Ways to Use `mysqli_stmt_num_rows()` To verify user credentials


Question

Here are the label numbers of the attempts that are invalid or incorrect ways to check for matching rows:

1, 2, 4, 8, 12, 13, 15, 16, 17, 19

These attempts have issues with their conditional statements or comparisons.

English:

I need to check db for matching user credential on login script.
There must be at least one matching row. Else, script should alert user not registered.

Need to check the db using the function mysqli_stmt_num_rows().
Assignment is to list all the various valid ways this function can be used to check for matching rows.

I concocted 21 different ways. But I need your assistance to point out the invalid attempts out of the 21 different attempts. That is all.

Note the 21 different IFs below. Note the comments on each. I queried the db using correct user credentials.
That means, mysqli_stmt_num_rows() should show '1'.

I have labeled my attempts from 1 to 21. I need you to give me the label numbers of the ones that are invalid.
On my tests, whichever attempt showed one matching row found, I put PASS on the comment beside it.
And, whichever attempt showed matching row NOT found, I put FAIL on the comment.
QUESTION: Which of these following 21 are invalid or incorrect ways to check for matching rows? Give me their label numbers.

Note, I know the difference between "=", "==" and "===".
And, I know the difference between "!=", "!==" and "!===".
I added some invalid checks just for experimental purposes.

Thanks

1

if(!$num_rows = mysqli_stmt_num_rows($stmt)) //FAILS
{
	die('Incorrect User Credentials!');
}

2

if(!$num_rows==mysqli_stmt_num_rows($stmt)) //FAILS
{
	die('Incorrect User Credentials!');
}

3

if($num_rows!=mysqli_stmt_num_rows($stmt)) //FAILS
{
	die('Incorrect User Credentials!');
}

4

if($num_rows!==mysqli_stmt_num_rows($stmt)) //FAILS
{
	die('Incorrect User Credentials!');
}

5

if($num_rows = mysqli_stmt_num_rows($stmt)!=1) //WORKS
{
	die('Incorrect User Credentials!');
}

6

if($num_rows = mysqli_stmt_num_rows($stmt)!==1) //WORKS
{
	die('Incorrect User Credentials!');
}

7

if($num_rows = mysqli_stmt_num_rows($stmt)<1) //WORKS
{
	die('Incorrect User Credentials!');
}

8

if($num_rows = mysqli_stmt_num_rows($stmt)=0)//FAILS
{
	die('Incorrect User Credentials!');
}

9

if($num_rows = mysqli_stmt_num_rows($stmt)==0)//WORKS
{
	die('Incorrect User Credentials!');
}

10

if($num_rows = mysqli_stmt_num_rows($stmt)===0)//WORKS
{
	die('Incorrect User Credentials!');
}

11

if(!mysqli_stmt_num_rows($stmt)) //FAILS
{
	die('Incorrect User Credentials!');
}

12

if(mysqli_stmt_num_rows($stmt)=FALSE) //FAILS
{
	die('Incorrect User Credentials!');
}

13

if(mysqli_stmt_num_rows($stmt)==FALSE) //FAILS
{
	die('Incorrect User Credentials!');
}

14

if(mysqli_stmt_num_rows($stmt)===FALSE) //WORKS
{
	die('Incorrect User Credentials!');
}

15

if(!mysqli_stmt_num_rows($stmt)=TRUE) //FAILS
{
	die('Incorrect User Credentials!');
}

16

if(!mysqli_stmt_num_rows($stmt)==TRUE) //FAILS
{
	die('Incorrect User Credentials!');
}

17

if(mysqli_stmt_num_rows($stmt)!=TRUE) //FAILS
{
	die('Incorrect User Credentials!');
}

18

if(mysqli_stmt_num_rows($stmt)!==TRUE) //FAILS
{
	die('Incorrect User Credentials!');
}

19

if(mysqli_stmt_num_rows($stmt)=NULL) //FAILS
{
	die('Incorrect User Credentials!');
}

20

if(mysqli_stmt_num_rows($stmt)==NULL) //FAILS
{
	die('Incorrect User Credentials!');
}

21

if(mysqli_stmt_num_rows($stmt)===NULL) //WORKS
{
	die('Incorrect User Credentials!');
}

CONTEXT

$domain = trim($_POST['domain']);
$domain_email = trim($_POST['domain_email']);
$password = trim($_POST['password']);
$password_hashed = hash('sha256', $password); // unsalted SHA-256 hash of the submitted password

//Query DB.
//Check if User already registered or not.
mysqli_report(MYSQLI_REPORT_ERROR|MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("localhost","root","","buzz"); //mysqli_connect("server","user","password","db");
$stmt = mysqli_stmt_init($conn);
//$sql = "SELECT id FROM domains WHERE password = ? AND (domain = ?  OR domain_email = ?)";
$sql = "SELECT id FROM domains WHERE (domain = ? OR domain_email = ?) AND password = ?";

if(!mysqli_stmt_prepare($stmt,$sql))
{
	echo __LINE__; echo '<br>';//DELETE

	echo 'Mysqli Error: ' .mysqli_stmt_error(); //DEV MODE.
	echo '<br>';
	echo 'Mysqli Error No: ' .mysqli_stmt_errno(); //DEV MODE.
	echo '<br>';
	die('Login a Failure!');
}
else
{
	echo __LINE__; echo '<br>';//DELETE
	
	mysqli_stmt_bind_param($stmt,"sss",$domain,$domain_email,$password_hashed);
	mysqli_stmt_execute($stmt);
	mysqli_stmt_bind_result($stmt,$id);
	if(!mysqli_stmt_fetch($stmt)) //This triggers if credentials are wrong.
	{	
		echo __LINE__; echo '<br>';//DELETE
		
		mysqli_stmt_close($stmt);
		mysqli_close($conn);
		die('Password fetching failed!');
	}
	else
	{
		echo __LINE__; echo '<br>';//DELETE
		
		
		//if(!$num_rows = mysqli_stmt_num_rows($stmt)) //FAILS
		//if(!$num_rows==mysqli_stmt_num_rows($stmt)) //FAILS
		//if($num_rows!=mysqli_stmt_num_rows($stmt)) //FAILS
		//if($num_rows!==mysqli_stmt_num_rows($stmt)) //FAILS
		//if($num_rows = mysqli_stmt_num_rows($stmt)!=1) //WORKS
		//if($num_rows = mysqli_stmt_num_rows($stmt)!==1) //WORKS
		//if($num_rows = mysqli_stmt_num_rows($stmt)<1) //WORKS
		//if($num_rows = mysqli_stmt_num_rows($stmt)=0)//FAILS
		//if($num_rows = mysqli_stmt_num_rows($stmt)==0)//WORKS
		//if($num_rows = mysqli_stmt_num_rows($stmt)===0)//WORKS
		//if(!mysqli_stmt_num_rows($stmt)) //FAILS
		
		//if(mysqli_stmt_num_rows($stmt)=FALSE) //FAILS
		//if(mysqli_stmt_num_rows($stmt)==FALSE) //FAILS
		//if(mysqli_stmt_num_rows($stmt)===FALSE) //WORKS
		
		//if(!mysqli_stmt_num_rows($stmt)=TRUE) //FAILS
		//if(!mysqli_stmt_num_rows($stmt)==TRUE) //FAILS
		//if(mysqli_stmt_num_rows($stmt)!=TRUE) //FAILS
		//if(mysqli_stmt_num_rows($stmt)!==TRUE) //FAILS
		//if(mysqli_stmt_num_rows($stmt)=NULL) //FAILS
		//if(mysqli_stmt_num_rows($stmt)==NULL) //FAILS
		//if(mysqli_stmt_num_rows($stmt)===NULL) //WORKS
		{
			die('Incorrect User Credentials!');
		}
		
	mysqli_stmt_close($stmt);
	mysqli_close($conn);
	
	echo __LINE__; echo '<br>';//DELETE
	echo 'password: ' .$password; echo '<br>'; //DEV MODE. Remove: echoes the submitted password.
	echo 'hashed password: ' .$password_hashed; echo '<br>'; //DEV MODE.
	
	header('location: home_Template.php');
	exit;
}

Experimented half the night and some test results confused me which I need clearing.

Answer 1

Score: 1

None of the 21 ways you listed are correct or necessary. In fact, most of the code you showed is unnecessary or wrong.

You should only store secure hashes of passwords generated using password_hash()!

If you were to follow the best practice for generating password hashes, you would quickly see the futility of your current question. To check if the password is valid, you must use password_verify(); to do that, you must have the hash in the database.

So, here's how the code would work if you did it correctly:

<?php
$domain = trim($_POST['domain']);
$domain_email = trim($_POST['domain_email']);

//Query DB.
//Check if User already registered or not.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("localhost", "root", "", "buzz");

$sql = "SELECT hashed_password FROM domains WHERE domain = ? OR domain_email = ?";
$stmt = mysqli_prepare($conn, $sql); // prepare on the connection, not on an undefined $stmt
mysqli_stmt_bind_param($stmt, "ss", $domain, $domain_email);
mysqli_stmt_execute($stmt);
$hashFromDatabase = mysqli_fetch_column(mysqli_stmt_get_result($stmt)); // false when no row matched

if ($hashFromDatabase !== false && password_verify($_POST['password'], $hashFromDatabase)) {
    header('location: home_Template.php');
    exit;
}

// Here you show the log in form again, with an appropriate message saying credentials are invalid.
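As an added example (not code from the question or from the answer above), a login check that follows the answer's password_verify() advice and also uses mysqli_stmt_num_rows() the way it is documented to work, after mysqli_stmt_store_result(), which the CONTEXT script never calls. It assumes the answer's `domains` table with columns `id`, `domain`, `domain_email` and `hashed_password`, PHP 8 with mysqlnd, and the hypothetical function names `hashForStorage` and `login`.

```php
<?php
declare(strict_types=1);
// Registration side (constructed example, not the question's code): store only a
// password_hash() result, never a bare sha256() digest.
function hashForStorage(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}
// Login side: returns the account id on success, null on any failure.
// Assumes table `domains` (id, domain, domain_email, hashed_password).
function login(mysqli $conn, string $identifier, string $password): ?int
{
    $stmt = mysqli_prepare(
        $conn,
        'SELECT id, hashed_password FROM domains WHERE domain = ? OR domain_email = ?'
    );
    mysqli_stmt_bind_param($stmt, 'ss', $identifier, $identifier);
    mysqli_stmt_execute($stmt);

    // mysqli_stmt_num_rows() is documented to work only after the result set has
    // been buffered with mysqli_stmt_store_result(), so buffer before counting.
    mysqli_stmt_store_result($stmt);
    $rows = (int) mysqli_stmt_num_rows($stmt); // int|string, so normalise before ===

    $id = null;
    $hash = null;
    if ($rows === 1) { // exactly one account; 0 or more than 1 is a failed login
        mysqli_stmt_bind_result($stmt, $id, $hash);
        mysqli_stmt_fetch($stmt);
    }
    mysqli_stmt_close($stmt);

    // Verify against a throwaway hash when no row matched, so an unknown account
    // costs the same time as a wrong password (no user enumeration by timing).
    static $dummy = null;
    $dummy ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash ?? $dummy) && $rows === 1;

    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Transparently upgrade the stored hash when the default cost changes.
        $new = hashForStorage($password);
        $upd = mysqli_prepare($conn, 'UPDATE domains SET hashed_password = ? WHERE id = ?');
        mysqli_stmt_bind_param($upd, 'si', $new, $id);
        mysqli_stmt_execute($upd);
        mysqli_stmt_close($upd);
    }
    return $ok ? (int) $id : null;
}
```

Call it with mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT) enabled as in the question, for example `$id = login($conn, trim($_POST['domain_email']), $_POST['password']);`, and treat a null return as "invalid credentials" without saying which part was wrong.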

huangapple
  • Posted on March 7, 2023 23:28:06
  • Please keep this link when reposting: https://go.coder-hub.com/75663948.html