How to get login() > 0 for this rest api code [on hold]

49
January 12, 2019, at 6:00 PM

I need the result of this coding is login () > 0, where is the wrong code ?

public function getHash($password) {
    $salt = sha1(rand());
    $salt = substr($salt, 0, 10);
    $encrypted = password_hash($password.$salt, PASSWORD_DEFAULT);
    $hash = array("salt" => $salt, "encrypted" => $encrypted);
    return $hash;
}
public function verifyHash($password, $hash) {
    return password_verify($password, $hash);
}
private function login() {
    // Cross validation if the request method is POST else it will return "Not Acceptable" status
    if ($this->get_request_method() != "POST") {
        $this->response('', 406);
    }
    $username = $this->_request['username'];
    $password = $this->_request['password'];
    $return = null;
    if (!empty($username) and !empty($password)) {
        $sql = mysqli_query($this->db, "SELECT SALT,PASSWORD FROM `user` WHERE USERNAME = '".$username."' LIMIT 1");
        $query = mysqli_fetch_assoc($sql);
        $salt = $query['SALT'];
        $db_encrypted_password = $query['PASSWORD'];
        if ($this->verifyHash($password.$salt, $db_encrypted_password)) {
            $return = '1';
        }
    }
    return $return;
}

I want get the login() > 0 how is it ? where is the wrong code ? Im using other encrypt for password, because i think md5 is the old encryption right now, here the right code before I'm modified :

private function login() {
    // Cross validation if the request method is POST else it will return "Not Acceptable" status
    if ($this->get_request_method() != "POST") {
        $this->response('', 406);
    }
    $username = $this->_request['username'];
    $password = $this->_request['password'];
    $return = null;
    if (!empty($username) and !empty($password)) {
        $sql = mysqli_query($this->db, "SELECT IDUSER FROM `user` WHERE USERNAME = '".$username."' AND PASSWORD = '".md5($password)."' LIMIT 1");
        if (mysqli_num_rows($sql) > 0) {
            $result = mysqli_fetch_array($sql, MYSQLI_NUM);
            $return = $result[0];
        }
    }
    return $return;
}

That code will use for this code, if return result < 0 so the user can't getall table. here the code where need verification first from login() code.

function GetAll(){
    if($this->login() > 0){
        $table_name = $this->_request['table'];                 
        $conditions = $this->_request['conditions'];
        if(isset($this->_request['order_by']))
            $order_by = $this->_request['order_by'];    
        else 
            $order_by = null;          
        $sql0 = "SELECT * FROM ".$table_name." WHERE 1=1";
        if($conditions != null) {
            foreach($conditions as $key=>$value){
                $sql0 .= " AND {$key} = '${value}'";
            }
        }
        if($order_by != null) {
            $sql0 .=" ORDER BY ";
            foreach($order_by as $key=>$value){
                $sql0 .= " {$key} ${value}";
            }
        }  //  echo $sql0;
        $sql = mysqli_query($this->db, $sql0);  
        if(mysqli_num_rows($sql) > 0){
            while($row =  mysqli_fetch_array($sql, MYSQLI_ASSOC))
                $result[] = $row;
            $this->response($this->json($result), 200);
        }
    }
    $error = array('status' => "Failed", "msg" => "Sorry It's Not Working");
    $this->response($this->json($error), 400);
}   
Answer 1

You really need to use Prepared Statements. It is not a choice, it is a necessity.

You should use password_hash() instead of any other hashing method you can think of, because it is the safest choice and simplest. It already hashes your password with a unique salt. Don't add salt yourself and do not store it separately in DB. I made few fixes to your code, but you should do much more probably.

I changed your insecure query to a prepared statement. I have gotten rid of salt, and removed unneeded return $return.

Make sure that the field which stores password in your DB is at least VARCHAR(255) to fit the hash.

public function getHash($password) {
    $hashedNSalted = password_hash($password, PASSWORD_DEFAULT);
    return $hashedNSalted;
}
public function verifyHash($password, $hash) {
    return password_verify($password, $hash);
}
private function login() {
    // Cross validation if the request method is POST else it will return "Not Acceptable" status
    if ($this->get_request_method() != "POST") {
        $this->response('', 406);
    }
    $username = $this->_request['username'];
    $password = $this->_request['password'];
    if ($username and $password) {
        /* create a prepared statement */
        $stmt = mysqli_prepare($this->db, "SELECT password FROM `user` WHERE username=? LIMIT 1");
        /* bind parameters for markers */
        mysqli_stmt_bind_param($stmt, "s", $username);
        /* execute query */
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        $row    = mysqli_fetch_assoc($result);
        return $this->verifyHash($password, $row['password'];
    }
    return false;
}
READ ALSO
Run a SQL statement in MySQL on each connection

Run a SQL statement in MySQL on each connection

I must be going nuts here, but I could swear I read about a configuration option in MySQL that will run the defined SQL statement on every successful connection to the database, with the cavet that it would not run for root or those with a certain privilege...

54
How to access a variable from a knex query inside of a second knex query?

How to access a variable from a knex query inside of a second knex query?

I have the following route where I want to get the sum associated to an id I get from the first query

20
How to break out values in a row to be in its own field based on a date value

How to break out values in a row to be in its own field based on a date value

In the Table Setup below you will see that the Amount data is broken down in various rows in the tableI am creating a view where i want to break this out where each Amount value is in its own field based on the CreatedDt field

24
SQL-queries in server.js or in react-component file?

SQL-queries in server.js or in react-component file?

I'm totally new at using Expressjs and React

44