PHP
Maxim Spiridonov, 2014-09-28 11:16:18

Where is the error in the authorization script?

I wrote a lightweight authorization system in OOP style, which in turn works on sessions.
Here is the function itself:

function login() {
    if (!empty($_POST)) {
        $login = mysql_real_escape_string(htmlspecialchars($_POST['login'])); // filter the login a bit
        $password = md5($_POST['password']); // hash the password, since the database stores the hash
        $user = $this->db->query("SELECT * FROM rust_users WHERE login = ? AND password = ?", $login, $password)->assoc();

        if (mysql_num_rows($user) == 1) {
            $row = mysql_fetch_assoc($user);
            $_SESSION['id'] == $row['id'];
            $_SESSION['login'] == $row['login'];
            setcookie("CookieMy", $row['id'], time()+60*60*24*10);

            //header("Location: /");
        } else
            $this->error = 'Wrong email or password';
    }
    $this->out('login.php');
}

Error: Warning: mysql_num_rows() expects parameter 1 to be resource, null given in Y:\home\oop.ru\www\app\ctrlIndex.php on line 21. I understand that nothing is reaching mysql_num_rows(), but I can't figure out why.

4 answer(s)
AlexP11223, 2014-09-28
@AlexP11223

Why are you trying to mix PDO and mysql_ functions?
And by what principle do you indent the lines? Why do they jump around so strangely and unpredictably?

cha-cha, 2014-09-28
@cha-cha

What OOP, what are you talking about? mysql_* functions are everywhere.
Drop md5. Use password_hash.
htmlspecialchars for what? mysql_real_escape_string belongs in the trash too. PDO itself escapes when it substitutes a variable in place of the ?
Edit:
mysql/mysqli have nothing to do with PDO.

Andrey Ezhgurov, 2014-09-28
@eandr_67

1. When using prepared statements (i.e. '?' in place of the parameter value in the query), mysql_real_escape_string and other escaping functions are NOT NEEDED!
There should be only: $login = htmlspecialchars(trim($_POST['login']));
2. There is a dedicated crypt function for hashing a password. And newer versions of PHP have a whole set of functions: ru2.php.net/manual/ru/ref.password.php . When hashing, a salt must be added to the password.
3. If UTF-8 (or another Unicode encoding) is used, then the login also needs to be normalized, so that there are no distinct logins that look exactly the same from the outside:

$login = htmlspecialchars(trim(Normalizer::normalize($_POST['login'], Normalizer::FORM_KC)));

Denis, 2014-09-28
@cjbars

Most likely $user already holds a ready-made array. mysql_num_rows needs an open connection to the database and a query; in the engine the connection has most likely already been closed.
Try replacing
if (mysql_num_rows($user) == 1) {
with
if (count($user) == 1) {
and then work with the $user array accordingly.
Instead of:
$row = mysql_fetch_assoc($user);
$_SESSION['id'] == $row['id'];
do something like this:
$_SESSION['id'] = $user['id']; (one equals sign to assign)
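Pulling the answers above together (prepared statements, password_hash and login normalization from @eandr_67 and @cha-cha, the array result and the single '=' from @cjbars), here is a corrected version of the function as an added example. It is not the original poster's code and does not use his $this->db wrapper; it assumes PHP 7.4+, a PDO connection $pdo, a rust_users table whose password column already holds password_hash() output rather than md5, that session_start() has been called by the front controller, and the intl extension for Normalizer (skipped when absent). The CookieMy cookie is dropped on purpose: a cookie that holds the bare user id can be set by hand by anyone, so it must not be used to recognise a user. htmlspecialchars is not applied on input either; escaping belongs at output time in the template.

```php
<?php
// Added example, not the original poster's code or any framework's API.
// Assumptions: PHP 7.4+, a PDO connection $pdo in ERRMODE_EXCEPTION, a table
// rust_users(id, login, password) whose password column stores password_hash()
// output (not md5), session_start() already called by the front controller,
// and the intl extension for Normalizer (skipped if it is not loaded).

function normalizeLogin(string $login): string
{
    $login = trim($login);
    if (class_exists('Normalizer')) {
        // NFKC folds look-alike Unicode forms into one stored representation
        $login = Normalizer::normalize($login, Normalizer::FORM_KC);
    }
    return $login;
}

function registerUser(PDO $pdo, string $login, string $password): int
{
    // The login is stored raw; HTML escaping happens at output time, not here.
    $stmt = $pdo->prepare('INSERT INTO rust_users (login, password) VALUES (?, ?)');
    $stmt->execute([normalizeLogin($login), password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $pdo->lastInsertId();
}

// Returns null on success (session populated) or an error message for the view.
function login(PDO $pdo, array $post): ?string
{
    if (!isset($post['login'], $post['password']) || $post['login'] === '') {
        return 'Wrong email or password';
    }
    // Look up by login only: the prepared statement does the quoting, and the
    // hash is compared in PHP rather than in SQL.
    $stmt = $pdo->prepare('SELECT id, login, password FROM rust_users WHERE login = ? LIMIT 1');
    $stmt->execute([normalizeLogin($post['login'])]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC); // an array or false, never a mysql resource

    // Verify against a dummy hash when the login is unknown so that response
    // time does not reveal which logins exist.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
    $ok = password_verify($post['password'], $user['password'] ?? $dummyHash);
    if ($user === false || !$ok) {
        return 'Wrong email or password';
    }

    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        // Transparently upgrade stored hashes when the default algorithm or cost changes
        $upd = $pdo->prepare('UPDATE rust_users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($post['password'], PASSWORD_DEFAULT), $user['id']]);
    }

    session_regenerate_id(true);         // fresh session id on login (session fixation defence)
    $_SESSION['id'] = (int) $user['id']; // a single '=' assigns; '==' only compares and discards the result
    $_SESSION['login'] = $user['login'];
    // No "remember me" cookie holding the bare user id: anyone could forge it.
    return null;
}

// Stand-alone demo on an in-memory SQLite database with constructed sample data.
if (PHP_SAPI === 'cli') {
    session_start();
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE rust_users (id INTEGER PRIMARY KEY AUTOINCREMENT, login TEXT UNIQUE, password TEXT)');
    registerUser($pdo, 'alice', 'correct horse battery staple');

    var_dump(login($pdo, ['login' => 'alice', 'password' => 'not the password']));
    var_dump(login($pdo, ['login' => 'alice', 'password' => 'correct horse battery staple']));
    var_dump($_SESSION['id'], $_SESSION['login']);
}
```

Run it with php-cli and the pdo_sqlite extension; the first login attempt returns the error string, the second returns null and leaves the user's id and login in $_SESSION. In the real controller the function would be a method that calls $this->out('login.php') with the returned message, exactly as the original does with $this->error.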
