry email already exists";   //check condition email already exists
            }
            else if(empty($errorMsg)) //no errors so far, continue
            {
                $new_password = password_hash($password, PASSWORD_DEFAULT); //hash password using password_hash()

                $insert_stmt=$db->prepare("INSERT INTO customers (username,email,password) VALUES
                                           (:uname,:uemail,:upassword)");      //sql insert query

                if($insert_stmt->execute(array( ':uname'    =>$username,
                                                ':uemail'   =>$email,
                                                ':upassword'=>$new_password))){

                    $registerMsg="Register Successful..... Please Click On Login Account Link"; //execute query success message
                }
            }
        }
        catch(PDOException $e)
        {
            error_log($e->getMessage());                        //log the driver error instead of showing SQL details to the browser
            $errorMsg[]="Registration failed, please try again";
        }
    }
}

// LOGIN
if(isset($_REQUEST['btn_login']))   //button name is "btn_login"
{
    $login      =strip_tags($_REQUEST["txt_username_email"] ?? '');  //textbox name "txt_username_email"; holds either a username or an email
    $password   =$_REQUEST["txt_password"] ?? '';                    //textbox name "txt_password"

    if(empty($login)){
        $errorMsg[]="please enter username or email";   //check "username/email" textbox not empty
    }
    else if(empty($password)){
        $errorMsg[]="please enter password";    //check "password" textbox not empty
    }
    else
    {
        try
        {
            $select_stmt=$db->prepare("SELECT * FROM customers WHERE username=:uname OR email=:uemail"); //sql select query
            $select_stmt->execute(array(':uname'=>$login, ':uemail'=>$login));   //execute query with bound parameters
            $row=$select_stmt->fetch(PDO::FETCH_ASSOC);                          //false when no row matched

            if($row !== false)    //a matching row was found; rowCount() is not reliable for SELECT on every driver
            {
                if(password_verify($password, $row["password"])) //compare the typed password with the stored hash using password_verify()
                {
                    session_regenerate_id(true);            //fresh session id at login, so a pre-login id cannot be reused
                    $_SESSION["user_name"] = $row["username"];
                    $_SESSION["user_login"] = $row["id"];   //session name is "user_login"
                    $loginMsg = "Successful Login...";      //user login success message
                    header("refresh:2; url=index.php");     //refresh after 2 seconds and redirect to the "index.php" page
                }
                else
                {
                    $errorMsg[]="Wrong password";
                }
            }
            else
            {
                $errorMsg[]="Wrong username or email";
            }
        }
        catch(PDOException $e)
        {
            error_log($e->getMessage());                        //the original discarded the message; log it so the failure is visible
            $errorMsg[]="Login failed, please try again";
        }
    }
}
?>

I would love to get the code to fully prevent SQL injection, because I'm new and I think there is some SQL injection possible in the code.

S. Osher
  • _I've already tried to make the prepared statements but has a lot of issues_. Which issues are we talking about **specifically**? – Kevin Aug 08 '19 at 04:01
  • I am very bad at making the prepared statements, as I said I'm a bit new, and what I did is look on Google and try switching functions, but it gave me some kind of errors, and I have been working on it for like 2/3 hours. The code is from Google and I just migrated things into the code. I would love to get support. – S. Osher Aug 08 '19 at 04:10
  • It's not about how new you are to prepared statements. What I'm referring to is the specific error that you're having. What errors? You need to say what errors you're having, again **specifically**. Look at the answer below: it's incorrect and he's guessing, because he doesn't have any specific standpoint to start with – Kevin Aug 08 '19 at 04:37
  • Maybe you should read this first: https://stackoverflow.com/questions/3726505/how-to-squeeze-error-message-out-of-pdo – Kevin Aug 08 '19 at 04:39

1 Answer

In the above fashion, you need to bind the parameters one by one, like below:

// for select statement
$select_stmt = $db->prepare("SELECT username, email FROM customers
                        WHERE username=:uname OR email=:email");
// I assume $username and $email both hold some value
$select_stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$select_stmt->bindParam(':email', $email, PDO::PARAM_STR);
$select_stmt->execute();

// for insert statement
$insert_stmt = $db->prepare("INSERT INTO customers (username,email,password)
                            VALUES (:uname,:uemail,:upassword)");
// bind parameters likewise; I assume $username, $email and $new_password hold some value
// (the bound name must match the placeholder in the SQL, so :uemail here, not :email)
$insert_stmt->bindParam(':uname', $username, PDO::PARAM_STR);
$insert_stmt->bindParam(':uemail', $email, PDO::PARAM_STR);
$insert_stmt->bindParam(':upassword', $new_password, PDO::PARAM_STR);
$insert_stmt->execute();

If you would like to pass them in an array, then you have to do it like the following:

$select_stmt = $db->prepare("SELECT username, email FROM customers  
                        WHERE username=? OR email=?");
$select_stmt->execute([$username, $email]);
Dharman
Veshraj Joshi
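As an added example (not the asker's script nor the answer's code), the register and login steps from the question written with both binding styles the answer shows, named placeholders and positional ones, runnable on its own. It assumes the pdo_sqlite extension so it can use an in-memory database; the real script would use the MySQL DSN from connection.php.

```php
<?php
// Added example (not the asker's script nor the answer's code): a self-contained
// register/login flow using PDO prepared statements. It assumes the pdo_sqlite
// extension so it can run against an in-memory database; in the real script the
// DSN would be the MySQL one from connection.php.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // surface SQL errors as exceptions
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT UNIQUE, password TEXT)');

// Named placeholders bound through execute(): the values travel separately from
// the SQL text, so no value can change the query's structure.
function registerUser(PDO $db, string $username, string $email, string $password): bool
{
    $check = $db->prepare('SELECT 1 FROM customers WHERE username = :uname OR email = :uemail');
    $check->execute([':uname' => $username, ':uemail' => $email]);
    if ($check->fetchColumn() !== false) {
        return false; // username or email already taken
    }
    $insert = $db->prepare('INSERT INTO customers (username, email, password) VALUES (:uname, :uemail, :upassword)');
    return $insert->execute([
        ':uname'     => $username,
        ':uemail'    => $email,
        ':upassword' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Positional placeholders (the answer's second form) do the same job. One field is
// matched against both columns, and the hash is checked only after a row is found.
function loginUser(PDO $db, string $usernameOrEmail, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password FROM customers WHERE username = ? OR email = ?');
    $stmt->execute([$usernameOrEmail, $usernameOrEmail]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // unknown user or wrong password
    }
    unset($row['password']); // never hand the hash back to the caller
    return $row;
}

// Constructed sample data: a username containing a quote is stored and matched literally.
var_dump(registerUser($db, "o'brien", 'ob@example.com', 'correct horse'));
var_dump(registerUser($db, "o'brien", 'other@example.com', 'another'));  // duplicate username
var_dump(loginUser($db, 'ob@example.com', 'correct horse'));
var_dump(loginUser($db, "o'brien", 'wrong password'));
```

The second registerUser call is refused by the duplicate check rather than by the UNIQUE constraint, and the quote in the username never reaches the SQL text because it is bound as data.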