Is it possible to use functions inside a SQL query?

T

tester2020-06-29 17:40:31

PHP

tester, 2020-06-29 17:40:31

<?php
$login = filter_var(trim($_POST['login']),
    FILTER_SANITIZE_STRING);
$password = filter_var(trim($_POST['password']),
    FILTER_SANITIZE_STRING);

$mysql = new mysqli('localhost', 'root', '', 'register');
$result = $mysql->query("SELECT * FROM `users` WHERE `login` = '$login' AND 'password_verify($password, `password`)' = 1");

$mysql->close();
$user = $result->fetch_assoc();
if(count($user) == 0) {
    echo 'Не было найдено такого пользователя';
    exit();
}

How to verify a password using password_verify() ?

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

M

Maxim, 2020-06-29
@tokmaganbet

Nuances when using SQL language functions:

Some part of the business logic goes into uncontrolled things like SQL. It is better to check the password exactly not with the SQL function, but with the PHP function. In this case, the code will fully comply with the business requirement and the tests will not work with the database.
Using SQL functions in queries ignores indexes. Therefore, on large data and complex queries, the execution time of such a query may increase.

R

Rsa97, 2020-06-29
@Rsa97

$mysql = new mysqli('localhost', 'root', '', 'register');
$stmt = $mysql->prepare("SELECT `password` FROM `users` WHERE `login` = ?");
$stmt->bind_param('s', $login);
$stmt->execute();
$stms->bind_result($hash);
if (!$stmt->fetch() || !password_verify($password, $hash)) {
  echo 'Error';
}