PHP
tester, 2020-06-29 17:40:31

Is it possible to use functions inside a SQL query?

<?php
// Original question code, kept as posted except for the comments and the
// empty-result check; the SQL on the query line is the thing being asked about.
$login = filter_var(trim($_POST['login']),
    FILTER_SANITIZE_STRING);
$password = filter_var(trim($_POST['password']),
    FILTER_SANITIZE_STRING);

$mysql = new mysqli('localhost', 'root', '', 'register');
// Attempt to call the PHP function password_verify() from inside the SQL text
$result = $mysql->query("SELECT * FROM `users` WHERE `login` = '$login' AND 'password_verify($password, `password`)' = 1");

$mysql->close();
$user = $result->fetch_assoc();
// fetch_assoc() returns null when no row matched; count(null) is an error in PHP 8
if (!$user) {
    echo 'Не было найдено такого пользователя'; // "No such user was found"
    exit();
}


How to verify a password using password_verify() ?


3 answer(s)
Maxim, 2020-06-29
@tokmaganbet

Nuances when using SQL language functions:

  • Part of the business logic moves into something hard to control, like SQL. It is better to check the password not with a SQL function but with the PHP function. In that case the code will fully match the business requirement, and the tests will not need to work with the database.
  • Using SQL functions in queries ignores indexes. Therefore, on large data sets and complex queries, the execution time of such a query may increase.

Rsa97, 2020-06-29
@Rsa97

// $login and $password are the values read from $_POST in the question
$mysql = new mysqli('localhost', 'root', '', 'register');
// Only the login goes to the database, as a bound parameter; the hash comparison stays in PHP
$stmt = $mysql->prepare("SELECT `password` FROM `users` WHERE `login` = ?");
$stmt->bind_param('s', $login);
$stmt->execute();
$stmt->bind_result($hash);
if (!$stmt->fetch() || !password_verify($password, $hash)) {
  echo 'Error';
}
$stmt->close();
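Both answers come down to the same pattern: fetch the stored hash by login with a bound parameter, then run password_verify() in PHP. The query in the question cannot work as written: MySQL has no password_verify() function, and the quoted text 'password_verify(...)' is just a string literal, which MySQL converts to 0 before comparing it with 1, so the condition is never true. Putting $login and $password straight into the SQL text also makes the query injectable, and running the password through FILTER_SANITIZE_STRING (deprecated since PHP 8.1) alters any password containing quotes or angle brackets, so the hash check would fail for those users. The following is an added example, not code from the question or either answer, that puts both answers' advice into one login check; it assumes the `users` table with `login` and `password` (bcrypt hash) columns and the mysqli connection settings from the question, and the function names are my own:

```php
<?php
// Added example (not from the original post): login check with the hash
// comparison kept in PHP, as both answers recommend.
// Assumed schema: table `users` with columns `login` and `password` (a
// password_hash() result). Connection parameters are taken from the question.
declare(strict_types=1);

// Pure verification step with no database access, so it can be unit-tested
// against a constructed hash (Maxim's point about keeping logic out of SQL).
function credentialsMatch(?string $storedHash, string $password): bool
{
    // When the login does not exist, verify against a constructed dummy hash
    // anyway, so the response time does not reveal which logins are valid.
    static $dummyHash = null;
    $dummyHash ??= password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    $ok = password_verify($password, $storedHash ?? $dummyHash);
    return $ok && $storedHash !== null;
}

// Database step: only the login is sent to MySQL, as a bound parameter
// (Rsa97's answer), so the SQL text never contains user input.
function fetchStoredHash(mysqli $mysql, string $login): ?string
{
    $stmt = $mysql->prepare("SELECT `password` FROM `users` WHERE `login` = ?");
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $hash : null;
}

function authenticate(mysqli $mysql, string $login, string $password): bool
{
    $hash = fetchStoredHash($mysql, $login);
    if (!credentialsMatch($hash, $password)) {
        return false;
    }
    // Re-hash on successful login if the default algorithm or cost has changed
    // since the stored hash was created.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $mysql->prepare("UPDATE `users` SET `password` = ? WHERE `login` = ?");
        $stmt->bind_param('ss', $newHash, $login);
        $stmt->execute();
        $stmt->close();
    }
    return true;
}

// Usage with the question's connection settings. The password is passed as
// submitted: trimming or sanitizing it would change the bytes that were hashed.
$mysql = new mysqli('localhost', 'root', '', 'register');
$login = trim((string) ($_POST['login'] ?? ''));
$password = (string) ($_POST['password'] ?? '');
if (!authenticate($mysql, $login, $password)) {
    echo 'Invalid login or password';
    $mysql->close();
    exit();
}
$mysql->close();
```

Because credentialsMatch() takes the hash as a plain argument, a test can call it with password_hash('example', PASSWORD_DEFAULT) and no database at all, which is the separation Maxim describes; the single error message and the dummy-hash path keep a missing login and a wrong password indistinguishable to the client.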
