6 Replies - 234 Views - Last Post: 04 May 2019 - 07:44 PM

#1 anavies123

How to post password to mysql database?

Posted 04 May 2019 - 12:56 AM

This JSON-enabled iOS app is displaying a registration failed error when a registration attempt is made from the app, and that needs fixing. When adding the following lines to display errors in the index.php file:

ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);

The following notice is displayed:

<br /><b>Notice</b>:  Undefined index: command in 
<b>/Applications/MAMP/htdocs/iReporter/index.php</b> on line 
<b>26</b><br />


PHP code

// line 26
switch ($_POST['command']) {
case "login":
    login($_POST['username'], $_POST['password']); 
    break;

case "register":
    register($_POST['username'], $_POST['password']); 
    break;

Register and log in functions

// register API
function register($user, $pass) {

    //check if username exists in the database (inside the "login" table)
    $login = query("SELECT username FROM login WHERE username='%s' limit 1", $user);

    if (count($login['result'])>0) {

        //the username exists, return error to the iPhone app
        errorJson('Username already exists');
    }

    //try to insert a new row in the "login" table with the given username and password
    $result = query("INSERT INTO login(username, pass) VALUES('%s','%s')", $user, $pass);

    if (!$result['error']) {
        //registration is successful, try to also directly login the new user
        login($user, $pass);
    } else {
        //for some database reason the registration is unsuccessful
        errorJson('Registration failed');
    }

}

//login API
function login($user, $pass) {

    // try to match a row in the "login" table for the given username and password
    $result = query("SELECT IdUser, username FROM login WHERE username='%s' AND pass='%s' limit 1", $user, $pass);

    if (count($result['result'])>0) {
        // a row was found in the database for username/pass combination
        // save a simple flag in the user session, so the server remembers that the user is authorized
        $_SESSION['IdUser'] = $result['result'][0]['IdUser'];

        // print out the JSON of the user data to the iPhone app; it looks like this:
        // {IdUser:1, username: "Name"}
        print json_encode($result);
    } else {
        // no matching username/password was found in the login table
        errorJson('Authorization failed');
    }

}


Command being called from the iOS app

NSMutableDictionary* params =[NSMutableDictionary dictionaryWithObjectsAndKeys:command, @"command", fldUsername.text, @"username", hashedPassword, @"password", nil];


The app can still connect to the database since it shows the username already exists error when an existing username is tried in the registration process. Also, when
$pass = '';
is added to the register function, the user is authorized, and logged in, but a blank string is stored to the database. When trying:
$pass = $_POST['password'];
it doesn't work either. Where should the code be updated to complete the task?


Replies To: How to post password to mysql database?

#2 CTphpnwb

Posted 04 May 2019 - 05:45 AM

Yet another SQL injection attack waiting to happen!

Read this:
https://www.dreaminc...duction-to-pdo/
Now read it again.
Now implement it.

#3 astonecipher

Posted 04 May 2019 - 07:43 AM

And storing plain text passwords....

#4 anavies123

Posted 04 May 2019 - 09:50 AM

Ty for your reply CTphpnwb. I appreciate it. Do you think that would fix the problem?

#5 CTphpnwb

Posted 04 May 2019 - 10:18 AM

The security problem, yes. Be sure to hash the password too. Edit: It looks like the iOS device hashes it, but check to be sure.
Then we can talk about your data issue.

This post has been edited by CTphpnwb: 04 May 2019 - 10:20 AM


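Added example, not part of any post in this thread: the changes replies #2, #3 and #5 call for (prepared statements through PDO, plus password_hash()/password_verify() on the server) applied to the question's register() and login(). The in-memory SQLite database, the $db parameter and the null return values are assumptions made so the script runs offline; the login table and its columns are the ones shown in the question.

```php
<?php
// Assumption: in-memory SQLite stands in for the thread's MySQL database so this
// runs offline. For MySQL only the DSN and credentials passed to PDO change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (IdUser INTEGER PRIMARY KEY, username TEXT UNIQUE, pass TEXT)');

// Returns the new user's id, or null when the username is already taken.
function register(PDO $db, string $user, string $pass): ?int {
    $check = $db->prepare('SELECT 1 FROM login WHERE username = ? LIMIT 1');
    $check->execute([$user]);   // the value is bound, never spliced into the SQL text
    if ($check->fetchColumn() !== false) {
        return null;
    }
    // Hash on the server whatever the client sends, even if the app pre-hashed it.
    // password_hash() generates a per-user salt and embeds it in the stored string.
    $hash = password_hash($pass, PASSWORD_DEFAULT);
    $insert = $db->prepare('INSERT INTO login (username, pass) VALUES (?, ?)');
    $insert->execute([$user, $hash]);
    return (int) $db->lastInsertId();
}

// Returns ['IdUser' => ..., 'username' => ...] on success, null on failure.
function login(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare('SELECT IdUser, username, pass FROM login WHERE username = ? LIMIT 1');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The hash is checked in PHP; the password never appears in a WHERE clause.
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    unset($row['pass']);        // do not send the stored hash back to the app
    return $row;
}

// Constructed sample input for a quick run from the command line.
var_dump(register($db, 'alice', 'correct horse'));   // first registration
var_dump(register($db, 'alice', 'other'));           // duplicate username is refused
var_dump(login($db, 'alice', 'correct horse'));      // matching password
var_dump(login($db, 'alice', 'wrong'));              // wrong password
var_dump(login($db, "alice' OR '1'='1", 'x'));       // quotes are treated as plain data
```

On MySQL the pass column has to be wide enough for the hash string; the PHP manual recommends 255 characters.
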
#6 anavies123

Posted 04 May 2019 - 02:08 PM

Yep. It hashes using

#define kSalt @"adlfu3489tyh2jnkLIUGI&%EV(&0982cbgrykxjnk8855"



NSMutableDictionary* params =[NSMutableDictionary dictionaryWithObjectsAndKeys:command, @"command", fldUsername.text, @"username", hashedPassword, @"password", nil];


The original code was from 2012. Source: https://www.raywende...ackend-part-1-2

#7 CTphpnwb

Posted 04 May 2019 - 07:44 PM

anavies123, on 04 May 2019 - 04:08 PM, said:

The original code was from 2012.

So then you're on a slow path towards learning why it's not a good idea to be a copy/paste programmer.

It's fine to copy/paste a code snippet, but only if you understand it.

This post has been edited by CTphpnwb: 04 May 2019 - 08:00 PM
